Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2023, 01:09
Static task: static1
Behavioral task: behavioral1
  Sample: d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe
  Resource: win10v2004-20230915-en
General
Target: d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe
Size: 239KB
MD5: 25583a13f8e47e6775ffefc2897d9176
SHA1: dacb21dd53eabc6af67460d6b405f68fcfb1f4d2
SHA256: d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8
SHA512: 377596f0ff6192d58b3e000b45dc0b709a11ce3717552fc78db143e18fc19683de0f3503e1ad0e3d040777bce683adf0b9d8e8cf11be606571c907d1c8688d40
SSDEEP: 6144:xJ46fuYXChoQTjlFgLuCY1dRuAOLJ8Sw8y0:x+YzXChdTbv1bu/pw8y
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2: http://77.91.68.29/fks/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Executes dropped EXE (1 IoCs)
  pid   Process
  5476  sfciaft
- Suspicious use of SetThreadContext (1 IoCs)
  description                         pid  Process                                                                   procid_target
  PID 944 set thread context of 4376  944  d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe  87
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  4656  944         WerFault.exe  84
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, count in last column)
  pid   Process            count
  4376  AppLaunch.exe      2
  3160  Process not Found  62
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  3160  Process not Found
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  4376  AppLaunch.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs; identical rows collapsed)
  pid  Process     count
  460  msedge.exe  7
- Suspicious use of AdjustPrivilegeToken (15 IoCs; identical rows collapsed)
  description                       pid   Process            count
  Token: SeShutdownPrivilege        3160  Process not Found  7
  Token: SeCreatePagefilePrivilege  3160  Process not Found  7
  Token: SeManageVolumePrivilege    1484  svchost.exe        1
- Suspicious use of FindShellTrayWindow (25 IoCs; identical rows collapsed)
  pid  Process     count
  460  msedge.exe  25
- Suspicious use of SendNotifyMessage (24 IoCs; identical rows collapsed)
  pid  Process     count
  460  msedge.exe  24
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in last column)
  description                       pid   Process                                                                   procid_target  count
  PID 944 wrote to memory of 4376   944   d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe  87             6
  PID 3160 wrote to memory of 3568  3160  Process not Found                                                         105            2
  PID 3568 wrote to memory of 636   3568  cmd.exe                                                                   107            2
  PID 3568 wrote to memory of 460   3568  cmd.exe                                                                   110            2
  PID 636 wrote to memory of 1444   636   msedge.exe                                                                109            2
  PID 460 wrote to memory of 4116   460   msedge.exe                                                                111            2
  PID 460 wrote to memory of 4124   460   msedge.exe                                                                112            40
  PID 460 wrote to memory of 1164   460   msedge.exe                                                                113            2
  PID 460 wrote to memory of 3856   460   msedge.exe                                                                114            6
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth in the process tree)
C:\Users\Admin\AppData\Local\Temp\d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe  (PID 944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d1be7f5d28a5c648ead43ea2cccc6221251f638457879502560a3c9b62f7fee8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4376)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\WerFault.exe  (PID 4656)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 256
      - Program crash
C:\Windows\SysWOW64\WerFault.exe  (PID 3584)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 944 -ip 944
C:\Windows\system32\cmd.exe  (PID 3568)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7049.bat" "
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 636)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1444)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ff9bbc546f8,0x7ff9bbc54708,0x7ff9bbc54718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2644)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14943220744041461370,3737774839832421798,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4368)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14943220744041461370,3737774839832421798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 460)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4116)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9bbc546f8,0x7ff9bbc54708,0x7ff9bbc54718
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4124)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1164)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3856)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3740)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4212)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4900)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 5572)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 5592)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5692)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5684)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5876)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5884)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2211665269946491660,275319035400445446,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe  (PID 2504)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe  (PID 2768)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Roaming\sfciaft  (PID 5476)
  Command line: C:\Users\Admin\AppData\Roaming\sfciaft
  - Executes dropped EXE
C:\Windows\system32\rundll32.exe  (PID 5392)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe  (PID 1484)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads