Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2022 12:34
Static task
static1
Behavioral task
behavioral1
Sample
5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
27 signatures
150 seconds
General
-
Target
5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe
-
Size
231KB
-
MD5
24170fa94eef3bb1dc9ba5e714543ed5
-
SHA1
de41bbb64f2b0bfcbe474c3e463ff1963d97f42b
-
SHA256
5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3
-
SHA512
34e380590e3604b3ea1f70f346ecdb6b8214b47816f851e1ce3697e885eaad1e33c931e548284bab83e8776292ff8f7f28ad2166273f7dbb9af04d554f19bd83
-
SSDEEP
3072:3XJkLtGo5bxEpoNzJzBxUijwFbo7xqdy4tJ/Wsrg4xw7RkxmJZs:36LsqN1zBxUipg46J/WsrjxGymI
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/2220-133-0x0000000002190000-0x0000000002199000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
flow pid Process 61 3584 rundll32.exe 64 3584 rundll32.exe 111 3584 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 208 DBAF.exe -
Loads dropped DLL 1 IoCs
pid Process 3584 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3584 set thread context of 1056 3584 rundll32.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1040 208 WerFault.exe 86 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe -
Checks processor information in registry 2 TTPs 22 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found -
Modifies registry class 30 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000099556a6c100054656d7000003a0009000400efbe0c55199999556f6c2e0000000000000000000000000000000000000000000000000025725b00540065006d007000000014000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 700 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2220 5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe 2220 5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 700 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2220 5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeDebugPrivilege 3584 rundll32.exe Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 1056 rundll32.exe 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 3584 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 700 Process not Found 700 Process not Found -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 700 wrote to memory of 208 700 Process not Found 86 PID 700 wrote to memory of 208 700 Process not Found 86 PID 700 wrote to memory of 208 700 Process not Found 86 PID 208 wrote to memory of 3584 208 DBAF.exe 87 PID 208 wrote to memory of 3584 208 DBAF.exe 87 PID 208 wrote to memory of 3584 208 DBAF.exe 87 PID 3584 wrote to memory of 1056 3584 rundll32.exe 91 PID 3584 wrote to memory of 1056 3584 rundll32.exe 91 PID 3584 wrote to memory of 1056 3584 rundll32.exe 91 PID 3584 wrote to memory of 4700 3584 rundll32.exe 92 PID 3584 wrote to memory of 4700 3584 rundll32.exe 92 PID 3584 wrote to memory of 4700 3584 rundll32.exe 92 PID 3584 wrote to memory of 1632 3584 rundll32.exe 95 PID 3584 wrote to memory of 1632 3584 rundll32.exe 95 PID 3584 wrote to memory of 1632 3584 rundll32.exe 95 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe"C:\Users\Admin\AppData\Local\Temp\5ed47a43b8d0d423215bcba69e73511c1169061748076818d62dab3ea8c3f9e3.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2220
-
C:\Users\Admin\AppData\Local\Temp\DBAF.exeC:\Users\Admin\AppData\Local\Temp\DBAF.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp",Dsdupihuqo2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3584 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 223613⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1056
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:4700
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:1632
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 5242⤵
- Program crash
PID:1040
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 208 -ip 2081⤵PID:4588
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4304
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵PID:2220
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5fc06223e149202f91d3bd8ca7993c2d3
SHA1a9b9471ce72bd5e5b991e1985e5de0672bed06e8
SHA256a2322e86cae01329ae93947d554093b7254ef38f9febf4ac62efeefa8c2dc76d
SHA512961db3445c2c6f09e6654a360afb270afae2d6a530d7e7138ecf4892925675781ebb73de78fb3d5fca19040b85459c93b0c9543a360e3fb23a365d9564821f99
-
Filesize
1.1MB
MD5fc06223e149202f91d3bd8ca7993c2d3
SHA1a9b9471ce72bd5e5b991e1985e5de0672bed06e8
SHA256a2322e86cae01329ae93947d554093b7254ef38f9febf4ac62efeefa8c2dc76d
SHA512961db3445c2c6f09e6654a360afb270afae2d6a530d7e7138ecf4892925675781ebb73de78fb3d5fca19040b85459c93b0c9543a360e3fb23a365d9564821f99
-
Filesize
792KB
MD59e3ff54c77c7d43bfdf8cff1d31c3c51
SHA19681f127f0300093ac15d8a3fc16c289f0b9c045
SHA2562c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d
SHA512d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec
-
Filesize
792KB
MD59e3ff54c77c7d43bfdf8cff1d31c3c51
SHA19681f127f0300093ac15d8a3fc16c289f0b9c045
SHA2562c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d
SHA512d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec