icedid | 60a4c4bd4123ceeaa0e9806aa63dceb164091583112ba166d7708335f35edb8c

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
23-02-2022 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
Size

347KB
MD5

5e0e9e8a5a59e34b24ae82afb780ee1b
SHA1

b7fcc73c90fc8abdccd0cdd1c2ff306a497461cc
SHA256

1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473
SHA512

d7ad21283e25d2b4a6860a23723a7bb7cd3f570471b8072310aa01c321123a2d6dba7fd5b8508431db41d3b75d1d3abcc559160511b8886a6621de862abed502

Score

10^/10

icedid smokeloader 1843818144 backdoor banker evasion loader persistence trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://dollybuster.at/upload/

http://spaldingcompanies.com/upload/

http://remik-franchise.ru/upload/

http://fennsports.com/upload/

http://am1420wbec.com/upload/

http://islamic-city.com/upload/

http://egsagl.com/upload/

http://mordo.ru/upload/

http://piratia-life.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

rc4.i32

Extracted

Family

icedid

Campaign

1843818144

grendafolz.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2240 created 3244	2240	WerFault.exe	explorer.exe
PID 2292 created 2672	2292	WerFault.exe	DllHost.exe
PID 3244 created 1428	3244	WerFault.exe	DllHost.exe
PID 3524 created 3532	3524	WerFault.exe	DllHost.exe

ACProtect 1.3x - 1.4x DLL software 13 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\PROGRA~1\COMMON~1\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/4084-170-0x00000233B3ED0000-0x00000233B3EDB000-memory.dmp	IcedidFirstLoader

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

9B1F.exeAE2B.exe

pid process

836 9B1F.exe
4084 AE2B.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
836	9B1F.exe
4084	AE2B.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\PROGRA~1\COMMON~1\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx

Loads dropped DLL 20 IoCs

Processes:

1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe9B1F.exeielowutil.exeIEXPLORE.EXEexplorer.exeWerFault.exeWerFault.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
4064	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
836	9B1F.exe
836	9B1F.exe
836	9B1F.exe
3628	ielowutil.exe
3628	ielowutil.exe
4012	IEXPLORE.EXE
4012	IEXPLORE.EXE
3628	ielowutil.exe
3628	ielowutil.exe
3628	ielowutil.exe
3244	explorer.exe
2240	WerFault.exe
892	WerFault.exe
1880	explorer.exe
204	explorer.exe
1880	explorer.exe
1880	explorer.exe
1880	explorer.exe
1688	explorer.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe9B1F.exeielowutil.exe

description	ioc	process
File opened (read-only)	\??\e:	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
File opened (read-only)	\??\e:	9B1F.exe
File opened (read-only)	\??\e:	ielowutil.exe

Drops file in Program Files directory 12 IoCs

Processes:

ielowutil.exeexplorer.exe1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe9B1F.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE.tmp	ielowutil.exe
File created	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE.tmp	explorer.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	ielowutil.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	ielowutil.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	ielowutil.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	explorer.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	explorer.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE	explorer.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	9B1F.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	ielowutil.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
892	3244	WerFault.exe	explorer.exe
1512	2672	WerFault.exe	DllHost.exe
3612	1428	WerFault.exe	DllHost.exe
3256	3532	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe9B1F.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B1F.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B1F.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9B1F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3464 tasklist.exe

pid	process
3464	tasklist.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

2800 ipconfig.exe
3532 NETSTAT.EXE
2144 NETSTAT.EXE
3780 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3312 systeminfo.exe

pid	process
2800	ipconfig.exe
3532	NETSTAT.EXE
2144	NETSTAT.EXE
3780	ipconfig.exe

