Analysis
- max time kernel: 152s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 16-08-2021 09:02
Static task: static1
Behavioral task: behavioral1
- Sample: d86d71d53b351a9d3c585b7e8b24d525.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: d86d71d53b351a9d3c585b7e8b24d525.exe
- Resource: win10v20210408
General
- Target: d86d71d53b351a9d3c585b7e8b24d525.exe
- Size: 180KB
- MD5: d86d71d53b351a9d3c585b7e8b24d525
- SHA1: 590a404f7a297f97a8bf78f072a152c7ebdea277
- SHA256: eaa52f460d64093ebcf267e2fa4ebe342b31ee442127afe065892b790409eb33
- SHA512: d52dad0397efd9c9973b754d63e710ce04916672acfb4e25f492d597aed944c287744804eec4b267665aea023ac4cd3f9e928a1800fed9db1af9f5681d971a97
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
Extracted
- Family: raccoon
- Botnet: cd8dc1031358b1aec55cc6bc447df1018b068607
- url4cnc: https://telete.in/jagressor_kz

Signatures

Raccoon Stealer Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/740-144-0x0000000000400000-0x0000000002D05000-memory.dmp | family_raccoon
behavioral2/memory/740-141-0x00000000049A0000-0x0000000004A31000-memory.dmp | family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7AFD.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\7AFD.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\82BE.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\82BE.exe | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description | pid | process | target process
PID 3164 created 740 | 3164 | WerFault.exe | 887C.exe

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
Processes:
pid | process
3412 | 7AFD.exe
1164 | 82BE.exe
740 | 887C.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 82BE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 82BE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7AFD.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7AFD.exe

Deletes itself (1 IoC)
Processes:
pid | process
3060 | (no image name recorded)

Loads dropped DLL (1 IoC)
Processes:
pid | process
740 | 887C.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes matched by yara_rule themida:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7AFD.exe | themida
C:\Users\Admin\AppData\Local\Temp\7AFD.exe | themida
behavioral2/memory/3412-122-0x0000000001160000-0x0000000001161000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\82BE.exe | themida
C:\Users\Admin\AppData\Local\Temp\82BE.exe | themida
behavioral2/memory/1164-134-0x0000000000DA0000-0x0000000000DA1000-memory.dmp | themida

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7AFD.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 82BE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
pid | process
3412 | 7AFD.exe
1164 | 82BE.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 656 set thread context of 696 | 656 | d86d71d53b351a9d3c585b7e8b24d525.exe | d86d71d53b351a9d3c585b7e8b24d525.exe

Program crash (32 IoCs)
Processes:
pid | pid_target | process | target process
All 32 rows have pid_target 740, process WerFault.exe and target process 887C.exe; the WerFault.exe pids, in report order, are:
2268, 1868, 1904, 208, 3844, 4028, 3948, 1868, 204, 3364, 3664, 1812, 4092, 2164, 1900, 3112, 3052, 296, 2196, 1908, 208, 4048, 1732, 2420, 3960, 4068, 912, 1464, 3444, 2252, 2028, 3164

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d86d71d53b351a9d3c585b7e8b24d525.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d86d71d53b351a9d3c585b7e8b24d525.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d86d71d53b351a9d3c585b7e8b24d525.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process | entries
696 | d86d71d53b351a9d3c585b7e8b24d525.exe | 2
3060 | (no image name recorded) | 62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
3060 | (no image name recorded)

Suspicious behavior: MapViewOfSection (19 IoCs)
Processes:
pid | process | entries
696 | d86d71d53b351a9d3c585b7e8b24d525.exe | 1
3060 | (no image name recorded) | 18

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process | entries
Token: SeShutdownPrivilege | 3060 | (no image name recorded) | 14
Token: SeCreatePagefilePrivilege | 3060 | (no image name recorded) | 14
Token: SeRestorePrivilege | 2268 | WerFault.exe | 1
Token: SeBackupPrivilege | 2268 | WerFault.exe | 1
Token: SeDebugPrivilege | 1164 | 82BE.exe | 1
Token: SeDebugPrivilege | 3412 | 7AFD.exe | 1
Token: SeDebugPrivilege | one row per WerFault.exe pid, in report order: 2268, 1868, 1904, 208, 3844, 4028, 3948, 1868, 204, 3364, 3664, 1812, 4092, 2164, 1900, 3112, 3052, 296, 2196, 1908, 208, 4048, 1732, 2420, 3960, 4068, 912, 1464, 3444, 2252, 2028, 3164 | WerFault.exe | 32

Suspicious use of UnmapMainImage (1 IoC)
Processes:
pid | process
3060 | (no image name recorded)

Suspicious use of WriteProcessMemory (47 IoCs)
Processes:
description | pid | process | target process | entries
PID 656 wrote to memory of 696 | 656 | d86d71d53b351a9d3c585b7e8b24d525.exe | d86d71d53b351a9d3c585b7e8b24d525.exe | 6
PID 3060 wrote to memory of 3412 | 3060 | (no image name recorded) | 7AFD.exe | 3
PID 3060 wrote to memory of 1164 | 3060 | (no image name recorded) | 82BE.exe | 3
PID 3060 wrote to memory of 740 | 3060 | (no image name recorded) | 887C.exe | 3
PID 3060 wrote to memory of 2884 | 3060 | (no image name recorded) | explorer.exe | 4
PID 3060 wrote to memory of 3752 | 3060 | (no image name recorded) | explorer.exe | 3
PID 3060 wrote to memory of 396 | 3060 | (no image name recorded) | explorer.exe | 4
PID 3060 wrote to memory of 2060 | 3060 | (no image name recorded) | explorer.exe | 3
PID 3060 wrote to memory of 3588 | 3060 | (no image name recorded) | explorer.exe | 4
PID 3060 wrote to memory of 2620 | 3060 | (no image name recorded) | explorer.exe | 3
PID 3060 wrote to memory of 1196 | 3060 | (no image name recorded) | explorer.exe | 4
PID 3060 wrote to memory of 1316 | 3060 | (no image name recorded) | explorer.exe | 3
PID 3060 wrote to memory of 908 | 3060 | (no image name recorded) | explorer.exe | 4

Processes
Process tree (children are indented under their parent; the command line is shown on the line below each image path):

C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe
  "C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe
      "C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\7AFD.exe
  C:\Users\Admin\AppData\Local\Temp\7AFD.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\82BE.exe
  C:\Users\Admin\AppData\Local\Temp\82BE.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\887C.exe
  C:\Users\Admin\AppData\Local\Temp\887C.exe
  - Executes dropped EXE
  - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe (32 instances)
      C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s <N>, with -s values in report order: 732, 744, 748, 880, 1184, 1188, 1344, 1328, 1152, 1320, 1408, 1520, 1580, 1388, 1336, 1540, 1648, 1520, 1768, 1828, 1676, 1932, 1964, 2028, 1668, 1876, 2036, 2032, 1856, 1768, 1808, 1708
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of NtCreateProcessExOtherParentProcess (last instance only, -s 1708)

C:\Windows\SysWOW64\explorer.exe (5 instances, alternating with the C:\Windows\explorer.exe instances below)
  C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe (4 instances)
  C:\Windows\explorer.exe

Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\7AFD.exe
- C:\Users\Admin\AppData\Local\Temp\82BE.exe
- C:\Users\Admin\AppData\Local\Temp\887C.exe
- \Users\Admin\AppData\LocalLow\sqlite3.dll