Analysis
max time kernel: 162s
max time network: 134s
platform: windows10_x64
resource: win10v20210408
submitted: 16-08-2021 09:50

Tasks
Static task: static1
Behavioral task: behavioral1, sample x2BFjy8SRtdIV0VKlMSL7WDQ.exe, resource win7v20210408
Behavioral task: behavioral2, sample x2BFjy8SRtdIV0VKlMSL7WDQ.exe, resource win10v20210408

General
Target: x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Size: 194KB
MD5: ced17a3bd52eab4a5105c0e58945b9de
SHA1: 8a49a9f44a9940f768f3c6c23fe568b9c56554c5
SHA256: 4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486
SHA512: 4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e
Malware Config
Extracted: smokeloader
Version: 2020
Extracted: raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
url4cnc: https://telete.in/jagressor_kz
Signatures

Raccoon Stealer Payload 2 IoCs
resource | yara_rule
behavioral2/memory/3424-160-0x0000000004930000-0x00000000049C1000-memory.dmp | family_raccoon
behavioral2/memory/3424-162-0x0000000000400000-0x0000000002D05000-memory.dmp | family_raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 4 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\D36E.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\D36E.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\DB7D.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\DB7D.exe | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description | pid | process | target process
PID 1484 created 3424 | 1484 | WerFault.exe | E10C.exe
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Downloads MZ/PE file
Executes dropped EXE 3 IoCs
pid | process
2200 | D36E.exe
964 | DB7D.exe
3424 | E10C.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | D36E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DB7D.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DB7D.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | D36E.exe
Deletes itself 1 IoCs
pid | process
3024 | (no image name recorded)

Loads dropped DLL 1 IoCs
pid | process
3424 | E10C.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer (yara rule matches)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\D36E.exe | themida
C:\Users\Admin\AppData\Local\Temp\D36E.exe | themida
behavioral2/memory/2200-122-0x00000000008F0000-0x00000000008F1000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\DB7D.exe | themida
C:\Users\Admin\AppData\Local\Temp\DB7D.exe | themida
behavioral2/memory/964-133-0x0000000000F20000-0x0000000000F21000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DB7D.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | D36E.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | process
2200 | D36E.exe
964 | DB7D.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | process | target process
PID 664 set thread context of 3904 | 664 | x2BFjy8SRtdIV0VKlMSL7WDQ.exe | x2BFjy8SRtdIV0VKlMSL7WDQ.exe

Program crash 32 IoCs
pid | pid_target | process | target process
2448 | 3424 | WerFault.exe | E10C.exe
836 | 3424 | WerFault.exe | E10C.exe
3168 | 3424 | WerFault.exe | E10C.exe
2724 | 3424 | WerFault.exe | E10C.exe
3112 | 3424 | WerFault.exe | E10C.exe
2080 | 3424 | WerFault.exe | E10C.exe
3136 | 3424 | WerFault.exe | E10C.exe
4048 | 3424 | WerFault.exe | E10C.exe
3008 | 3424 | WerFault.exe | E10C.exe
3844 | 3424 | WerFault.exe | E10C.exe
408 | 3424 | WerFault.exe | E10C.exe
3016 | 3424 | WerFault.exe | E10C.exe
2628 | 3424 | WerFault.exe | E10C.exe
1060 | 3424 | WerFault.exe | E10C.exe
888 | 3424 | WerFault.exe | E10C.exe
496 | 3424 | WerFault.exe | E10C.exe
1336 | 3424 | WerFault.exe | E10C.exe
3872 | 3424 | WerFault.exe | E10C.exe
3948 | 3424 | WerFault.exe | E10C.exe
3588 | 3424 | WerFault.exe | E10C.exe
3844 | 3424 | WerFault.exe | E10C.exe
1192 | 3424 | WerFault.exe | E10C.exe
3168 | 3424 | WerFault.exe | E10C.exe
1664 | 3424 | WerFault.exe | E10C.exe
2724 | 3424 | WerFault.exe | E10C.exe
2084 | 3424 | WerFault.exe | E10C.exe
4060 | 3424 | WerFault.exe | E10C.exe
3700 | 3424 | WerFault.exe | E10C.exe
712 | 3424 | WerFault.exe | E10C.exe
3800 | 3424 | WerFault.exe | E10C.exe
1860 | 3424 | WerFault.exe | E10C.exe
1484 | 3424 | WerFault.exe | E10C.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process
3904 | x2BFjy8SRtdIV0VKlMSL7WDQ.exe
3904 | x2BFjy8SRtdIV0VKlMSL7WDQ.exe
3024 | (no image name recorded; 62 identical entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
3024 | (no image name recorded)

Suspicious behavior: MapViewOfSection 19 IoCs
pid | process
3904 | x2BFjy8SRtdIV0VKlMSL7WDQ.exe
3024 | (no image name recorded; 18 identical entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | process
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege, alternating (14 entries) | 3024 | (no image name recorded)
Token: SeDebugPrivilege | 2200 | D36E.exe
Token: SeDebugPrivilege | 964 | DB7D.exe
Token: SeRestorePrivilege | 2448 | WerFault.exe
Token: SeBackupPrivilege | 2448 | WerFault.exe
Token: SeDebugPrivilege | 2448 | WerFault.exe
Token: SeDebugPrivilege (one entry per pid) | 836, 3168, 2724, 3112, 2080, 3136, 4048, 3008, 3844, 408, 3016, 2628, 1060, 888, 496, 1336, 3872 | WerFault.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege, alternating (8 entries) | 3024 | (no image name recorded)
Token: SeDebugPrivilege (one entry per pid) | 3948, 3588, 3844, 1192, 3168, 1664, 2724, 2084, 4060, 3700, 712, 3800, 1860, 1484 | WerFault.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege, alternating (6 entries) | 3024 | (no image name recorded)

Suspicious use of UnmapMainImage 1 IoCs
pid | process
3024 | (no image name recorded)

Suspicious use of WriteProcessMemory 47 IoCs
description | pid | process | target process
PID 664 wrote to memory of 3904 (6 entries) | 664 | x2BFjy8SRtdIV0VKlMSL7WDQ.exe | x2BFjy8SRtdIV0VKlMSL7WDQ.exe
PID 3024 wrote to memory of 2200 (3 entries) | 3024 | (no image name recorded) | D36E.exe
PID 3024 wrote to memory of 964 (3 entries) | 3024 | (no image name recorded) | DB7D.exe
PID 3024 wrote to memory of 3424 (3 entries) | 3024 | (no image name recorded) | E10C.exe
PID 3024 wrote to memory of 1460 (4 entries) | 3024 | (no image name recorded) | explorer.exe
PID 3024 wrote to memory of 2336 (3 entries) | 3024 | (no image name recorded) | explorer.exe
PID 3024 wrote to memory of 3772 (4 entries) | 3024 | (no image name recorded) | explorer.exe
PID 3024 wrote to memory of 2788 (3 entries) | 3024 | (no image name recorded) | explorer.exe
PID 3024 wrote to memory of 1980 (4 entries) | 3024 | (no image name recorded) | explorer.exe
PID 3024 wrote to memory of 196 (3 entries) | 3024 | (no image name recorded) | explorer.exe
PID 3024 wrote to memory of 2284 (4 entries) | 3024 | (no image name recorded) | explorer.exe
PID 3024 wrote to memory of 3544 (3 entries) | 3024 | (no image name recorded) | explorer.exe
PID 3024 wrote to memory of 2496 (4 entries) | 3024 | (no image name recorded) | explorer.exe
Processes

Level 1: "C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Level 2: "C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

Level 1: C:\Users\Admin\AppData\Local\Temp\D36E.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Users\Admin\AppData\Local\Temp\DB7D.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Users\Admin\AppData\Local\Temp\E10C.exe
  - Executes dropped EXE
  - Loads dropped DLL
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 736
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 848
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 824
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 868
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1188
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1312
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1348
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1388
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1240
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1428
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1280
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1284
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1400
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1324
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1372
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1284
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1360
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1272
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1536
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1456
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1540
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1296
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1256
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1272
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1304
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1368
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1428
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1372
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1356
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1204
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1328
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1224
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\SysWOW64\explorer.exe
Level 1: C:\Windows\explorer.exe
Level 1: C:\Windows\SysWOW64\explorer.exe
Level 1: C:\Windows\explorer.exe
Level 1: C:\Windows\SysWOW64\explorer.exe
Level 1: C:\Windows\explorer.exe
Level 1: C:\Windows\SysWOW64\explorer.exe
Level 1: C:\Windows\explorer.exe
Level 1: C:\Windows\SysWOW64\explorer.exe
Downloads
C:\Users\Admin\AppData\Local\Temp\D36E.exe
C:\Users\Admin\AppData\Local\Temp\DB7D.exe
C:\Users\Admin\AppData\Local\Temp\E10C.exe
\Users\Admin\AppData\LocalLow\sqlite3.dll