smokeloader | 740ea75a107ba0d8245192a1f0906b206cf797f9e11fcd815dfed1a86798797c

Analysis

max time kernel
365s
max time network
1085s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

793a58e683a54d24d3c6bae96df29d65.html
Size

8KB
MD5

e0b75bc23482fdc078b4dd694c49c4bb
SHA1

c9503d1020a26d6ccbf0da9bf2f86d5ba034d347
SHA256

dd51d6eeee76165192540548e2ac8fef08870afae3cc73c50b3687f8f8242f5f
SHA512

0da5ed0187fb01027471cb0b07aaaac75e4c3964e64c50e09d398dc8a74e0ba75b8cef3f30949c082319f8546f455d0232ed05a99d4213ff4928502c37adb918
SSDEEP

96:tS9qSotSBnHZ9R2va5keK3MbIxaopFztWDnOLnA/:twot8nHTUgahWD6M

Score

10^/10

smokeloader backdoor discovery trojan

Malware Config

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
2828	Transaction_ref_08252024_jpg.scr
1620	Transaction_ref_08252024_jpg.scr
996	Transaction_ref_08252024_jpg.scr
2816	Transaction_ref_08252024_jpg.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com
13	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 1620	2828	Transaction_ref_08252024_jpg.scr	52
PID 996 set thread context of 2816	996	Transaction_ref_08252024_jpg.scr	58

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transaction_ref_08252024_jpg.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transaction_ref_08252024_jpg.scr

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeRestorePrivilege	1328	7zG.exe
Token: 35	1328	7zG.exe
Token: SeSecurityPrivilege	1328	7zG.exe
Token: SeSecurityPrivilege	1328	7zG.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
1328	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2716	624	chrome.exe	30
PID 624 wrote to memory of 2716	624	chrome.exe	30
PID 624 wrote to memory of 2716	624	chrome.exe	30
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2356	624	chrome.exe	32
PID 624 wrote to memory of 2204	624	chrome.exe	33
PID 624 wrote to memory of 2204	624	chrome.exe	33
PID 624 wrote to memory of 2204	624	chrome.exe	33
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34
PID 624 wrote to memory of 2640	624	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\793a58e683a54d24d3c6bae96df29d65.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7449758,0x7fef7449768,0x7fef7449778
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:2
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2196 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1300 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:2
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2992 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:8
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3116 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3756 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3020 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1936 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4156 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3736 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4312 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3296 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3812 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4448 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1288,i,6816314811145120006,4000632250832437166,131072 /prefetch:8
  2⤵
  PID:2688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2104

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\" -spe -an -ai#7zMap7972:118:7zEvent20879
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1328

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
1⤵
PID:2388

C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\Transaction_ref_08252024_jpg.scr
"C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\Transaction_ref_08252024_jpg.scr" /S
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2828
- C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\Transaction_ref_08252024_jpg.scr
  "C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\Transaction_ref_08252024_jpg.scr"
  2⤵
  - Executes dropped EXE
  PID:1620

C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\Transaction_ref_08252024_jpg.scr
"C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\Transaction_ref_08252024_jpg.scr" /S
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:996
- C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\Transaction_ref_08252024_jpg.scr
  "C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\Transaction_ref_08252024_jpg.scr"
  2⤵
  - Executes dropped EXE
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a85031fa028db75ac7252a7171dc8d8

SHA1
f732f4e8c8827646ac88c36e42b36560bb7b7609

SHA256
82235d1b8062fd9eeee16fabf8871e623150ec058d34db670f6f60448ff8eb19

SHA512
381b9302c4292d1282a3f9f07064e958f7c4d0e9b460c256f419b312ae8f9bed3097bef92c1527a811b675d79a6a7a86daf1f3d8a709ee8d80d9c4d8c7a8a961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2d880669-231d-422a-82a9-89cfbac6cac4.tmp

Filesize
321KB

MD5
d340128635739a9b99664e7b0738883e

SHA1
f91f761646847da6cf5fa3da3f88941333f94108

SHA256
3573bf5b5e17ef1861764784c259bdcd19f17c1330dab3e6340c151e16011f0c

SHA512
e051b12d019f04860e179b151893595de91835a322c8575f3ebae46b61707d948230bf523fc3a0d8f7917311f02644fb790e48c3026ea62bae564c2dd7fa2287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\ee39fcba-91d0-4b9b-b28c-6081550db7c4.dmp

Filesize
1.6MB

MD5
ef823c54bc9162cb953c930914d97399

SHA1
ad56fcba1d92c2a8386b848eee935ef73aaf1043

SHA256
f31bcfffa219c32adc49df2884d5fd086a14fba8a80882a809b2a5b7f8a8a902

SHA512
1f172860e31c7d24f448a149fc96f464e16a3d5dcd9e5cf19bc78bfdadadfa4ea915a4c4341f03415ce66d74c9bffa5ad05f30a84b25927da734658224f1637d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ef6a2a508bb9cd255eaf22da187554e8

