smokeloader | 1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4

Analysis

max time kernel
151s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe
Size

201KB
MD5

b5a9eddc6bd8e549dbfeb667648ee195
SHA1

f1b3cadab75a9ecf3f42878d1a1c36c19e776b6d
SHA256

1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4
SHA512

72eda3dfdcaba04780a16235d2af962365cdd52f2203edfa97a23add0653b14106616404e5489a0e89695ad9a576918211d7b7ac93e971906567269ea9e47a93
SSDEEP

3072:Ksq8rAo1NImQnb6mi5LlYihUhG9ef5awUzdhTDw02rwjUQmRJ:dQnb6dlVhN9V9z002sjgR

Score

10^/10

smokeloader systembc backdoor trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4984-133-0x00000000005C0000-0x00000000005C9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

34 1844 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

4DD2.exe1B06.exe2A3A.exeipjjbhm.exe

pid process

2876 4DD2.exe
3736 1B06.exe
3756 2A3A.exe
1036 ipjjbhm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

4DD2.exe

description pid process target process

PID 2876 set thread context of 4236 2876 4DD2.exe rundll32.exe
Drops file in Windows directory 2 IoCs

Processes:

2A3A.exe

description ioc process

File created C:\Windows\Tasks\ipjjbhm.job 2A3A.exe
File opened for modification C:\Windows\Tasks\ipjjbhm.job 2A3A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2156 2876 WerFault.exe 4DD2.exe

flow	pid	process
34	1844	rundll32.exe

pid	process
2876	4DD2.exe
3736	1B06.exe
3756	2A3A.exe
1036	ipjjbhm.exe

description	pid	process	target process
PID 2876 set thread context of 4236	2876	4DD2.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\ipjjbhm.job	2A3A.exe
File opened for modification	C:\Windows\Tasks\ipjjbhm.job	2A3A.exe

pid	pid_target	process	target process
2156	2876	WerFault.exe	4DD2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe4DD2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	4DD2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	4DD2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4DD2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	4DD2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4DD2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	4DD2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	4DD2.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 19 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3068

pid	process
3068

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe

pid	process
4984	1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe
4984	1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3068
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe

pid process

4984 1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe

pid	process
3068

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4236 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3068
3068

pid	process
4236	rundll32.exe

pid	process
3068
3068

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

4DD2.exe

description	pid	process	target process
PID 3068 wrote to memory of 2876	3068		4DD2.exe
PID 3068 wrote to memory of 2876	3068		4DD2.exe
PID 3068 wrote to memory of 2876	3068		4DD2.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 1844	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 4236	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 4236	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 4236	2876	4DD2.exe	rundll32.exe
PID 2876 wrote to memory of 4236	2876	4DD2.exe	rundll32.exe
PID 3068 wrote to memory of 3736	3068		1B06.exe
PID 3068 wrote to memory of 3736	3068		1B06.exe
PID 3068 wrote to memory of 3736	3068		1B06.exe
PID 3068 wrote to memory of 3756	3068		2A3A.exe
PID 3068 wrote to memory of 3756	3068		2A3A.exe
PID 3068 wrote to memory of 3756	3068		2A3A.exe

C:\Users\Admin\AppData\Local\Temp\1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe
"C:\Users\Admin\AppData\Local\Temp\1b5623f996bf9921e77dfc72ee3e253035e187083d03786fa674819e84f85cd4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4984

C:\Users\Admin\AppData\Local\Temp\4DD2.exe
C:\Users\Admin\AppData\Local\Temp\4DD2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1844

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1036
2⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2876 -ip 2876
1⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\1B06.exe
C:\Users\Admin\AppData\Local\Temp\1B06.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Users\Admin\AppData\Local\Temp\2A3A.exe
C:\Users\Admin\AppData\Local\Temp\2A3A.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3756

C:\ProgramData\oupksow\ipjjbhm.exe
C:\ProgramData\oupksow\ipjjbhm.exe start
1⤵
- Executes dropped EXE
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oupksow\ipjjbhm.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\ProgramData\oupksow\ipjjbhm.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B06.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1B06.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A3A.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A3A.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DD2.exe
Filesize
781KB

MD5
b7503f2ce1f8ae161525c09da6ce2fef

SHA1
79dae979810a3af3a8be3700c63c138b17249b32

SHA256
ea1a47b7593cfdd76d063a9c8320bd663098d7345ad361ca6881731e357d590b

SHA512
c164a781ca0e92befb5c27e9d07fbb37c9aa18275d76e9829261d97e427f71d9d7d16f619d23905a89e39a2caf56b6b11640730bd08ca0b2531b937034dd1a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DD2.exe
Filesize
781KB

MD5
b7503f2ce1f8ae161525c09da6ce2fef

SHA1
79dae979810a3af3a8be3700c63c138b17249b32

SHA256
ea1a47b7593cfdd76d063a9c8320bd663098d7345ad361ca6881731e357d590b

SHA512
c164a781ca0e92befb5c27e9d07fbb37c9aa18275d76e9829261d97e427f71d9d7d16f619d23905a89e39a2caf56b6b11640730bd08ca0b2531b937034dd1a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prewodwyyerdeuy..tmp
Filesize
3.5MB

MD5
1951049d57a12b81d96e53ba69eecc2e

SHA1
7c02ee5b4c4f1de5e7955d641c0c4949a9907a22

SHA256
f904e96e8666928f318f5515400282402d1f5d4a6f05304b9e92982ef32e3ba4

SHA512
e7d4f0fd41b8cb17f3969ad094e114bff74c82d57676a23728bd232b83c36116104c1b364d896681f1b0ce0b6ecb746f47ddafbc0b5ac88801bfd599db5abe15

Download Submit
memory/1036-208-0x00000000006F8000-0x0000000000709000-memory.dmp

Filesize
68KB

Download
memory/1036-209-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1844-161-0x0000000000000000-mapping.dmp

Download
memory/1844-166-0x0000000000460000-0x0000000000463000-memory.dmp

Filesize
12KB

Download
memory/1844-167-0x0000000000590000-0x0000000000593000-memory.dmp

Filesize
12KB

Download
memory/1844-168-0x0000000000590000-0x0000000000593000-memory.dmp

Filesize
12KB

Download
memory/2876-181-0x00000000068A0000-0x00000000069E0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-172-0x0000000005C10000-0x0000000006769000-memory.dmp

Filesize
11.3MB

Download
memory/2876-180-0x00000000068A0000-0x00000000069E0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-179-0x00000000068A0000-0x00000000069E0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-178-0x00000000068A0000-0x00000000069E0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-176-0x00000000068A0000-0x00000000069E0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-177-0x0000000005C10000-0x0000000006769000-memory.dmp

Filesize
11.3MB

Download
memory/2876-175-0x00000000068A0000-0x00000000069E0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-174-0x00000000068A0000-0x00000000069E0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-165-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2876-182-0x00000000068A0000-0x00000000069E0000-memory.dmp

Filesize
1.2MB

Download
memory/2876-184-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2876-192-0x0000000005C10000-0x0000000006769000-memory.dmp

Filesize
11.3MB

Download
memory/2876-193-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2876-136-0x0000000000000000-mapping.dmp

Download
memory/2876-163-0x0000000002044000-0x00000000020E5000-memory.dmp

Filesize
644KB

Download
memory/2876-164-0x00000000021F0000-0x00000000022E5000-memory.dmp

Filesize
980KB

Download
memory/3068-170-0x0000000004610000-0x0000000004620000-memory.dmp

Filesize
64KB

Download
memory/3068-154-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-160-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-159-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-158-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-137-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-171-0x0000000004610000-0x0000000004620000-memory.dmp

Filesize
64KB

Download
memory/3068-157-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-173-0x0000000004610000-0x0000000004620000-memory.dmp

Filesize
64KB

Download
memory/3068-156-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-149-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-151-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-153-0x0000000004610000-0x0000000004620000-memory.dmp

Filesize
64KB

Download
memory/3068-145-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-155-0x0000000004610000-0x0000000004620000-memory.dmp

Filesize
64KB

Download
memory/3068-152-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-150-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/3068-148-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-140-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-146-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-141-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-162-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-142-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-143-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3068-144-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/3736-199-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3736-198-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/3736-194-0x0000000000000000-mapping.dmp

Download
memory/3736-203-0x000000000074D000-0x000000000075D000-memory.dmp

Filesize
64KB

Download
memory/3736-197-0x000000000074D000-0x000000000075D000-memory.dmp

Filesize
64KB

Download
memory/3756-205-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3756-204-0x00000000005CD000-0x00000000005DE000-memory.dmp

Filesize
68KB

Download
memory/3756-200-0x0000000000000000-mapping.dmp

Download
memory/4236-188-0x00000000040E0000-0x0000000004220000-memory.dmp

Filesize
1.2MB

Download
memory/4236-185-0x00000000033D0000-0x0000000003F29000-memory.dmp

Filesize
11.3MB

Download
memory/4236-187-0x00000000040E0000-0x0000000004220000-memory.dmp

Filesize
1.2MB

Download
memory/4236-186-0x0000000000E80000-0x00000000018B9000-memory.dmp

Filesize
10.2MB

Download
memory/4236-183-0x0000000000000000-mapping.dmp

Download
memory/4236-191-0x00000000033D0000-0x0000000003F29000-memory.dmp

Filesize
11.3MB

Download
memory/4236-189-0x00000000040E0000-0x0000000004220000-memory.dmp

Filesize
1.2MB

Download
memory/4236-190-0x00000000040E0000-0x0000000004220000-memory.dmp

Filesize
1.2MB

Download
memory/4984-132-0x0000000000658000-0x0000000000669000-memory.dmp

Filesize
68KB

Download
memory/4984-135-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4984-134-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4984-133-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download