smokeloader | 2a6299dfcbcf3186ded295395c7028d651ff178df40d587b531b6bc25f2e3d3f

max time kernel
27s
max time network
21s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15/11/2022, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Size

307KB
MD5

0abe50c1509136bf62d2184ab439e7a5
SHA1

722a7e2a0dd66f506ba93d24946b8bf504b100c0
SHA256

db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
SHA512

0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5
SSDEEP

6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/3884-144-0x0000000000970000-0x0000000000979000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	Process not Found

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e6070b004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000200000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000014832d5476aed80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e6070b004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000300000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000002bf2ee8f75aed80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e60708004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000b4a8ed996daed80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133047973646753305"	Process not Found

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3884	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
3884	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
504	Process not Found
4956	Process not Found
4964	Process not Found
5088	Process not Found
4936	Process not Found
4860	Process not Found
4868	Process not Found
4896	Process not Found
4840	Process not Found
4848	Process not Found
5080	Process not Found
4904	Process not Found
4888	Process not Found
4920	Process not Found
4872	Process not Found
4816	Process not Found
1860	Process not Found
1196	Process not Found
820	Process not Found
812	Process not Found
808	Process not Found
768	Process not Found
908	Process not Found
904	Process not Found
1656	Process not Found
1508	Process not Found
1496	Process not Found
1480	Process not Found
1040	Process not Found
1920	Process not Found
1856	Process not Found
1808	Process not Found
1152	Process not Found
1372	Process not Found
1440	Process not Found
1240	Process not Found
1444	Process not Found
1164	Process not Found
4228	Process not Found
1816	Process not Found
2340	Process not Found
348	Process not Found
2224	Process not Found
644	Process not Found
640	Process not Found
1848	Process not Found
3408	Process not Found
96	Process not Found
204	Process not Found
3384	Process not Found
3400	Process not Found
212	Process not Found
220	Process not Found
304	Process not Found
160	Process not Found
308	Process not Found
2548	Process not Found
2428	Process not Found
2404	Process not Found
2304	Process not Found
2360	Process not Found
2212	Process not Found
2536	Process not Found
780	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3884	db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found
Token: SeShutdownPrivilege	2836	Process not Found
Token: SeCreatePagefilePrivilege	2836	Process not Found

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found
2836	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4732	LogonUI.exe
2836	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 4208	4088	cmd.exe	71
PID 4088 wrote to memory of 4208	4088	cmd.exe	71
PID 4208 wrote to memory of 4976	4208	net.exe	72
PID 4208 wrote to memory of 4976	4208	net.exe	72

C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
"C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3884

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\system32\net.exe
  net user /add shit shit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /add shit shit
    3⤵
    PID:4976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3884-115-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-116-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-117-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-118-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-119-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-120-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-121-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-123-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-124-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-125-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-126-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-127-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-128-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-129-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-130-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-131-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-132-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-133-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-134-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-135-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-136-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-137-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-138-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-139-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-140-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-141-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-143-0x00000000009A0000-0x0000000000AEA000-memory.dmp

Filesize
1.3MB

Download
memory/3884-142-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-144-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/3884-145-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-146-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/3884-147-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-148-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-149-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-150-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-151-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-152-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download