SHA1
c2d5c218e301d10427e31b4fa6029e3c9d80c590

SHA256
f119f6f4f35802d8a037d2e5ba72449b547a19ee4c947427767fe476b7ee5cb6

SHA512
2710f2e0db5399a1d17e6178ca97bb1c2ff57a755d733dc09cdf7e380a2964bbdb4799540a9fac86bfa80bc5a2db4a33acf73e104ceb67367c768e8ffc4d6cd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
34d8b34019ac5ba06bbc55c415bab200

SHA1
45e0a7f33843a30add3e1ac98e1a76e67a4cd1dd

SHA256
a88d0cb7841b4dd2a7d07aadd43daad5c3645b79a152ebd3ed5f1de896922624

SHA512
c49ac15753897489d96bc759618b2fe1f748102a78e9f791cd88b4a4ccf32f06200eba8dcf67660496db0aa8b8bbc2aad223fd95af8d1a96ca5e5efc1173f35d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ca65787710953912e440195314bc7a60

SHA1
ded2812fe7ce4013a9f75468555065b47abb99f2

SHA256
9b909134025b072512561a69785aa622bfe8d4e0f3e6c28638f949c11b3778cf

SHA512
22df5f7c0130ef21d544546777a02bc91d3ed6e94951d20984a7930400b7983085033718f8e7cbd1b56a87b042c78ca375cadaeebde1131c0077445e667bfd3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
297f2bf3992457181d23b602c1ded513

SHA1
ecbdee1c27e376ec0275f224a002d50861d171f7

SHA256
cf195808c379c59d7b980a8817a4826e54c4f7d755c0b500ec9c759cedb94b5a

SHA512
a3d98e720978cc759edf8c9cca81586c72bedb5c13aff3b030cb41697a72996bfdf96885b158cfae4012ca830dd33a8e4cf2102826400132cb6cf4f44341f86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b0b7c4f479631c34ddec5f627d3c6443

SHA1
37adc5dbbb9fbb21713cda0e9787331e19b28a55

SHA256
732c4bc9cd9e0d9fdd520b49e21fd243d345b8c10dc4097dafc1b04320bc1507

SHA512
6d7de7dcc0d1b5bd33effd82d97aa8dafe0205eac93c7c3c76c36b3c26d84fb30bdc4fc713dadfef8f7a11c6cc17368036b18f7b792396a04ebdc7f4ef5158ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
6fc87ad478ddcf1243ae0b9b9b8ce9ec

SHA1
66d73e4ad408770d5db57c014dbd8117cbe3823a

SHA256
f14d5a236f3fca5004331f706f07acdf0dde66b0177be35e54cde341876c2850

SHA512
13b4726763cbf2e76ea7845dbc1b5202f1add1188f531c8de5308da0c973fba370e683153babbce3037c9837413cb39539b350c37808416e4fa13db6e1faa779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
d992b629beb54e212c897fd729b83094

SHA1
fb49161c22085350e06632fbdc36947312305fca

SHA256
d049a52720e0475e643351fc7067727eb1836d0291c561b7ecfbc643aa7b6235

SHA512
58b7f25ddaf983c4e4fb6cfda3b5576d4762026ec0d3715cb51e5bd7f8b05207f9896b7319d3f0777fd7f34cdb2282501a5c80d7cd7818ee1bc4ecbc24822bdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6d82f6a6dfae04615a1a04bf3b599e94

SHA1
53b95a0e63dc5b0862b9f93cd2a6aaf8a0f34746

SHA256
61bd94d6dbb2d7c38195e85961ee5ba429dae72e5cd8cacb470537ea06d8afa3

SHA512
e5837da54e74dba5fcc562381b8511dfaf9ceedab1ab1424f08c31d4078a0a2ad8317259e3c5a369e6a8fe1f6f37636a5c10b64d4945b699776833184357f3cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
569c3d0067a934c14662a73692be658b

SHA1
e3556c1344c7b7e9b7b26369976ffcbb1d73f21b

SHA256
6b05f65d5a6dd926e4c334c7ae92d5d52fa18ee5687ff47b5d4548c1a1cd83d0

SHA512
fa8ff49f3434591dca5077a6681dd9dad86c1fc728a2b2b619d46f74b09dfe6f24726c3bb19a1420ea7d068e3c3bdbe1a8f22d0d27fc22f8f70558c4a8567d28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b6615b65e5b12fd4858675ef1e94e71e

