smokeloader | 0e1c1f54576e5ea6f024852228ef877537849db15a46633d77e36d8439e9609a

Analysis

max time kernel
123s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b92f9a4d53ddaa32a6a42d348744cabd.exe
Size

289KB
MD5

b92f9a4d53ddaa32a6a42d348744cabd
SHA1

d70ee7a27b5c376552c1f62d70efefc68d6d5a50
SHA256

0e1c1f54576e5ea6f024852228ef877537849db15a46633d77e36d8439e9609a
SHA512

747ffb90b0744964ed3ebc459c9b965937e68ee52c554987e7af20b7769310594c92948f4e3db849ace24fff015b8663063e9ffcf7b604b11d036a3c67685d3e
SSDEEP

3072:B52jCnuzHwEtL4O/S1NUATrBcN11F0p0alESA38ItQ5mESUem9Qj+/:3wCnu7wEtLp/MUATgv8IC/H

Score

10^/10

smokeloader up4 backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up4

Extracted

Family

smokeloader

Version

2020

http://host-file-file0.com/

http://file-file-file1.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
3160	Process not Found

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 3432	1464	b92f9a4d53ddaa32a6a42d348744cabd.exe	95

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b92f9a4d53ddaa32a6a42d348744cabd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b92f9a4d53ddaa32a6a42d348744cabd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b92f9a4d53ddaa32a6a42d348744cabd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2231940048-779848787-2990559741-1000\{D6C9ABD4-EF52-49FF-B379-EC1CDEC5FD34}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3432	b92f9a4d53ddaa32a6a42d348744cabd.exe
3432	b92f9a4d53ddaa32a6a42d348744cabd.exe
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3432	b92f9a4d53ddaa32a6a42d348744cabd.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe
Token: SeShutdownPrivilege	1504	explorer.exe
Token: SeCreatePagefilePrivilege	1504	explorer.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1816	StartMenuExperienceHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3160	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 3432	1464	b92f9a4d53ddaa32a6a42d348744cabd.exe	95
PID 1464 wrote to memory of 3432	1464	b92f9a4d53ddaa32a6a42d348744cabd.exe	95
PID 1464 wrote to memory of 3432	1464	b92f9a4d53ddaa32a6a42d348744cabd.exe	95
PID 1464 wrote to memory of 3432	1464	b92f9a4d53ddaa32a6a42d348744cabd.exe	95
PID 1464 wrote to memory of 3432	1464	b92f9a4d53ddaa32a6a42d348744cabd.exe	95
PID 1464 wrote to memory of 3432	1464	b92f9a4d53ddaa32a6a42d348744cabd.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b92f9a4d53ddaa32a6a42d348744cabd.exe
"C:\Users\Admin\AppData\Local\Temp\b92f9a4d53ddaa32a6a42d348744cabd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\b92f9a4d53ddaa32a6a42d348744cabd.exe
  "C:\Users\Admin\AppData\Local\Temp\b92f9a4d53ddaa32a6a42d348744cabd.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3432

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1656

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1000

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
eaefbc8a7aff289b5c7916717bed1f92

SHA1
e78cf69ea8805f083ddabbab29c675753ed81555

SHA256
07b7338e63a59d68f7901bb2942a11fcb97eac798efb7008f0c37622a063b70a

SHA512
e1f41b1b75e6a0651529a9046f7c9e1c8616ce62099a6515a0d60ae4c32781d483873d2fc62990f5bc7a1da8269c18455c65c2650dfaf0bbe7930d6dd478c28a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
459375181ae48139d88ffb1eb874d692

SHA1
286e66c920ef5307c9c8fe01275eb3304086bb30

SHA256
0bd342e561eff9ac069a9bd9e980131c3bc14440c60cc75c2c35f4742bd2e8f9

SHA512
e648ef0699eca4130410c9f6e6ff6a7edced31c894b5235db110d825f3d5135d051e9e1adfb59f802a00be57c15adc88279dd97fad731afce5e5369ffa6cfca0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Z7LOIA6T\microsoft.windows[1].xml

Filesize
96B

MD5
25b98f558f0ca5ad449151322b6034e1

SHA1
ce562dcce60d8dab8767a0cfafc3b0ef5458c546

SHA256
bb763557ec01c0968c2c4e8d9414c197e9b1961a697c0fd99b8da3c67133740d

SHA512
2c4bb59caa1715ab49ec45a44a5873698894fd13fe7aa84391b328014e99112d29d55da708e6d10e274937971e759159af4f429fb94cee29ba3d2211a5211275

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Z7LOIA6T\microsoft.windows[1].xml

Filesize
189B

MD5
0751037ff817aab149589294ee29c477

SHA1
48906b6daf490b5bd22866722cea357107977786

SHA256
511f0f9980833c74dd211a84e0c8bb7e5b0b270d534f442ddb3ce4ca0ea0da02

SHA512
0f929c557bdc731f54656210d47a5c7ce3b024fca0c922c1d8e47cddbda9c14b9446b177138a0d31f6e996281f208b15e935a33639302d4d1d5494d8e973d0f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\Z7LOIA6T\microsoft.windows[1].xml

Filesize
96B

MD5
25b98f558f0ca5ad449151322b6034e1

SHA1
ce562dcce60d8dab8767a0cfafc3b0ef5458c546

SHA256
bb763557ec01c0968c2c4e8d9414c197e9b1961a697c0fd99b8da3c67133740d

SHA512
2c4bb59caa1715ab49ec45a44a5873698894fd13fe7aa84391b328014e99112d29d55da708e6d10e274937971e759159af4f429fb94cee29ba3d2211a5211275

Download Submit
memory/1000-77-0x0000022E1E7D0000-0x0000022E1E7F0000-memory.dmp

Filesize
128KB

Download
memory/1000-73-0x0000022E1E360000-0x0000022E1E380000-memory.dmp

Filesize
128KB

Download
memory/1000-75-0x0000022E1E320000-0x0000022E1E340000-memory.dmp

Filesize
128KB

Download
memory/1464-1-0x0000000002AE0000-0x0000000002BE0000-memory.dmp

Filesize
1024KB

Download
memory/1464-2-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1756-65-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/2804-32-0x0000018E47460000-0x0000018E47480000-memory.dmp

Filesize
128KB

Download
memory/2804-35-0x0000018E47420000-0x0000018E47440000-memory.dmp

Filesize
128KB

Download
memory/2804-39-0x0000018E478C0000-0x0000018E478E0000-memory.dmp

Filesize
128KB

Download
memory/3160-6-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/3160-14-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3432-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3432-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3432-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3432-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3996-45-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4192-53-0x000001768B170000-0x000001768B190000-memory.dmp

Filesize
128KB

Download
memory/4192-55-0x000001768B130000-0x000001768B150000-memory.dmp

Filesize
128KB

Download
memory/4192-59-0x000001768B540000-0x000001768B560000-memory.dmp

Filesize
128KB

Download
memory/4888-25-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download