Analysis Overview
SHA256
12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb
Threat Level: Known bad
The file 12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Smokeloader family
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Executes dropped EXE
Deletes itself
Accesses Microsoft Outlook profiles
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
outlook_office_path
outlook_win_path
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 19:07
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 19:07
Reported
2024-04-04 19:09
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2872 created 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\system32\sihost.exe |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
62 further hits with no description, indicator, process or target recorded.
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
18 further hits with no description, indicator, process or target recorded.
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3472 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe |
| PID 3472 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe |
| PID 3472 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe |
| PID 3472 wrote to memory of 3628 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 3628 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 3628 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 3628 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 3784 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3472 wrote to memory of 3784 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3472 wrote to memory of 3784 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3472 wrote to memory of 1444 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 1444 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 1444 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 1444 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 2872 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 3472 wrote to memory of 4596 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 4596 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 4596 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 4596 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 4884 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3472 wrote to memory of 4884 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3472 wrote to memory of 4884 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3472 wrote to memory of 2296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 2296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 2296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 2296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 400 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 400 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 400 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 400 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 5076 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3472 wrote to memory of 5076 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3472 wrote to memory of 5076 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3472 wrote to memory of 4252 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 4252 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 4252 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3472 wrote to memory of 4252 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
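The two tables above (NtCreateUserProcessOtherParentProcess and WriteProcessMemory) describe one injection chain, but only row by row. The script below is an added example, not sandbox output and not code from either malware family: it parses the behavioral1 rows into a writer-to-target graph, finds the second-stage hop (PID 2872, the dropped 976D.exe, is itself written into by PID 3472 and then writes into dialer.exe PID 4028) and extracts the process creation with an explicitly chosen parent (sihost.exe). The repeated WriteProcessMemory rows are condensed to one tuple per writer/target pair with the row count. PID 3472 has no image in the Process column; that it is the pre-existing desktop explorer.exe the loader injected into is an assumption, not something the report states. behavioral2 has the same chain with different PIDs and is parsed identically.

```python
"""Rebuild the injection chain from the behavioral1 signature rows above.

Added example for this report; not sandbox output and not code from either
malware family. Repeated WriteProcessMemory rows are condensed to
(description, target image, row count); the NtCreateUserProcess row is
carried through unchanged.
"""
import re
from collections import Counter, defaultdict

# Constructed input: behavioral1 WriteProcessMemory rows as (description, target, rows).
WRITE_EVENTS = [
    ("PID 3472 wrote to memory of 2872", r"C:\Users\Admin\AppData\Local\Temp\976D.exe", 3),
    ("PID 3472 wrote to memory of 3628", r"C:\Windows\SysWOW64\explorer.exe", 4),
    ("PID 3472 wrote to memory of 3784", r"C:\Windows\explorer.exe", 3),
    ("PID 3472 wrote to memory of 1444", r"C:\Windows\SysWOW64\explorer.exe", 4),
    ("PID 2872 wrote to memory of 4028", r"C:\Windows\SysWOW64\dialer.exe", 5),
    ("PID 3472 wrote to memory of 4596", r"C:\Windows\SysWOW64\explorer.exe", 4),
    ("PID 3472 wrote to memory of 4884", r"C:\Windows\explorer.exe", 3),
    ("PID 3472 wrote to memory of 2296", r"C:\Windows\SysWOW64\explorer.exe", 4),
    ("PID 3472 wrote to memory of 400", r"C:\Windows\SysWOW64\explorer.exe", 4),
    ("PID 3472 wrote to memory of 5076", r"C:\Windows\explorer.exe", 3),
    ("PID 3472 wrote to memory of 4252", r"C:\Windows\SysWOW64\explorer.exe", 4),
]
# (description, creating process image, image named in the Target column)
CREATE_EVENTS = [
    ("PID 2872 created 2208", r"C:\Users\Admin\AppData\Local\Temp\976D.exe",
     r"C:\Windows\system32\sihost.exe"),
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CREATE_RE = re.compile(r"PID (\d+) created (\d+)")


def build_graph(write_events, create_events):
    """writes: writer PID -> {target PID: (target image, write rows)};
    created: [(creator PID, created PID, creator image, claimed parent image)]."""
    writes = defaultdict(dict)
    for desc, image, rows in write_events:
        m = WRITE_RE.fullmatch(desc)
        if m is None:
            raise ValueError(f"unrecognised row: {desc!r}")
        writer, target = (int(g) for g in m.groups())
        writes[writer][target] = (image, rows)
    created = []
    for desc, creator_image, parent_image in create_events:
        m = CREATE_RE.fullmatch(desc)
        if m is None:
            raise ValueError(f"unrecognised row: {desc!r}")
        creator, child = (int(g) for g in m.groups())
        created.append((creator, child, creator_image, parent_image))
    return dict(writes), created


def targets_by_image(writes, writer):
    """How many distinct processes of each image one writer touched."""
    return dict(Counter(image for image, _ in writes[writer].values()))


def second_stage_chains(writes):
    """A target that is itself a writer is a later stage: the dropped 976D.exe,
    written by 3472, goes on to write into dialer.exe."""
    chains = []
    for writer, targets in writes.items():
        for target, (image, _) in targets.items():
            for target2, (image2, _) in writes.get(target, {}).items():
                chains.append((writer, target, image, target2, image2))
    return chains


def spoofed_parents(created):
    """Creations whose parent was chosen explicitly (PPID spoofing): the child's
    recorded parent is the claimed image, not the process that created it."""
    return [(creator, child, parent_image)
            for creator, child, creator_image, parent_image in created
            if creator_image.lower() != parent_image.lower()]


if __name__ == "__main__":
    writes, created = build_graph(WRITE_EVENTS, CREATE_EVENTS)
    for writer in writes:
        print(writer, "->", targets_by_image(writes, writer))
    for chain in second_stage_chains(writes):
        print("chain:", chain)
    for creator, child, parent in spoofed_parents(created):
        print(f"PID {creator} created {child} with parent {parent}")
```

Run as-is it prints that 3472 wrote into six SysWOW64\explorer.exe instances, three C:\Windows\explorer.exe instances and the dropped EXE, that 2872 is the only second-stage writer, and that 2872's process creation named sihost.exe as parent. On a real endpoint the same shape (one writer fanning out into explorer.exe children, one child writing into a LOLBin, a creation with a mismatched parent) is what a detection should key on rather than the specific PIDs.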
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | "C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe" |
| C:\Users\Admin\AppData\Local\Temp\976D.exe | C:\Users\Admin\AppData\Local\Temp\976D.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | atillapro.com | udp |
| NL | 94.156.65.121:80 | atillapro.com | tcp |
| US | 8.8.8.8:53 | 121.65.156.94.in-addr.arpa | udp |
| NL | 94.156.65.121:80 | atillapro.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
Files
memory/2452-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3472-1-0x0000000007C30000-0x0000000007C46000-memory.dmp
memory/2452-2-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\976D.exe
| MD5 | 08e5f1243ad4970745975b27b6e2f9fa |
| SHA1 | 83b1a8939bd4e2ea5677d8742edd1a697edd196b |
| SHA256 | 05074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165 |
| SHA512 | d01f83c4c35e6049544d71037b3d8db29cf177e232839c684e2943899e7e891d0e30d996ddb0af58f760ac34dd8fc6acee7338b52b3fda5f17c892f7498d2280 |
memory/2872-15-0x0000000000400000-0x000000000048B000-memory.dmp
memory/3628-17-0x0000000001070000-0x00000000010DB000-memory.dmp
memory/3628-18-0x00000000010E0000-0x0000000001155000-memory.dmp
memory/3628-19-0x0000000001070000-0x00000000010DB000-memory.dmp
memory/3784-41-0x0000000000F90000-0x0000000000F9C000-memory.dmp
memory/3784-43-0x0000000000F90000-0x0000000000F9C000-memory.dmp
memory/3784-42-0x0000000001070000-0x00000000010DB000-memory.dmp
memory/3628-44-0x0000000001070000-0x00000000010DB000-memory.dmp
memory/2872-45-0x00000000032D0000-0x00000000036D0000-memory.dmp
memory/2872-47-0x00000000032D0000-0x00000000036D0000-memory.dmp
memory/2872-48-0x00007FFA19190000-0x00007FFA19385000-memory.dmp
memory/1444-49-0x0000000000430000-0x000000000043B000-memory.dmp
memory/2872-50-0x00000000032D0000-0x00000000036D0000-memory.dmp
memory/1444-53-0x00000000032D0000-0x00000000036D0000-memory.dmp
memory/1444-54-0x0000000000430000-0x000000000043B000-memory.dmp
memory/4028-55-0x00000000006C0000-0x00000000006C9000-memory.dmp
memory/2872-52-0x0000000075780000-0x0000000075995000-memory.dmp
memory/2872-56-0x0000000000400000-0x000000000048B000-memory.dmp
memory/4028-58-0x00000000023B0000-0x00000000027B0000-memory.dmp
memory/4028-59-0x00000000023B0000-0x00000000027B0000-memory.dmp
memory/4028-60-0x00007FFA19190000-0x00007FFA19385000-memory.dmp
memory/4028-63-0x0000000075780000-0x0000000075995000-memory.dmp
memory/4028-61-0x00000000023B0000-0x00000000027B0000-memory.dmp
memory/4596-64-0x0000000001170000-0x000000000117B000-memory.dmp
memory/4596-65-0x0000000001180000-0x0000000001187000-memory.dmp
memory/4596-66-0x0000000001170000-0x000000000117B000-memory.dmp
memory/4028-67-0x00000000023B0000-0x00000000027B0000-memory.dmp
memory/4884-68-0x0000000000DA0000-0x0000000000DAF000-memory.dmp
memory/4884-69-0x0000000000DA0000-0x0000000000DAF000-memory.dmp
memory/2296-70-0x0000000000660000-0x0000000000687000-memory.dmp
memory/2296-71-0x0000000000660000-0x0000000000687000-memory.dmp
memory/2296-73-0x0000000000DA0000-0x0000000000DAF000-memory.dmp
memory/400-75-0x0000000000590000-0x000000000059B000-memory.dmp
memory/400-76-0x0000000000660000-0x0000000000687000-memory.dmp
memory/400-77-0x0000000000590000-0x000000000059B000-memory.dmp
memory/5076-79-0x0000000000FE0000-0x0000000000FE7000-memory.dmp
memory/5076-80-0x0000000000FD0000-0x0000000000FDD000-memory.dmp
memory/5076-78-0x0000000000FD0000-0x0000000000FDD000-memory.dmp
memory/4252-81-0x0000000001080000-0x000000000108B000-memory.dmp
memory/4252-82-0x0000000000FD0000-0x0000000000FDD000-memory.dmp
memory/4252-83-0x0000000001080000-0x000000000108B000-memory.dmp
memory/4596-84-0x0000000001180000-0x0000000001187000-memory.dmp
memory/4884-85-0x0000000001170000-0x000000000117B000-memory.dmp
memory/5076-90-0x0000000000FE0000-0x0000000000FE7000-memory.dmp
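The dump list above is easier to use once it is correlated across processes: the 4 MiB region at 0x32D0000 in 976D.exe (PID 2872) is dumped again from explorer.exe PID 1444 at the same base and from dialer.exe PID 4028 at 0x23B0000, and several explorer.exe children carry identical 0xB000-byte regions. The script below is an added example, not part of the report: it parses the dump names as PID-index-start-end, collapses repeat snapshots, and lists exact ranges shared by more than one process, same-size regions at different bases, and regions above the 32-bit address range. It only notes the region at 0x7FFA19190000 in PIDs 2872 and 4028; what it contains is not stated in the report. The behavioral2 list is processed the same way.

```python
"""Correlate the behavioral1 memory dumps above across processes.

Added example, not part of the report. Dump names are parsed as
PID-index-start-end; the same exact range in two processes, or a same-size
region at a different base, marks the blobs to diff first.
"""
import re
from collections import defaultdict

# Constructed input: the 47 behavioral1 dump names, "memory/" and "-memory.dmp" stripped.
DUMPS = """
2452-0-0x0000000000400000-0x0000000000409000 3472-1-0x0000000007C30000-0x0000000007C46000
2452-2-0x0000000000400000-0x0000000000409000 2872-15-0x0000000000400000-0x000000000048B000
3628-17-0x0000000001070000-0x00000000010DB000 3628-18-0x00000000010E0000-0x0000000001155000
3628-19-0x0000000001070000-0x00000000010DB000 3784-41-0x0000000000F90000-0x0000000000F9C000
3784-43-0x0000000000F90000-0x0000000000F9C000 3784-42-0x0000000001070000-0x00000000010DB000
3628-44-0x0000000001070000-0x00000000010DB000 2872-45-0x00000000032D0000-0x00000000036D0000
2872-47-0x00000000032D0000-0x00000000036D0000 2872-48-0x00007FFA19190000-0x00007FFA19385000
1444-49-0x0000000000430000-0x000000000043B000 2872-50-0x00000000032D0000-0x00000000036D0000
1444-53-0x00000000032D0000-0x00000000036D0000 1444-54-0x0000000000430000-0x000000000043B000
4028-55-0x00000000006C0000-0x00000000006C9000 2872-52-0x0000000075780000-0x0000000075995000
2872-56-0x0000000000400000-0x000000000048B000 4028-58-0x00000000023B0000-0x00000000027B0000
4028-59-0x00000000023B0000-0x00000000027B0000 4028-60-0x00007FFA19190000-0x00007FFA19385000
4028-63-0x0000000075780000-0x0000000075995000 4028-61-0x00000000023B0000-0x00000000027B0000
4596-64-0x0000000001170000-0x000000000117B000 4596-65-0x0000000001180000-0x0000000001187000
4596-66-0x0000000001170000-0x000000000117B000 4028-67-0x00000000023B0000-0x00000000027B0000
4884-68-0x0000000000DA0000-0x0000000000DAF000 4884-69-0x0000000000DA0000-0x0000000000DAF000
2296-70-0x0000000000660000-0x0000000000687000 2296-71-0x0000000000660000-0x0000000000687000
2296-73-0x0000000000DA0000-0x0000000000DAF000 400-75-0x0000000000590000-0x000000000059B000
400-76-0x0000000000660000-0x0000000000687000 400-77-0x0000000000590000-0x000000000059B000
5076-79-0x0000000000FE0000-0x0000000000FE7000 5076-80-0x0000000000FD0000-0x0000000000FDD000
5076-78-0x0000000000FD0000-0x0000000000FDD000 4252-81-0x0000000001080000-0x000000000108B000
4252-82-0x0000000000FD0000-0x0000000000FDD000 4252-83-0x0000000001080000-0x000000000108B000
4596-84-0x0000000001180000-0x0000000001187000 4884-85-0x0000000001170000-0x000000000117B000
5076-90-0x0000000000FE0000-0x0000000000FE7000
"""

# Accepts both the bare form above and the full "memory/<pid>-<i>-0x..-0x..-memory.dmp" name.
DUMP_RE = re.compile(r"(?:memory/)?(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)(?:-memory\.dmp)?")


def parse_dumps(text):
    """-> [(pid, index, start, end)] for every dump name found in text."""
    return [(int(p), int(i), int(s, 16), int(e, 16)) for p, i, s, e in DUMP_RE.findall(text)]


def regions(dumps):
    """Distinct (start, end) -> PIDs it was dumped from; repeat snapshots collapse."""
    out = defaultdict(set)
    for pid, _, start, end in dumps:
        out[(start, end)].add(pid)
    return dict(out)


def shared_regions(dumps):
    """Exactly the same address range dumped from more than one process."""
    return {r: pids for r, pids in regions(dumps).items() if len(pids) > 1}


def by_size(dumps):
    """Region size -> PIDs holding a region of that size at any base."""
    out = defaultdict(set)
    for (start, end), pids in regions(dumps).items():
        out[end - start] |= pids
    return dict(out)


def high_regions(dumps, limit=1 << 32):
    """PIDs with a dumped region starting at or above `limit` (default 4 GiB)."""
    return {pid for pid, _, start, _ in dumps if start >= limit}


if __name__ == "__main__":
    dumps = parse_dumps(DUMPS)
    for (start, end), pids in sorted(shared_regions(dumps).items()):
        print(f"{start:#x}-{end:#x} ({end - start:#x} bytes) in PIDs {sorted(pids)}")
    print("4 MiB regions in PIDs:", sorted(by_size(dumps)[0x400000]))
    print("regions above 4 GiB in PIDs:", sorted(high_regions(dumps)))
```

The 4 MiB group (PIDs 2872, 1444, 4028) is the first thing to pull and compare byte-for-byte, since the same payload copied into the dropper, an explorer.exe and dialer.exe would explain it; the exact-match pairs between successive explorer.exe children are the next candidates.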
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 19:07
Reported
2024-04-04 19:10
Platform
win11-20240221-en
Max time kernel
162s
Max time network
159s
Command Line
Signatures
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1396 created 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\system32\sihost.exe |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
62 further hits with no description, indicator, process or target recorded.
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | N/A |
18 further hits with no description, indicator, process or target recorded.
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3160 wrote to memory of 1396 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe |
| PID 3160 wrote to memory of 1396 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe |
| PID 3160 wrote to memory of 1396 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe |
| PID 3160 wrote to memory of 2732 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 2732 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 2732 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 2732 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 1148 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3160 wrote to memory of 1148 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3160 wrote to memory of 1148 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3160 wrote to memory of 3296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 3296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 3296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 3296 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 1032 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 1032 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 1032 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 1032 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 1396 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 3160 wrote to memory of 476 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3160 wrote to memory of 476 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3160 wrote to memory of 476 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3160 wrote to memory of 4452 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 4452 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 4452 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 4452 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 5088 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 5088 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 5088 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 5088 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 1468 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3160 wrote to memory of 1468 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3160 wrote to memory of 1468 | N/A | N/A | C:\Windows\explorer.exe |
| PID 3160 wrote to memory of 3784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 3784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 3784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
| PID 3160 wrote to memory of 3784 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe | "C:\Users\Admin\AppData\Local\Temp\12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb.exe" |
| C:\Users\Admin\AppData\Local\Temp\5946.exe | C:\Users\Admin\AppData\Local\Temp\5946.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | atillapro.com | udp |
| NL | 94.156.65.121:80 | atillapro.com | tcp |
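Both Network tables (behavioral1 above and behavioral2 here) mix one real contact with DNS noise: the in-addr.arpa names are reverse (PTR) lookups with the address octets in reverse order, and only one of them, 121.65.156.94.in-addr.arpa, corresponds to an address the run actually connected to (94.156.65.121:80, resolved from atillapro.com). The script below is an added example, not part of the report: it decodes the PTR names, separates forward lookups, reverse lookups and connections, and promotes to indicators only a domain that was both resolved and connected to. The six other reversed addresses are reported as lookup-only; the report does not say what they are, so the code does not classify them.

```python
"""Separate DNS noise from the real C2 contact in the Network tables above.

Added example, not part of the report. Rows are copied from behavioral1 and
behavioral2; country, destination, domain and protocol are the report's own
columns. PTR-only addresses are reported, not classified.
"""
import ipaddress
from collections import defaultdict

# Constructed input: the twelve Network rows of behavioral1 and behavioral2.
NETWORK_ROWS = """\
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | atillapro.com | udp
NL | 94.156.65.121:80 | atillapro.com | tcp
US | 8.8.8.8:53 | 121.65.156.94.in-addr.arpa | udp
NL | 94.156.65.121:80 | atillapro.com | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp
US | 8.8.8.8:53 | atillapro.com | udp
NL | 94.156.65.121:80 | atillapro.com | tcp
"""


def parse_rows(text):
    """Country | ip:port | domain | proto -> list of dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = (c.strip() for c in line.split("|"))
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'121.65.156.94.in-addr.arpa' -> '94.156.65.121'; None for anything else."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Group rows into connections, forward lookups and reverse lookups, then
    check which reverse lookups match an address the run connected to."""
    connections = defaultdict(set)   # (ip, port, proto) -> domains
    forward, reverse = set(), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip is None:
                forward.add(r["domain"])
            else:
                reverse.add(ip)
            continue
        connections[(r["ip"], r["port"], r["proto"])].add(r["domain"])
    connected = {ip for ip, _, _ in connections}
    return {
        "connections": dict(connections),
        "forward_lookups": forward,
        "ptr_confirmed": reverse & connected,   # reverse-resolved and contacted
        "ptr_only": reverse - connected,        # looked up, never contacted
    }


def iocs(rows):
    """Domains that were resolved and then connected to, with the endpoint."""
    t = triage(rows)
    out = defaultdict(set)
    for (ip, port, proto), domains in t["connections"].items():
        for domain in domains & t["forward_lookups"]:
            out[domain].add(f"{ip}:{port}/{proto}")
    return dict(out)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print("IOCs:", iocs(rows))
    print("PTR lookups with no connection:", sorted(triage(rows)["ptr_only"]))
```

For this sample the output is a single indicator, atillapro.com at 94.156.65.121:80/tcp, plus six reverse-only addresses to check against the sandbox's own baseline before they go anywhere near a blocklist.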
Files
memory/2924-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3160-1-0x00000000024D0000-0x00000000024E6000-memory.dmp
memory/2924-2-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5946.exe
| MD5 | 08e5f1243ad4970745975b27b6e2f9fa |
| SHA1 | 83b1a8939bd4e2ea5677d8742edd1a697edd196b |
| SHA256 | 05074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165 |
| SHA512 | d01f83c4c35e6049544d71037b3d8db29cf177e232839c684e2943899e7e891d0e30d996ddb0af58f760ac34dd8fc6acee7338b52b3fda5f17c892f7498d2280 |
memory/1396-15-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2732-18-0x0000000000510000-0x000000000057B000-memory.dmp
memory/2732-19-0x0000000000510000-0x000000000057B000-memory.dmp
memory/2732-17-0x0000000000580000-0x00000000005F5000-memory.dmp
memory/1148-42-0x0000000000160000-0x0000000000167000-memory.dmp
memory/2732-43-0x0000000000510000-0x000000000057B000-memory.dmp
memory/1148-41-0x0000000000150000-0x000000000015C000-memory.dmp
memory/1148-44-0x0000000000150000-0x000000000015C000-memory.dmp
memory/3296-45-0x0000000001040000-0x000000000104A000-memory.dmp
memory/3296-46-0x0000000001030000-0x000000000103B000-memory.dmp
memory/3296-47-0x0000000001030000-0x000000000103B000-memory.dmp
memory/1396-48-0x00000000034D0000-0x00000000038D0000-memory.dmp
memory/1396-49-0x00000000034D0000-0x00000000038D0000-memory.dmp
memory/1032-51-0x0000000001270000-0x000000000127B000-memory.dmp
memory/1032-52-0x0000000001280000-0x0000000001287000-memory.dmp
memory/1396-50-0x00000000034D0000-0x00000000038D0000-memory.dmp
memory/1032-53-0x0000000001270000-0x000000000127B000-memory.dmp
memory/1396-54-0x00007FFEE14E0000-0x00007FFEE16E9000-memory.dmp
memory/1396-55-0x00000000034D0000-0x00000000038D0000-memory.dmp
memory/1396-57-0x00000000759B0000-0x0000000075C02000-memory.dmp
memory/2388-58-0x0000000000E80000-0x0000000000E89000-memory.dmp
memory/1396-60-0x0000000000400000-0x000000000048B000-memory.dmp
memory/476-62-0x00000000001E0000-0x00000000001EF000-memory.dmp
memory/2388-61-0x00007FFEE14E0000-0x00007FFEE16E9000-memory.dmp
memory/2388-64-0x0000000002E90000-0x0000000003290000-memory.dmp
memory/476-65-0x0000000002E90000-0x0000000003290000-memory.dmp
memory/476-67-0x00000000001E0000-0x00000000001EF000-memory.dmp
memory/2388-63-0x0000000002E90000-0x0000000003290000-memory.dmp
memory/2388-69-0x00007FFEE14E0000-0x00007FFEE16E9000-memory.dmp
memory/2388-71-0x0000000002E90000-0x0000000003290000-memory.dmp
memory/2388-70-0x00000000759B0000-0x0000000075C02000-memory.dmp
memory/4452-73-0x0000000000600000-0x0000000000621000-memory.dmp
memory/4452-74-0x00000000003C0000-0x00000000003E7000-memory.dmp
memory/4452-72-0x00000000003C0000-0x00000000003E7000-memory.dmp
memory/2388-76-0x0000000002E90000-0x0000000003290000-memory.dmp
memory/2388-77-0x00007FFEE14E0000-0x00007FFEE16E9000-memory.dmp
memory/5088-80-0x0000000000530000-0x000000000053B000-memory.dmp
memory/5088-79-0x0000000000540000-0x0000000000546000-memory.dmp
memory/1468-81-0x0000000000100000-0x000000000010D000-memory.dmp
memory/1468-82-0x0000000000100000-0x000000000010D000-memory.dmp
memory/3784-83-0x0000000000870000-0x000000000087B000-memory.dmp
memory/1032-84-0x0000000001280000-0x0000000001287000-memory.dmp
memory/3784-85-0x0000000000100000-0x000000000010D000-memory.dmp
memory/3784-86-0x0000000000870000-0x000000000087B000-memory.dmp
memory/476-87-0x0000000002E90000-0x0000000003290000-memory.dmp
memory/5088-88-0x0000000000530000-0x000000000053B000-memory.dmp
memory/1468-89-0x0000000000530000-0x000000000053B000-memory.dmp
memory/3784-90-0x0000000000100000-0x000000000010D000-memory.dmp