smokeloader | addfb046313926c0cfb9e4293f76c408d8e6798e129f1a1043835088c54aa69b

Analysis

max time kernel
59s
max time network
60s
platform
windows10_x64
resource
win10v20201028
submitted
31-03-2021 13:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

1efa56669738d9ef717aae854188495d.exe
Size

175KB
MD5

1efa56669738d9ef717aae854188495d
SHA1

3ff0cbdc4ec92da762c909fa42c23fcd6ff5519c
SHA256

addfb046313926c0cfb9e4293f76c408d8e6798e129f1a1043835088c54aa69b
SHA512

291ec99476a3d35d6f4d862b8f7e1380cb6cc49f4c5725befe53888d38e77b346e849aace9685e0d233b53ac2b4f8e5f4943976dc4295f2385b6d080c9eb984a

Score

10^/10

smokeloader tofsee vidar backdoor bootkit discovery evasion persistence spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3612 created 60 3612 WerFault.exe 5.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Creates new service(s) 1 TTPs
persistence

New Service
T1050

description	pid	process	target process
PID 3612 created 60	3612	WerFault.exe	5.exe

Executes dropped EXE 11 IoCs

Processes:

1D2D.exe1D2D.exe2A7D.exeupdatewin1.exeupdatewin2.exeupdatewin.exe5.exe3C21.exe3F7E.exefhalsaoe.exe6B23.exe

pid	process
1984	1D2D.exe
3696	1D2D.exe
2296	2A7D.exe
3860	updatewin1.exe
4060	updatewin2.exe
3176	updatewin.exe
60	5.exe
188	3C21.exe
1772	3F7E.exe
4068	fhalsaoe.exe
204	6B23.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

pid process

2868
Loads dropped DLL 3 IoCs

Processes:

1efa56669738d9ef717aae854188495d.exe2A7D.exe

pid process

880 1efa56669738d9ef717aae854188495d.exe
2296 2A7D.exe
2296 2A7D.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3448 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2868

pid	process
3448	icacls.exe

themida 2 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6B23.exe	themida
behavioral2/memory/204-94-0x0000000000400000-0x0000000000A5C000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1D2D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a2bfb427-ec5b-42e6-b2d9-e25471fc9aa5\\1D2D.exe\" --AutoStart"	1D2D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 api.2ip.ua
32 api.2ip.ua
44 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

3F7E.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 3F7E.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6B23.exe

pid process

204 6B23.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

fhalsaoe.exe

description pid process target process

PID 4068 set thread context of 2720 4068 fhalsaoe.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3612 60 WerFault.exe 5.exe

flow	ioc
31	api.2ip.ua
32	api.2ip.ua
44	api.2ip.ua

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	3F7E.exe

pid	process
204	6B23.exe

description	pid	process	target process
PID 4068 set thread context of 2720	4068	fhalsaoe.exe	svchost.exe

pid	pid_target	process	target process
3612	60	WerFault.exe	5.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1efa56669738d9ef717aae854188495d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1efa56669738d9ef717aae854188495d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1efa56669738d9ef717aae854188495d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1efa56669738d9ef717aae854188495d.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2A7D.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2A7D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2A7D.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3856 timeout.exe
768 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1700 taskkill.exe

pid	process
3856	timeout.exe
768	timeout.exe

pid	process
1700	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1D2D.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1D2D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1D2D.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1efa56669738d9ef717aae854188495d.exe

pid	process
880	1efa56669738d9ef717aae854188495d.exe
880	1efa56669738d9ef717aae854188495d.exe
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868
2868

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1efa56669738d9ef717aae854188495d.exe

pid process

880 1efa56669738d9ef717aae854188495d.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

WerFault.exetaskkill.exe3F7E.exe

description	pid	process
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeRestorePrivilege	3612	WerFault.exe
Token: SeBackupPrivilege	3612	WerFault.exe
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeDebugPrivilege	3612	WerFault.exe
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeShutdownPrivilege	1772	3F7E.exe
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868
Token: SeShutdownPrivilege	2868
Token: SeCreatePagefilePrivilege	2868

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1D2D.exe1D2D.exeupdatewin.exe3C21.execmd.exe2A7D.execmd.exefhalsaoe.exe

description	pid	process	target process
PID 2868 wrote to memory of 1984	2868		1D2D.exe
PID 2868 wrote to memory of 1984	2868		1D2D.exe
PID 2868 wrote to memory of 1984	2868		1D2D.exe
PID 1984 wrote to memory of 3448	1984	1D2D.exe	icacls.exe
PID 1984 wrote to memory of 3448	1984	1D2D.exe	icacls.exe
PID 1984 wrote to memory of 3448	1984	1D2D.exe	icacls.exe
PID 1984 wrote to memory of 3696	1984	1D2D.exe	1D2D.exe
PID 1984 wrote to memory of 3696	1984	1D2D.exe	1D2D.exe
PID 1984 wrote to memory of 3696	1984	1D2D.exe	1D2D.exe
PID 2868 wrote to memory of 2296	2868		2A7D.exe
PID 2868 wrote to memory of 2296	2868		2A7D.exe
PID 2868 wrote to memory of 2296	2868		2A7D.exe
PID 3696 wrote to memory of 3860	3696	1D2D.exe	updatewin1.exe
PID 3696 wrote to memory of 3860	3696	1D2D.exe	updatewin1.exe
PID 3696 wrote to memory of 3860	3696	1D2D.exe	updatewin1.exe
PID 3696 wrote to memory of 4060	3696	1D2D.exe	updatewin2.exe
PID 3696 wrote to memory of 4060	3696	1D2D.exe	updatewin2.exe
PID 3696 wrote to memory of 4060	3696	1D2D.exe	updatewin2.exe
PID 3696 wrote to memory of 3176	3696	1D2D.exe	updatewin.exe
PID 3696 wrote to memory of 3176	3696	1D2D.exe	updatewin.exe
PID 3696 wrote to memory of 3176	3696	1D2D.exe	updatewin.exe
PID 3696 wrote to memory of 60	3696	1D2D.exe	5.exe
PID 3696 wrote to memory of 60	3696	1D2D.exe	5.exe
PID 3696 wrote to memory of 60	3696	1D2D.exe	5.exe
PID 2868 wrote to memory of 188	2868		3C21.exe
PID 2868 wrote to memory of 188	2868		3C21.exe
PID 2868 wrote to memory of 188	2868		3C21.exe
PID 2868 wrote to memory of 1772	2868		3F7E.exe
PID 2868 wrote to memory of 1772	2868		3F7E.exe
PID 2868 wrote to memory of 1772	2868		3F7E.exe
PID 3176 wrote to memory of 3564	3176	updatewin.exe	cmd.exe
PID 3176 wrote to memory of 3564	3176	updatewin.exe	cmd.exe
PID 3176 wrote to memory of 3564	3176	updatewin.exe	cmd.exe
PID 188 wrote to memory of 2292	188	3C21.exe	cmd.exe
PID 188 wrote to memory of 2292	188	3C21.exe	cmd.exe
PID 188 wrote to memory of 2292	188	3C21.exe	cmd.exe
PID 3564 wrote to memory of 3856	3564	cmd.exe	timeout.exe
PID 3564 wrote to memory of 3856	3564	cmd.exe	timeout.exe
PID 3564 wrote to memory of 3856	3564	cmd.exe	timeout.exe
PID 188 wrote to memory of 576	188	3C21.exe	cmd.exe
PID 188 wrote to memory of 576	188	3C21.exe	cmd.exe
PID 188 wrote to memory of 576	188	3C21.exe	cmd.exe
PID 188 wrote to memory of 1392	188	3C21.exe	sc.exe
PID 188 wrote to memory of 1392	188	3C21.exe	sc.exe
PID 188 wrote to memory of 1392	188	3C21.exe	sc.exe
PID 188 wrote to memory of 3152	188	3C21.exe	sc.exe
PID 188 wrote to memory of 3152	188	3C21.exe	sc.exe
PID 188 wrote to memory of 3152	188	3C21.exe	sc.exe
PID 188 wrote to memory of 3916	188	3C21.exe	sc.exe
PID 188 wrote to memory of 3916	188	3C21.exe	sc.exe
PID 188 wrote to memory of 3916	188	3C21.exe	sc.exe
PID 2296 wrote to memory of 1228	2296	2A7D.exe	cmd.exe
PID 2296 wrote to memory of 1228	2296	2A7D.exe	cmd.exe
PID 2296 wrote to memory of 1228	2296	2A7D.exe	cmd.exe
PID 188 wrote to memory of 3580	188	3C21.exe	netsh.exe
PID 188 wrote to memory of 3580	188	3C21.exe	netsh.exe
PID 188 wrote to memory of 3580	188	3C21.exe	netsh.exe
PID 1228 wrote to memory of 1700	1228	cmd.exe	taskkill.exe
PID 1228 wrote to memory of 1700	1228	cmd.exe	taskkill.exe
PID 1228 wrote to memory of 1700	1228	cmd.exe	taskkill.exe
PID 4068 wrote to memory of 2720	4068	fhalsaoe.exe	svchost.exe
PID 4068 wrote to memory of 2720	4068	fhalsaoe.exe	svchost.exe
PID 4068 wrote to memory of 2720	4068	fhalsaoe.exe	svchost.exe
PID 4068 wrote to memory of 2720	4068	fhalsaoe.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1efa56669738d9ef717aae854188495d.exe
"C:\Users\Admin\AppData\Local\Temp\1efa56669738d9ef717aae854188495d.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:880