pid	process
3312	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6062c1a9e328d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D24EA0CB-94D6-11EC-82D0-5250347CA0A0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30943459"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30943459"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000061b33a44ec89e5461f46bc88cb8e3a48c8333f0062cc9d19bccc7bd3a38c571e000000000e80000000020000200000009658ee3f0133551505094074d92b7b0aa379e43d1dfdfc1dae1947a26ee9061d20000000de512da6bd28c1f16014b833c0bf47920a2e0d13122a60d03c456dc9cb4ed08c40000000b1576dbf13340c75d89d6b901f4d6453aab249c0a5feb8709844ecf2a69f8a4b30faf05f66836a21f9deed5049efafedcf011d74d17feb5be0b7e842815301a5	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2801463361"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2801463361"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807bb5a9e328d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000074156a49cd02cc5c1fd4d3ef2fa0e5db5bf8a9532d68ad23807464dbd807f3bc000000000e800000000200002000000063310b0b58254d027c574024801b3fed64abeeea770aa9c14243cf4905a237c8200000003d19f17eccd3982d6fff2d61da697f7944db3622dfcbdd4bfe4cfb573b5e39d440000000ed7de20214f00e056284b3c4bd78f188a79ba00678032d26e41a0cc847491d5d434a3f33f9ae4002fe767bd0d7d08bae99e9e28a3bd2e35b38d0c2fd6d3a5c08	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30943459"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2814744400"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe

pid	process
4064	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
4064	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
4064	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
4064	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2372

pid	process
2372

Suspicious behavior: MapViewOfSection 58 IoCs

Processes:

1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe9B1F.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
4064	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
836	9B1F.exe
2372
2372
2372
2372
2372
2372
1880	explorer.exe
1880	explorer.exe
2372
2372
2472	explorer.exe
2472	explorer.exe
2372
2372
204	explorer.exe
204	explorer.exe
2372
2372
3036	explorer.exe
3036	explorer.exe
2372
2372
1688	explorer.exe
1688	explorer.exe
1688	explorer.exe
1688	explorer.exe
2372
2372
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe
1560	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe9B1F.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4064	1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
Token: SeDebugPrivilege	836	9B1F.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: 36	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: 36	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3544	WMIC.exe
Token: SeSecurityPrivilege	3544	WMIC.exe
Token: SeTakeOwnershipPrivilege	3544	WMIC.exe
Token: SeLoadDriverPrivilege	3544	WMIC.exe
Token: SeSystemProfilePrivilege	3544	WMIC.exe
Token: SeSystemtimePrivilege	3544	WMIC.exe
Token: SeProfSingleProcessPrivilege	3544	WMIC.exe
Token: SeIncBasePriorityPrivilege	3544	WMIC.exe
Token: SeCreatePagefilePrivilege	3544	WMIC.exe
Token: SeBackupPrivilege	3544	WMIC.exe
Token: SeRestorePrivilege	3544	WMIC.exe
Token: SeShutdownPrivilege	3544	WMIC.exe
Token: SeDebugPrivilege	3544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3544	WMIC.exe
Token: SeRemoteShutdownPrivilege	3544	WMIC.exe
Token: SeUndockPrivilege	3544	WMIC.exe
Token: SeManageVolumePrivilege	3544	WMIC.exe
Token: 33	3544	WMIC.exe
Token: 34	3544	WMIC.exe
Token: 35	3544	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1800 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1800 iexplore.exe
1800 iexplore.exe
4012 IEXPLORE.EXE
4012 IEXPLORE.EXE

pid	process
1800	iexplore.exe

pid	process
1800	iexplore.exe
1800	iexplore.exe
4012	IEXPLORE.EXE
4012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2372 wrote to memory of 836	2372		9B1F.exe
PID 2372 wrote to memory of 836	2372		9B1F.exe
PID 2372 wrote to memory of 836	2372		9B1F.exe
PID 2372 wrote to memory of 4084	2372		AE2B.exe
PID 2372 wrote to memory of 4084	2372		AE2B.exe
PID 2372 wrote to memory of 3860	2372		cmd.exe
PID 2372 wrote to memory of 3860	2372		cmd.exe
PID 3860 wrote to memory of 1728	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 1728	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3544	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3544	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 4004	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 4004	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 116	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 116	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 4064	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 4064	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 2464	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 2464	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3304	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3304	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 1520	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 1520	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3036	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3036	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 1796	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 1796	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 2172	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 2172	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 1604	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 1604	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3816	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3816	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3144	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 3144	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 2800	3860	cmd.exe	ipconfig.exe
PID 3860 wrote to memory of 2800	3860	cmd.exe	ipconfig.exe
PID 3860 wrote to memory of 3840	3860	cmd.exe	ROUTE.EXE
PID 3860 wrote to memory of 3840	3860	cmd.exe	ROUTE.EXE
PID 3860 wrote to memory of 1556	3860	cmd.exe	netsh.exe
PID 3860 wrote to memory of 1556	3860	cmd.exe	netsh.exe
PID 3860 wrote to memory of 3312	3860	cmd.exe	systeminfo.exe
PID 3860 wrote to memory of 3312	3860	cmd.exe	systeminfo.exe
PID 3860 wrote to memory of 3464	3860	cmd.exe	tasklist.exe
PID 3860 wrote to memory of 3464	3860	cmd.exe	tasklist.exe
PID 3860 wrote to memory of 752	3860	cmd.exe	net.exe
PID 3860 wrote to memory of 752	3860	cmd.exe	net.exe
PID 752 wrote to memory of 2136	752	net.exe	net1.exe
PID 752 wrote to memory of 2136	752	net.exe	net1.exe
PID 3860 wrote to memory of 1012	3860	cmd.exe	net.exe
PID 3860 wrote to memory of 1012	3860	cmd.exe	net.exe
PID 1012 wrote to memory of 1676	1012	net.exe	net1.exe
PID 1012 wrote to memory of 1676	1012	net.exe	net1.exe
PID 3860 wrote to memory of 1532	3860	cmd.exe	net.exe
PID 3860 wrote to memory of 1532	3860	cmd.exe	net.exe
PID 1532 wrote to memory of 392	1532	net.exe	net1.exe
PID 1532 wrote to memory of 392	1532	net.exe	net1.exe
PID 3860 wrote to memory of 1428	3860	cmd.exe	net.exe
PID 3860 wrote to memory of 1428	3860	cmd.exe	net.exe
PID 1428 wrote to memory of 3552	1428	net.exe	net1.exe
PID 1428 wrote to memory of 3552	1428	net.exe	net1.exe
PID 3860 wrote to memory of 388	3860	cmd.exe	net.exe
PID 3860 wrote to memory of 388	3860	cmd.exe	net.exe
PID 3860 wrote to memory of 1136	3860	cmd.exe	net.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2232

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2780

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2672 -s 1020
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2208

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe
"C:\Users\Admin\AppData\Local\Temp\1bc6dc2bd7d420c49f410a30bbcf786a7c68a7e324145487edfc8dfb324c6473.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Users\Admin\AppData\Local\Temp\9B1F.exe
C:\Users\Admin\AppData\Local\Temp\9B1F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Users\Admin\AppData\Local\Temp\AE2B.exe
C:\Users\Admin\AppData\Local\Temp\AE2B.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:4004

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:116

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:4064

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:2464

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:3304

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:1520

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:3036

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:1796

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:2172

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:1604

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3816

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:3144

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:2800

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:3840

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:1556

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:3312

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3464

C:\Windows\system32\net.exe
net accounts /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:2136

C:\Windows\system32\net.exe
net share
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:1676

C:\Windows\system32\net.exe
net user
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:392

C:\Windows\system32\net.exe
net user /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:3552

C:\Windows\system32\net.exe
net use
2⤵
PID:388

C:\Windows\system32\net.exe
net group
2⤵
PID:1136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:444

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:2424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:3612

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:2924

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:2864

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:2144

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:1560

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:3780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:980

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
PID:3628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:17410 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Loads dropped DLL
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 928
2⤵
- Loads dropped DLL
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3244 -ip 3244
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
PID:2240

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2552

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
PID:1880

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2472

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:204

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3036

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1688

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2672 -ip 2672
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2292

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1428 -s 828
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 1428 -ip 1428
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3244

