Analysis
  max time kernel: 151s
  max time network: 153s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 16-08-2021 11:49
Static task: static1
Behavioral task: behavioral1
  Sample: 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  Resource: win10v20210410
General
  Target: 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  Size: 182KB
  MD5: 51d84ec7f9fd6f9cc4ed1c491a6419df
  SHA1: fa21e010d7e6d52484ace0722d6e20dbc2c964f8
  SHA256: fdacbb575b9ae8cba7286e562abd4d3547089e0ea17b4885b3a4a738b83831fb
  SHA512: 212333b42e76fee070dbaadf67602a6fa4c5492823cd61034706b6b43f63f52b0dc26997976051178204c70a9bd9881ac10556bf96d4effd8a32d4e82f68363b
Malware Config

Extracted: smokeloader (2020)
Extracted: raccoon
  cd8dc1031358b1aec55cc6bc447df1018b068607
  url4cnc: https://telete.in/jagressor_kz
Signatures

Raccoon Stealer Payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral2/memory/3576-165-0x0000000000400000-0x0000000002D05000-memory.dmp | family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\639D.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\639D.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\6B8D.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\6B8D.exe | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description | pid | process | target process
  PID 3600 created 3576 | 3600 | WerFault.exe | 76B9.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  2240 | 639D.exe
  3532 | 6B8D.exe
  3576 | 76B9.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6B8D.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 639D.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 639D.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6B8D.exe

Deletes itself (1 IoC)
Processes:
  pid | process
  3036

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  3576 | 76B9.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\639D.exe | themida
  C:\Users\Admin\AppData\Local\Temp\639D.exe | themida
  behavioral2/memory/2240-121-0x00000000003F0000-0x00000000003F1000-memory.dmp | themida
  C:\Users\Admin\AppData\Local\Temp\6B8D.exe | themida
  C:\Users\Admin\AppData\Local\Temp\6B8D.exe | themida
  behavioral2/memory/3532-133-0x0000000000EA0000-0x0000000000EA1000-memory.dmp | themida

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 639D.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6B8D.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid | process
  2240 | 639D.exe
  3532 | 6B8D.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 3016 set thread context of 2204 | 3016 | 51d84ec7f9fd6f9cc4ed1c491a6419df.exe | 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
Program crash (32 IoCs)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 51d84ec7f9fd6f9cc4ed1c491a6419df.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  2204 | 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  3036

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  3036

Suspicious behavior: MapViewOfSection (19 IoCs)
Processes:
  pid | process
  2204 | 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  3036
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of UnmapMainImage (1 IoC)
Processes:
  pid | process
  3036

Suspicious use of WriteProcessMemory (47 IoCs)
Processes:
  description | pid | process | target process
  PID 3016 wrote to memory of 2204 | 3016 | 51d84ec7f9fd6f9cc4ed1c491a6419df.exe | 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  PID 3036 wrote to memory of 2240 | 3036 | - | 639D.exe
  PID 3036 wrote to memory of 3532 | 3036 | - | 6B8D.exe
  PID 3036 wrote to memory of 3576 | 3036 | - | 76B9.exe
  PID 3036 wrote to memory of 2364 | 3036 | - | explorer.exe
  PID 3036 wrote to memory of 1664 | 3036 | - | explorer.exe
  PID 3036 wrote to memory of 2764 | 3036 | - | explorer.exe
  PID 3036 wrote to memory of 2732 | 3036 | - | explorer.exe
  PID 3036 wrote to memory of 4076 | 3036 | - | explorer.exe
  PID 3036 wrote to memory of 644 | 3036 | - | explorer.exe
  PID 3036 wrote to memory of 504 | 3036 | - | explorer.exe
  PID 3036 wrote to memory of 1508 | 3036 | - | explorer.exe
  PID 3036 wrote to memory of 1524 | 3036 | - | explorer.exe
Processes
(Each entry is the command line followed by its PID; indented entries are children of the process above them.)

"C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe" (PID 3016)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe" (PID 2204)
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\639D.exe (PID 2240)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\6B8D.exe (PID 3532)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\76B9.exe (PID 3576)
  - Executes dropped EXE
  - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 732 (PID 4048)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 764 (PID 932)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 768 (PID 500)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 864 (PID 1208)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1184 (PID 420)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1224 (PID 1340)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1352 (PID 3908)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1384 (PID 2016)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1264 (PID 4012)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1264 (PID 2512)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1344 (PID 4004)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1300 (PID 964)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1404 (PID 3756)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1252 (PID 932)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1172 (PID 3644)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1324 (PID 2516)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1304 (PID 1268)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1312 (PID 1516)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1408 (PID 2112)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1252 (PID 200)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1432 (PID 2752)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1472 (PID 2280)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1264 (PID 3392)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1512 (PID 2160)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1548 (PID 1740)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1588 (PID 2504)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1652 (PID 2488)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1504 (PID 2864)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1336 (PID 2984)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1560 (PID 3292)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1504 (PID 3056)
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1632 (PID 3600)
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\explorer.exe (PID 2364)

C:\Windows\explorer.exe (PID 1664)

C:\Windows\SysWOW64\explorer.exe (PID 2764)

C:\Windows\explorer.exe (PID 2732)

C:\Windows\SysWOW64\explorer.exe (PID 4076)

C:\Windows\explorer.exe (PID 644)

C:\Windows\SysWOW64\explorer.exe (PID 504)

C:\Windows\explorer.exe (PID 1508)

C:\Windows\SysWOW64\explorer.exe (PID 1524)
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\639D.exe
  MD5: 1e0e17859c0a32b53ae0bafc4e55563b
  SHA1: 590ef228cac03f6da4bdbc1b7e40557d61a3a043
  SHA256: 76d03b8781c66aa25d74ec788dc9c1370ee01000926882c8be7f89f5dcb01d31
  SHA512: 4494ad485fb73538b3e6f5e8e94a073bdddaf6ac50877051078646828c80b71a1e50a09d0ce84f65b021cc1bb0b4d22f317c2eef0dc29513ee927a9c8e7cdf72

C:\Users\Admin\AppData\Local\Temp\6B8D.exe
  MD5: fa2170ab2dfa330d961cccf8e93c757b
  SHA1: d3fd7ae0be7954a547169e29a44d467f14dfb340
  SHA256: 78f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
  SHA512: 3880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e

C:\Users\Admin\AppData\Local\Temp\76B9.exe
  MD5: 760dcf3d0a64b3de5987b1f94a2ec13c
  SHA1: bf6cd26c3c4f89d47ed06ef9a83cc6503c5e8229
  SHA256: b550a523160a67aff256cfbab57e4f3fd71c2580d3dae36424b147b27439a39b
  SHA512: ab8d92496952f87b426232babcc8d1d87ff0fc3417a5f0f07dab742b074c2f39803aa36716ad967a070555a06bad72151da460da8e7dd8f646f8e0536c61ce1e

\Users\Admin\AppData\LocalLow\sqlite3.dll
  MD5: f964811b68f9f1487c2b41e1aef576ce
  SHA1: b423959793f14b1416bc3b7051bed58a1034025f
  SHA256: 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
  SHA512: 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4