C:\Users\Admin\AppData\Local\Temp\1D2D.exe
C:\Users\Admin\AppData\Local\Temp\1D2D.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a2bfb427-ec5b-42e6-b2d9-e25471fc9aa5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:3448

C:\Users\Admin\AppData\Local\Temp\1D2D.exe
"C:\Users\Admin\AppData\Local\Temp\1D2D.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin1.exe
"C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin1.exe"
3⤵
- Executes dropped EXE
PID:3860

C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin2.exe
"C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin2.exe"
3⤵
- Executes dropped EXE
PID:4060

C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin.exe
"C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3856

C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\5.exe
"C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\5.exe"
3⤵
- Executes dropped EXE
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 760
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Users\Admin\AppData\Local\Temp\2A7D.exe
C:\Users\Admin\AppData\Local\Temp\2A7D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 2A7D.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2A7D.exe" & del C:\ProgramData\*.dll & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 2A7D.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:768

C:\Users\Admin\AppData\Local\Temp\3C21.exe
C:\Users\Admin\AppData\Local\Temp\3C21.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xwxqcmek\
2⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fhalsaoe.exe" C:\Windows\SysWOW64\xwxqcmek\
2⤵
PID:576

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create xwxqcmek binPath= "C:\Windows\SysWOW64\xwxqcmek\fhalsaoe.exe /d\"C:\Users\Admin\AppData\Local\Temp\3C21.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:1392

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description xwxqcmek "wifi internet conection"
2⤵
PID:3152

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start xwxqcmek
2⤵
PID:3916

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\3F7E.exe
C:\Users\Admin\AppData\Local\Temp\3F7E.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\xwxqcmek\fhalsaoe.exe
C:\Windows\SysWOW64\xwxqcmek\fhalsaoe.exe /d"C:\Users\Admin\AppData\Local\Temp\3C21.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\6B23.exe
C:\Users\Admin\AppData\Local\Temp\6B23.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
0936d19232cfcdafbced53ad410a7302

SHA1
7ecf78bc4b20f07d1b4e37d3b6d23276d559b18a

SHA256
9046bb77872ac1e6d8b9a6af797f1fdd5cac5b833de440cbd285f396938c54fa

SHA512
642215bbc005909a0a4ff3e1cfd9fb3017838e7a6bdf03c5716e980b59d46a793fd24d63ce8e27867d58daa644112e53e63fac7f671ee6f3a9b28bbde805805c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
9c381e1c05936ad539bc8d0fe34981c3

SHA1
cff61eb4121208e3fc90e0ae7cc605fc44e65ab9

SHA256
bde1d8daaa1cb82ecab9742c4e06ae955070fb10be6689f5f177efe3496d32e3

SHA512
bdc49a8fd3318658de368d640198e91a07dac3365fd1a6eff2265b1d909fb5a32d398b4fa94a6d8dd04876980b138217f15a579d1b47df0820f58ee4db295d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
67dd510c04deca4a2f9073df392119cd

SHA1
4167d9f7e9c61c4684c58a01aab1a2d7dd8c5418

SHA256
057a9df58f855a0c52a70d3983bacd4d69e60010daf03c6b731dc96d025fa07f

SHA512
913a1d15c2dd4154ac52f2fe43ee6010bdbaa0cd9a409262ce8281d152159b463eeb186a3467653a38c3cea74d3e2f194886abe19e1bff45534f90c6b83b7eb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
9db930a554a2b7674dc77fd015076097