SHA1
db694fa17a4e719729d0abb0822665ce3b0653b8

SHA256
abad61c2231ec39299c244abf70d418edb93618a4dcf901edea2e85cad992d1d

SHA512
40329aae7bbb6910f92e9896d7b7b1705504fbb01947dcf225c09f3bee59ba0202b48a4e9eed575bc70fc4be1ec993ed07d46df9d7465e837778b4024e426a51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8a58906242bed7ab3db071c435835ee1

SHA1
a8a1a20fa829736432d8eea0e07adfc6f81dcbd3

SHA256
47108e4c05498b4515d6d88d5cefaee7e2443ea2fd4ecc4e1775f957ba8b1d4b

SHA512
be51a1ebf438a71177e85b6c29d0ab86f5b4a21efc9a68d70401c8dbfa665719707e60281dd5cfd30ffdb8f3a72d4d69a2c05ca678a90a37492479cf3cd68af6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
52ba71bf5921600e04e4150e9a7fd5a8

SHA1
2098986ce0de85f91c90db0e9427b55aa4f15856

SHA256
f085a428ecddcb9281d28659cbe865cc782320b0fe7dc2d4525e3625296ade74

SHA512
a72f5b14f7e7dc2fd963826e43d1b8f8928f8932408bf44f504f6d360cb4ded1eac947389f8f629af6649aafe1c43811e25117f3c7f73475f7514cdfa01330ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf7906f3.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
319KB

MD5
ea34e0fa4fdbb75b701d1c519772beba

SHA1
b9d8100a4bc2dc8d79437993f543a4de1303239a

SHA256
111e61d9f6ddae85b9e95e0176b540ab9539667f380939c2cb02e6dd2c2feb26

SHA512
e5ea9cda3efb08024a8d8403fd26f4c0db0763f833cac6cd84e1a495e5870929f4ee7746c59f8fd5daf054e14cdc373a70d385bb2efcfc954a710a094cec80fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
bf30929c54348fa50e38dbab60df5dba

SHA1
f23b95a0c061d77cfd2604c30429e31973fd5b4a

SHA256
149a5556762f2064ada5b6685705da7f01a9749907c7e9b6f2a04bef6be9c970

SHA512
dd4b553e1fd07c9f84bdf0035c8b2b08cfd62ccfa9a531b89834c8ae45a794605ad75f3e4b1f3b3959b7b9e0c1ac76a331a42c90f97e83b22a74a4fa1774c625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
319KB

MD5
4cb5aa0fc6d2c30cf8d30f63eaadddda

SHA1
bd534ccdb0229fd948e2f080b1a2907f423be81b

SHA256
29744f2072c0b641a8a89245c270f21c1a3f7e81cdbd62ab5b60742942570856

SHA512
5b1aea4c7bfc26749afeee654436fc8c8b02398ab23153663d8a1cb737e3dc4390a9dc35af606ee003d7231bba3adfdf57a60c6a9bcdd17870a15652a9ed27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6357.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar63D7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg.zip

Filesize
413KB

MD5
5755ac152d850988c03a36cc4352c633

SHA1
9a86c5d8ff21405bcbd0ddb1c1ab7771ead3511c

SHA256
49a1f5b53c52a2c9c101daf4882f46463b0aefa29ea0603fcac5105d494ced15

SHA512
196da2891e1c5da08ef96f322c1d03858f26c1f80362badaf894fad611dbd57c7c39cc2929fb4e234c60a2d211c7855f78a46e5e0741f857fed040b60c2ffe11

Download Submit
C:\Users\Admin\Downloads\Transaction_ref_08252024_jpg\Transaction_ref_08252024_jpg.scr

Filesize
469KB

MD5
793a58e683a54d24d3c6bae96df29d65

SHA1
09e7bdc6a52fa3290fa7e9ee0471c0d1e445a2ce

SHA256
80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce

SHA512
f9d6a7d6bdcdfcc3507c55de2e2273e8681f5e8002cffd543bd664064c7e96c35137323f21a742bb00a6cadfc66e06084ddab3ba68207e97cbfa55fc7ec83e42

Download Submit
memory/996-239-0x0000000000BA0000-0x0000000000C1C000-memory.dmp

Filesize
496KB

Download
memory/1620-225-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1620-227-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1620-223-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1620-229-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1620-224-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2816-327-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-222-0x00000000020C0000-0x0000000002112000-memory.dmp

Filesize
328KB

Download
memory/2828-221-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2828-217-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-216-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/2828-215-0x00000000004F0000-0x000000000050A000-memory.dmp

Filesize
104KB

Download
memory/2828-214-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-213-0x0000000000970000-0x00000000009EC000-memory.dmp

Filesize
496KB

Download
memory/2828-212-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/2828-230-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download