smokeloader | a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2022 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933.exe
Size

296KB
MD5

9bb6008b648e3e1d6d1c76148217870c
SHA1

7b74d75e415eb9f77ae22ee2261b5d54196c04e0
SHA256

a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933
SHA512

196fd0ae69b64767e871c516488705f45f4e06d709ac7597231497f57137ab7c06bc0bd7cd5a856bc5f311747d303701d54eaa7793ae57caa1348708d267a2aa
SSDEEP

3072:8/ZW4if1/1pLeX1GoJoBRBOUiw6jbpJ1QOIxMGIXLqNwE6f+8U9SkEqwi:l4IrLyGoJoxahjbRQjiGIhE6G8UIkEq

Score

10^/10

smokeloader backdoor discovery trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/944-133-0x00000000021A0000-0x00000000021A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3916	498C.exe
2704	Otfhfhweptay.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	498C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2408	Process not Found
4544	chrome.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3916 set thread context of 4764	3916	498C.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3384	4764	WerFault.exe	88
3780	3916	WerFault.exe	86
3316	2704	WerFault.exe	87
2368	4544	WerFault.exe	96

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933.exe

Checks processor information in registry 2 TTPs 45 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	498C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	498C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	498C.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	498C.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	498C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	498C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	498C.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	498C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	498C.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
944	a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933.exe
944	a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933.exe
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found
2408	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2408	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
944	a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	rundll32.exe
Token: SeDebugPrivilege	2704	Otfhfhweptay.exe
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeDebugPrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found
Token: SeShutdownPrivilege	2408	Process not Found
Token: SeCreatePagefilePrivilege	2408	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4764	rundll32.exe
2704	Otfhfhweptay.exe
4544	chrome.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2704	Otfhfhweptay.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4544	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3916	2408	Process not Found	86
PID 2408 wrote to memory of 3916	2408	Process not Found	86
PID 2408 wrote to memory of 3916	2408	Process not Found	86
PID 3916 wrote to memory of 2704	3916	498C.exe	87
PID 3916 wrote to memory of 2704	3916	498C.exe	87
PID 3916 wrote to memory of 2704	3916	498C.exe	87
PID 3916 wrote to memory of 4764	3916	498C.exe	88
PID 3916 wrote to memory of 4764	3916	498C.exe	88
PID 3916 wrote to memory of 4764	3916	498C.exe	88
PID 3916 wrote to memory of 4764	3916	498C.exe	88
PID 2408 wrote to memory of 4544	2408	Process not Found	96
PID 2408 wrote to memory of 4544	2408	Process not Found	96
PID 4544 wrote to memory of 1796	4544	chrome.exe	97
PID 4544 wrote to memory of 1796	4544	chrome.exe	97
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 1724	4544	chrome.exe	100
PID 4544 wrote to memory of 3132	4544	chrome.exe	101
PID 4544 wrote to memory of 3132	4544	chrome.exe	101
PID 4544 wrote to memory of 1676	4544	chrome.exe	102
PID 4544 wrote to memory of 1676	4544	chrome.exe	102
PID 4544 wrote to memory of 1676	4544	chrome.exe	102
PID 4544 wrote to memory of 1676	4544	chrome.exe	102
PID 4544 wrote to memory of 1676	4544	chrome.exe	102
PID 4544 wrote to memory of 1676	4544	chrome.exe	102
PID 4544 wrote to memory of 1676	4544	chrome.exe	102
PID 4544 wrote to memory of 1676	4544	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933.exe
"C:\Users\Admin\AppData\Local\Temp\a40168b530d3ea4b9d3cef906d53d757755efee1572924d49a3eb968ccb37933.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:944

C:\Users\Admin\AppData\Local\Temp\498C.exe
C:\Users\Admin\AppData\Local\Temp\498C.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\Otfhfhweptay.exe
  "C:\Users\Admin\AppData\Local\Temp\Otfhfhweptay.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 440
    3⤵
    - Program crash
    PID:3316
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1380
    3⤵
    - Program crash
    PID:3384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1452
  2⤵
  - Program crash
  PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4764 -ip 4764
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3916 -ip 3916
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2704 -ip 2704
1⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe1694f50,0x7fffe1694f60,0x7fffe1694f70
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,7847355745782657684,8733268166840539352,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,7847355745782657684,8733268166840539352,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1964 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,7847355745782657684,8733268166840539352,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,7847355745782657684,8733268166840539352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:1556
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4544 -s 3576
  2⤵
  - Program crash
  PID:2368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4544 -ip 4544
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\498C.exe

Filesize
6.7MB

MD5
60f97611d0eade73efa5e1c01c9cf1a3

SHA1
bc431ea137ced41bbf254895eb455094ccf39454

SHA256
68155dc3be0bbf2f43aa4069f834011ab812a2d9851c158f2ff3fcac897bb108

SHA512
a0b39b1a0456ed94655de64dfa85f52d71f5be71d218ba5b72543d3fa23ffe3aabf5e01e858c2d636974346fba624cd84fca475121d2ac71c46941edcabedaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\498C.exe

Filesize
6.7MB

MD5
60f97611d0eade73efa5e1c01c9cf1a3

SHA1
bc431ea137ced41bbf254895eb455094ccf39454

SHA256
68155dc3be0bbf2f43aa4069f834011ab812a2d9851c158f2ff3fcac897bb108

SHA512
a0b39b1a0456ed94655de64dfa85f52d71f5be71d218ba5b72543d3fa23ffe3aabf5e01e858c2d636974346fba624cd84fca475121d2ac71c46941edcabedaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\607cd18f-98c4-4c86-94ad-33f9ee772d45.tmp

Filesize
25KB

MD5
9f670566b87be47f09e3871cd67ed6d9

SHA1
8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

SHA256
d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

SHA512
6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Otfhfhweptay.exe

Filesize
1.5MB

MD5
4be03ece98dae87458118dcac2d98528

SHA1
08c65c05c85ef3c0781e24a8aebe26e1426b2ac0

SHA256
61cd01c9b49f419fc7735413f0bc75ce9f49472517d11a272d2de5a746d866ec

SHA512
972f1c71d184e7983978f332ebfd4e4b0145e5a5fda3962bb5c1b931f2269bbab6ebf5108a7661a61717f5543a101dc0851e341a7a5e35778eb3e6f6d66b573e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Otfhfhweptay.exe

Filesize
1.5MB

MD5
4be03ece98dae87458118dcac2d98528

SHA1
08c65c05c85ef3c0781e24a8aebe26e1426b2ac0

SHA256
61cd01c9b49f419fc7735413f0bc75ce9f49472517d11a272d2de5a746d866ec

SHA512
972f1c71d184e7983978f332ebfd4e4b0145e5a5fda3962bb5c1b931f2269bbab6ebf5108a7661a61717f5543a101dc0851e341a7a5e35778eb3e6f6d66b573e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Otfhfhweptay.tmp

Filesize
3.5MB

MD5
e9ff74c50c5a8c95e20cd1f03c727235

SHA1
435270cb5a26e92c06a79be4c10e58fbe9fe6641

SHA256
917a6e23940d62c55398fe59f1d39093fbb916465b84e7588f90a12013f4b49e

SHA512
6895b206a27b5988304afd392bcf3674a3812b012fb7cf5db4b30825d22d8cb5fd63bf1e7a2dafa7f17ae19484e23754254beaf7cb620f49881268dde5b2163d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct8A4A.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctD292.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
697B

MD5
16a993a13d195d20dca07319d0725671

SHA1
2642524456da144d2db89ea760fdd788461d74db

SHA256
4f17ddbb8ccc7da41e95a5f5bd1c4c7c99f7bf321cfdf67988e32591a4e375f2

SHA512
afaea880275fa137598f5bb676059966e5b3df29473ad978ae1e4e378b674d9e52cb79629a0be5399c02170306658a635d909efe8b82daa848328858d1cf0be0

Download Submit
memory/944-132-0x00000000007A8000-0x00000000007B9000-memory.dmp

Filesize
68KB

Download
memory/944-133-0x00000000021A0000-0x00000000021A9000-memory.dmp

Filesize
36KB

Download
memory/944-134-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/944-135-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2408-184-0x00000000089E0000-0x0000000008B08000-memory.dmp

Filesize
1.2MB

Download
memory/2408-189-0x00000000089E0000-0x0000000008B08000-memory.dmp

Filesize
1.2MB

Download
memory/2408-192-0x00000000089E0000-0x0000000008B08000-memory.dmp

Filesize
1.2MB

Download
memory/2704-180-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2704-179-0x0000000002400000-0x0000000002555000-memory.dmp

Filesize
1.3MB

Download
memory/2704-181-0x00000000027E0000-0x0000000002914000-memory.dmp

Filesize
1.2MB

Download
memory/2704-178-0x00000000022B2000-0x00000000023F2000-memory.dmp

Filesize
1.2MB

Download
memory/2704-176-0x00000000027E0000-0x0000000002914000-memory.dmp

Filesize
1.2MB

Download
memory/2704-175-0x00000000027E0000-0x0000000002914000-memory.dmp

Filesize
1.2MB

Download
memory/2704-174-0x00000000027E0000-0x0000000002914000-memory.dmp

Filesize
1.2MB

Download
memory/2704-170-0x00000000027E0000-0x0000000002914000-memory.dmp

Filesize
1.2MB

Download
memory/2704-182-0x00000000027E0000-0x0000000002914000-memory.dmp

Filesize
1.2MB

Download
memory/2704-183-0x00000000027E0000-0x0000000002914000-memory.dmp

Filesize
1.2MB

Download
memory/2704-190-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/2704-143-0x0000000000000000-mapping.dmp

Download
memory/3916-146-0x0000000004B20000-0x0000000005670000-memory.dmp

Filesize
11.3MB

Download
memory/3916-155-0x0000000005750000-0x0000000005890000-memory.dmp

Filesize
1.2MB

Download
memory/3916-136-0x0000000000000000-mapping.dmp

Download
memory/3916-139-0x000000000294E000-0x0000000002FC8000-memory.dmp

Filesize
6.5MB

Download
memory/3916-141-0x0000000000400000-0x0000000000CD4000-memory.dmp

Filesize
8.8MB

Download
memory/3916-140-0x0000000002FD0000-0x0000000003898000-memory.dmp

Filesize
8.8MB

Download
memory/3916-154-0x0000000005750000-0x0000000005890000-memory.dmp

Filesize
1.2MB

Download
memory/3916-188-0x0000000000400000-0x0000000000CD4000-memory.dmp

Filesize
8.8MB

Download
memory/3916-187-0x0000000004B20000-0x0000000005670000-memory.dmp

Filesize
11.3MB

Download
memory/3916-142-0x0000000000400000-0x0000000000CD4000-memory.dmp

Filesize
8.8MB

Download
memory/3916-185-0x0000000000400000-0x0000000000CD4000-memory.dmp

Filesize
8.8MB

Download
memory/3916-156-0x0000000004B20000-0x0000000005670000-memory.dmp

Filesize
11.3MB

Download
memory/3916-177-0x000000000294E000-0x0000000002FC8000-memory.dmp

Filesize
6.5MB

Download
memory/3916-151-0x0000000005750000-0x0000000005890000-memory.dmp

Filesize
1.2MB

Download
memory/3916-152-0x0000000005750000-0x0000000005890000-memory.dmp

Filesize
1.2MB

Download
memory/3916-153-0x0000000005750000-0x0000000005890000-memory.dmp

Filesize
1.2MB

Download
memory/3916-150-0x0000000005750000-0x0000000005890000-memory.dmp

Filesize
1.2MB

Download
memory/3916-148-0x0000000005750000-0x0000000005890000-memory.dmp

Filesize
1.2MB

Download
memory/3916-149-0x0000000005750000-0x0000000005890000-memory.dmp

Filesize
1.2MB

Download
memory/3916-147-0x0000000004B20000-0x0000000005670000-memory.dmp

Filesize
11.3MB

Download
memory/4764-169-0x0000000004430000-0x0000000004570000-memory.dmp

Filesize
1.2MB

Download
memory/4764-157-0x0000000000000000-mapping.dmp

Download
memory/4764-186-0x0000000003860000-0x00000000043B0000-memory.dmp

Filesize
11.3MB

Download
memory/4764-160-0x0000000004430000-0x0000000004570000-memory.dmp

Filesize
1.2MB

Download
memory/4764-168-0x0000000004430000-0x0000000004570000-memory.dmp

Filesize
1.2MB

Download
memory/4764-158-0x0000000003860000-0x00000000043B0000-memory.dmp

Filesize
11.3MB

Download
memory/4764-164-0x0000000003860000-0x00000000043B0000-memory.dmp

Filesize
11.3MB

Download
memory/4764-159-0x0000000004430000-0x0000000004570000-memory.dmp

Filesize
1.2MB

Download
memory/4764-161-0x00000000012E0000-0x0000000001D10000-memory.dmp

Filesize
10.2MB

Download