Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/12/2022, 18:07
Static task: static1
Behavioral task: behavioral1
- Sample: afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc.exe
- Resource: win10v2004-20221111-en
General
- Target: afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc.exe
- Size: 312KB
- MD5: 88e84db01e522fe947af3f5359fa7fa4
- SHA1: 90b859b5f355d9c5fa8500a403d16fd38f53a79f
- SHA256: afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc
- SHA512: 0a7452621387c5e4009de2a78e531f1c2fd3f0a1964dc2f97066fb70af3ef30f19bd53def44cf0c41658f6faa81663153652886d497ae1aa0670218e14c376c5
- SSDEEP: 6144:DLt0OQU1eXjJQX1G9AEsLbMSmLDsxyIxZ1WqqdS09R:Dh0OQU4XjJQX1VV/dYX
Malware Config
Signatures
Detects Smokeloader packer 1 IoCs
- resource: behavioral1/memory/3064-133-0x00000000007B0000-0x00000000007B9000-memory.dmp, yara_rule: family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
- PID 5040: 4362.exe
- PID 5088: Sppyteaet.exe
- PID 528: gvrucgd
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (4362.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (rundll32.exe)
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
- PID 2648: Process not Found
- PID 5096: chrome.exe
Suspicious use of SetThreadContext 1 IoCs
- PID 5040 (4362.exe) set thread context of PID 2208 (procid_target 90)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
- PID 3844 (WerFault.exe) handling crash of PID 5040 (procid_target 88)
- PID 4620 (WerFault.exe) handling crash of PID 5096 (procid_target 93)
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gvrucgd)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gvrucgd)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gvrucgd)
Checks processor information in registry 2 TTPs 49 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Modifies registry class 19 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 2648: Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 3064: afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc.exe (2 entries)
- PID 2648: Process not Found (all remaining entries, identical)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 2648: Process not Found
Suspicious behavior: MapViewOfSection 2 IoCs
- PID 3064: afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc.exe
- PID 528: gvrucgd
Suspicious use of AdjustPrivilegeToken 35 IoCs (repeated entries collapsed)
- Token: SeDebugPrivilege, PID 5088 (Sppyteaet.exe)
- Token: SeDebugPrivilege, PID 2208 (rundll32.exe)
- Token: SeDebugPrivilege, PID 2648 (Process not Found)
- Token: SeShutdownPrivilege, PID 2648 (Process not Found)
- Token: SeCreatePagefilePrivilege, PID 2648 (Process not Found)
Suspicious use of FindShellTrayWindow 3 IoCs
- PID 5088: Sppyteaet.exe
- PID 2208: rundll32.exe
- PID 5096: chrome.exe
Suspicious use of SendNotifyMessage 1 IoCs
- PID 5088: Sppyteaet.exe
Suspicious use of SetWindowsHookEx 3 IoCs
- PID 2648: Process not Found (2 entries)
- PID 5096: chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs (repeated entries collapsed)
- PID 2648 (Process not Found) wrote to memory of PID 5040 (procid_target 88)
- PID 5040 (4362.exe) wrote to memory of PID 5088 (procid_target 89)
- PID 5040 (4362.exe) wrote to memory of PID 2208 (procid_target 90)
- PID 2648 (Process not Found) wrote to memory of PID 5096 (procid_target 93)
- PID 5096 (chrome.exe) wrote to memory of PID 3436 (procid_target 94)
- PID 5096 (chrome.exe) wrote to memory of PID 1668 (procid_target 97)
- PID 5096 (chrome.exe) wrote to memory of PID 1624 (procid_target 98)
- PID 5096 (chrome.exe) wrote to memory of PID 688 (procid_target 99)
outlook_office_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
outlook_win_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc.exe (PID 3064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\4362.exe (PID 5040)
  Command line: C:\Users\Admin\AppData\Local\Temp\4362.exe
  Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Checks processor information in registry; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe (PID 5088)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\rundll32.exe (PID 2208)
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    Signatures: Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; outlook_office_path; outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe (PID 3844)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1164
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 984)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5040 -ip 5040
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5096)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Enumerates system info in registry; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3436)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1a6b4f50,0x7ffa1a6b4f60,0x7ffa1a6b4f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1668)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,12791064056842922374,15366452526070471525,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1624)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,12791064056842922374,15366452526070471525,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1980 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 688)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,12791064056842922374,15366452526070471525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2412 /prefetch:8
  - C:\Windows\system32\WerFault.exe (PID 4620)
    Command line: C:\Windows\system32\WerFault.exe -u -p 5096 -s 3116
    Signatures: Program crash
- C:\Windows\System32\CompPkgSrv.exe (PID 1504)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\WerFault.exe (PID 2652)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 556 -p 5096 -ip 5096
- C:\Users\Admin\AppData\Roaming\gvrucgd (PID 528)
  Command line: C:\Users\Admin\AppData\Roaming\gvrucgd
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5.6MB
  MD5: 2865cc8250e8d72b957c304a3a5ab4d3
  SHA1: 1fd166072b73e090968c83c76b324b5399f5dde8
  SHA256: d32c3e48952c756cdc0990cacf893dc1be197a44e69a46cff7992c67629f50fa
  SHA512: 9fffd64f5b62e2e362058f968e41532d1894e5de40d2fb8b994f76e9813d09b0b0db7babcb0efa284804612e9141555053343b262fa7bea882e43d119677a64b
- Filesize: 1.3MB
  MD5: ff6a5732355485b459248f586c2b6945
  SHA1: 07da3f03ef18e2eaddfceb050b68e93fd533f7a3
  SHA256: 366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
  SHA512: 379fd03ebec85a9b15caf0aa8ba5a43c76199391ba3a2b29d20426501294e66d8f07c219e05355b47702e5a836d1a89015533f72da6bbe2ded57ee5d24056749
- Filesize: 312KB
  MD5: 88e84db01e522fe947af3f5359fa7fa4
  SHA1: 90b859b5f355d9c5fa8500a403d16fd38f53a79f
  SHA256: afc2e82908e33ed18369797088e118c93880c07ed785946f6a351aa8bef739fc
  SHA512: 0a7452621387c5e4009de2a78e531f1c2fd3f0a1964dc2f97066fb70af3ef30f19bd53def44cf0c41658f6faa81663153652886d497ae1aa0670218e14c376c5