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3532 -s 812
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3532 -ip 3532
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

MD5
ccf8e98dd430827c0c0ed255d1a275b8

SHA1
58e08039f817b807656709f2732dc423b575fda4

SHA256
d422a1cb03c06682202ef62d7651d7a051dfbb7429adf90a50d1c7e9c1cfd455

SHA512
0cb64039a83c8ddd5e3171989585953a1fb8eb2b323a2073ddd8739b8c3830254e11a0fcc515285050004d68faea24a405223d2795aca6d68a7cd30ef66c1afd

Download Submit
C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

MD5
7917283619332240b9b5e8cde77ff581

SHA1
cbe7b2f59fc43c4bd70034703a4f2a22d1378734

SHA256
643fc76940c70a5e891883a7f827816489b89e59a76252412bde995d78f0ca0a

SHA512
662a43d22277c71515b316bf5618c5c0534f4041841627869e95b8a07069211dc104439ef974366e9fa6955114728f9530b258ace8461485d95fef7b40bc201d

Download Submit
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE.tmp

MD5
d89737fa6d6864a259de71abcbfb6e13

SHA1
696768bc4d8c87c6b5b344427293a6147481c1d5

SHA256
a9f6711203aa26ebff4f2a9a0e5d1416c3116bcd06a7477b2f8ff077edd6d31a

SHA512
091652f982e9f76c7b80def67e6e3aec6153da7031386eb238701cf34bda33f5f1306bee74faf58fa125ee6a10d7b833592dd088ce422504abce96e58b9026b1

Download Submit
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE.tmp

MD5
d89737fa6d6864a259de71abcbfb6e13

SHA1
696768bc4d8c87c6b5b344427293a6147481c1d5

SHA256
a9f6711203aa26ebff4f2a9a0e5d1416c3116bcd06a7477b2f8ff077edd6d31a

SHA512
091652f982e9f76c7b80def67e6e3aec6153da7031386eb238701cf34bda33f5f1306bee74faf58fa125ee6a10d7b833592dd088ce422504abce96e58b9026b1

Download Submit
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE.tmp

MD5
e40e40b27f4f9e2035a618cfe851fd78

SHA1
66a01f32fae183dafe4e08e39d94a888af6a0c7b

SHA256
16f28d96345cdf0582aa25e98e5b53ba0aed004aa89b32702da28960a931695e

SHA512
f7c440b5f350daeec232edc5a4d2bd35d6b4d048434fc90d75b85aee9d7a280f24472d8a681651228b229262441dd9960af073b2016d75fa6e1fd6b434d50004

Download Submit
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE.tmp

MD5
e40e40b27f4f9e2035a618cfe851fd78

SHA1
66a01f32fae183dafe4e08e39d94a888af6a0c7b

SHA256
16f28d96345cdf0582aa25e98e5b53ba0aed004aa89b32702da28960a931695e

SHA512
f7c440b5f350daeec232edc5a4d2bd35d6b4d048434fc90d75b85aee9d7a280f24472d8a681651228b229262441dd9960af073b2016d75fa6e1fd6b434d50004

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B1F.exe

MD5
b7c2dd1847c13c290cf0222b97683296

SHA1
e1476364cf71b87e924e08eaf9fa16ab3ed183e6

SHA256
0744f30041cee2b2925b9f6025eea636dc6d7271837d5c936f847d2ea55ef778

SHA512
1fccaf3886fefe728f54dba8954b7037c47100504dab1ce64c8af9ffb656a7133b865055cd116bac32e60a198e0e1a4fd1fb571723a74be6e28366011cd434d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B1F.exe

MD5
c4f0898d67d9e7b6cda8d7380e784bbf

SHA1
0d4e0aa5a8f4ae82b4ce4e60ae9172bddcbc6350

SHA256
f24d594c3552420c54c2cef227d8de56c44fcd0dbbf2cc04320dcd17b7f26531

SHA512
19e0a71a0ee8964dda002af20d9a970b6a24b109d8c24b64d0322f9c7295cae852def83c10cfb379991f00f9f1e3557fce7a9a4075d3aa72d63b94be57730732

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B1F.exe

MD5
c4f0898d67d9e7b6cda8d7380e784bbf

SHA1
0d4e0aa5a8f4ae82b4ce4e60ae9172bddcbc6350

SHA256
f24d594c3552420c54c2cef227d8de56c44fcd0dbbf2cc04320dcd17b7f26531

SHA512
19e0a71a0ee8964dda002af20d9a970b6a24b109d8c24b64d0322f9c7295cae852def83c10cfb379991f00f9f1e3557fce7a9a4075d3aa72d63b94be57730732

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B1F.exe.tmp

MD5
b7c2dd1847c13c290cf0222b97683296

SHA1
e1476364cf71b87e924e08eaf9fa16ab3ed183e6

SHA256
0744f30041cee2b2925b9f6025eea636dc6d7271837d5c936f847d2ea55ef778

SHA512
1fccaf3886fefe728f54dba8954b7037c47100504dab1ce64c8af9ffb656a7133b865055cd116bac32e60a198e0e1a4fd1fb571723a74be6e28366011cd434d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B1F.exe.tmp

MD5
b7c2dd1847c13c290cf0222b97683296

SHA1
e1476364cf71b87e924e08eaf9fa16ab3ed183e6

SHA256
0744f30041cee2b2925b9f6025eea636dc6d7271837d5c936f847d2ea55ef778

SHA512
1fccaf3886fefe728f54dba8954b7037c47100504dab1ce64c8af9ffb656a7133b865055cd116bac32e60a198e0e1a4fd1fb571723a74be6e28366011cd434d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE2B.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE2B.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
\??\c:\progra~1\common~1\system\symsrv.dll.000

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
\??\c:\progra~1\common~1\system\symsrv.dll.000

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
memory/204-196-0x0000000000E40000-0x0000000000E49000-memory.dmp

Filesize
36KB

Download
memory/204-195-0x0000000000E50000-0x0000000000E55000-memory.dmp

Filesize
20KB

Download
memory/836-165-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/836-160-0x00000000006B1000-0x00000000006C1000-memory.dmp

Filesize
64KB

Download
memory/836-163-0x00000000006B1000-0x00000000006C1000-memory.dmp

Filesize
64KB

Download
memory/836-164-0x0000000000580000-0x0000000000589000-memory.dmp

Filesize
36KB

Download
memory/1560-208-0x00000000012D0000-0x00000000012DD000-memory.dmp

Filesize
52KB

Download
memory/1560-207-0x00000000012E0000-0x00000000012E7000-memory.dmp

Filesize
28KB

Download
memory/1688-204-0x0000000000BF0000-0x0000000000BF6000-memory.dmp

Filesize
24KB

Download
memory/1688-206-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

Filesize
44KB

Download
memory/1880-191-0x0000000000450000-0x000000000045B000-memory.dmp

Filesize
44KB

Download
memory/1880-190-0x0000000000460000-0x0000000000467000-memory.dmp

Filesize
28KB

Download
memory/1928-221-0x0000026F97DF0000-0x0000026F97DFD000-memory.dmp

Filesize
52KB

Download
memory/2100-219-0x000002706D3F0000-0x000002706D3FD000-memory.dmp

Filesize
52KB

Download
memory/2160-209-0x000001504DE80000-0x000001504DE81000-memory.dmp

Filesize
4KB

Download
memory/2160-210-0x000001504DE70000-0x000001504DE7D000-memory.dmp

Filesize
52KB

Download
memory/2208-211-0x000001A8BFFE0000-0x000001A8BFFE1000-memory.dmp

Filesize
4KB

Download
memory/2208-212-0x000001A8BFFA0000-0x000001A8BFFAD000-memory.dmp

Filesize
52KB

Download
memory/2232-213-0x0000022A0C810000-0x0000022A0C811000-memory.dmp

Filesize
4KB

Download
memory/2232-214-0x0000022A0C800000-0x0000022A0C80D000-memory.dmp

Filesize
52KB

Download
memory/2372-155-0x0000000000D90000-0x0000000000DA6000-memory.dmp

Filesize
88KB

Download
memory/2372-169-0x00000000081B0000-0x00000000081C6000-memory.dmp

Filesize
88KB

Download
memory/2372-172-0x00000000089C0000-0x00000000089CF000-memory.dmp

Filesize
60KB

Download
memory/2472-192-0x0000000001090000-0x0000000001099000-memory.dmp

Filesize
36KB

Download
memory/2472-193-0x0000000001080000-0x000000000108E000-memory.dmp

Filesize
56KB

Download
memory/2476-216-0x00000197D2A80000-0x00000197D2A8D000-memory.dmp

Filesize
52KB

Download
memory/2476-215-0x00000197D33D0000-0x00000197D33D1000-memory.dmp

Filesize
4KB

Download
memory/2552-188-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/2780-217-0x000001CCBC8E0000-0x000001CCBC8ED000-memory.dmp

Filesize
52KB

Download
memory/2848-218-0x0000025208B30000-0x0000025208B3D000-memory.dmp

Filesize
52KB

Download
memory/3036-197-0x00000000012A0000-0x00000000012A6000-memory.dmp

Filesize
24KB

Download
memory/3036-198-0x0000000001290000-0x000000000129C000-memory.dmp

Filesize
48KB

Download
memory/3244-185-0x0000000000160000-0x00000000001CB000-memory.dmp

Filesize
428KB

Download
memory/3244-184-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3360-220-0x000002BDAB3B0000-0x000002BDAB3BD000-memory.dmp

Filesize
52KB

Download
memory/3628-205-0x0000000004770000-0x000000000477B000-memory.dmp

Filesize
44KB

Download
memory/3628-203-0x00000000775C5000-0x00000000775C6000-memory.dmp

Filesize
4KB

Download
memory/4064-143-0x0000000000417000-0x0000000000418000-memory.dmp

Filesize
4KB

Download
memory/4064-148-0x0000000000409000-0x000000000040A000-memory.dmp

Filesize
4KB

Download
memory/4064-142-0x000000000040A000-0x000000000040B000-memory.dmp

Filesize
4KB

Download
memory/4064-149-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/4064-141-0x0000000000414000-0x0000000000415000-memory.dmp

Filesize
4KB

Download
memory/4064-147-0x000000000041D000-0x0000000000420000-memory.dmp

Filesize
12KB

Download
memory/4064-152-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/4064-140-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/4064-154-0x00000000775C5000-0x00000000775C6000-memory.dmp

Filesize
4KB

Download
memory/4064-145-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/4064-144-0x000000000040D000-0x000000000040E000-memory.dmp

Filesize
4KB

Download
memory/4064-151-0x0000000002230000-0x0000000002239000-memory.dmp

Filesize
36KB

Download
memory/4064-150-0x00000000005A9000-0x00000000005B9000-memory.dmp

Filesize
64KB

Download
memory/4064-153-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4064-146-0x0000000000416000-0x0000000000417000-memory.dmp

Filesize
4KB

Download
memory/4064-139-0x0000000000419000-0x000000000041A000-memory.dmp

Filesize
4KB

Download
memory/4064-138-0x000000000041A000-0x000000000041B000-memory.dmp

Filesize
4KB

Download
memory/4064-137-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/4064-136-0x0000000000418000-0x0000000000419000-memory.dmp

Filesize
4KB

Download
memory/4064-135-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4064-134-0x0000000000413000-0x0000000000414000-memory.dmp

Filesize
4KB

Download
memory/4064-132-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/4064-133-0x0000000000411000-0x0000000000413000-memory.dmp

Filesize
8KB

Download
memory/4064-131-0x00000000005A9000-0x00000000005B9000-memory.dmp

Filesize
64KB

Download
memory/4084-170-0x00000233B3ED0000-0x00000233B3EDB000-memory.dmp

Filesize
44KB

Download