SHA1
fe9ddfc8a1bcf94e128f5dbcab4a3d2c817e6a7a

SHA256
1444b7c4fd5ea3ad571b100f8a2ca3fd418d6ea028d9f4f631ff1c949f7a02ce

SHA512
bb32e0c6a6b6fbbe6053f118ccc95a60424afc595dda63c937c4d1720ff09fb6bdb13c1e672e8836427760828b788e789c6a29a605784ccf6ecbaf18c5e9c7f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
6c493806deace183de750bdc2c934b33

SHA1
693541e6a2617c93e792f05b38a5a908b3273d8b

SHA256
3d910981ee2ea205ffb7f30eb359c75bb23b61c40d1c60412123ab1f4fd6be70

SHA512
837329961fee9f721a3e6324c0363e40c0184fea45099e9778c19dc0db253304d096d5f3fedcd52193248bcfbf40e802d13df1fb7a2822b7a9734d71ff55e831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
bced263313d12885b64bf25252cc3d05

SHA1
59f028b44e7f243562e90c5471d36cde46740ea9

SHA256
3601e462c20b7a4003cbdc91db32ec6ef0846c88b8f89223d0949445179be240

SHA512
80622f44e1f0dbcfe17a0d93e4f9530db7257f519878ce7745c2b553f8573467f53c03b0186b5c4119c0e3b4865dcf92d6e986afcf43171f536fcf4fbb1ef025

Download Submit
C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\9f029eab-f409-490a-9b36-65d82e81bdc7\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JTUQ9QG4.cookie
MD5
f948c8e8e134df1bef8241e8b9759a99

SHA1
00914229f8def488c0fa72bc42a14cc2a4c79866

SHA256
c92010bef32d71305f567f3576a5982024dd9492065f691952ec8628576b26f1

SHA512
d0981facedeb4893acc265e867b30b51cc00f26939d4cd0466357c67f46ecf5ddf99368f6409ceaa9842f4f1f47fb9aa9a7d9a4e1694fb88908f69a8e7e65e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D2D.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D2D.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D2D.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A7D.exe
MD5
4328b263719a51a40732349a08ba3bb6

SHA1
904bd397a12c124af4a24021c6a21060955c79a3

SHA256
a351c1d494a1060fc9cd1c914bb846d87318181202c4f9c06c6931a73c933522

SHA512
75a6cdea5867875cab4c8c446c950805ab643a81d5acba6e2fc459f2859f7606690a7f19b00fb4ab22ece57236bbeaaf83295901a1807eba1881c7342f298107

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A7D.exe
MD5
4328b263719a51a40732349a08ba3bb6

SHA1
904bd397a12c124af4a24021c6a21060955c79a3

SHA256
a351c1d494a1060fc9cd1c914bb846d87318181202c4f9c06c6931a73c933522

SHA512
75a6cdea5867875cab4c8c446c950805ab643a81d5acba6e2fc459f2859f7606690a7f19b00fb4ab22ece57236bbeaaf83295901a1807eba1881c7342f298107

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C21.exe
MD5
0aea4d493d5420856fc80865efba4838

SHA1
12acfd267b76fbcdc98914902d73ff7adfd15c3d

SHA256
ff7ae82d36a61a1480ca96bc4fef2831fb5bef00d733f29bdf5f053e7cc89ac5

SHA512
763fff58c3488579f0224c45a5e9d982ddf9b33d94def7671869f91f8b03e7f8b3452014f1dd4b95113e714d9db1f5a6d9f325a51cab964decb7263688796d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C21.exe
MD5
0aea4d493d5420856fc80865efba4838

SHA1
12acfd267b76fbcdc98914902d73ff7adfd15c3d

SHA256
ff7ae82d36a61a1480ca96bc4fef2831fb5bef00d733f29bdf5f053e7cc89ac5

SHA512
763fff58c3488579f0224c45a5e9d982ddf9b33d94def7671869f91f8b03e7f8b3452014f1dd4b95113e714d9db1f5a6d9f325a51cab964decb7263688796d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F7E.exe
MD5
1073896ed8714969c25798c6b30a954c

SHA1
1b1ef4654cae70cb1bc34eb270d189edb285b46a

SHA256
4aeed5485089f1b6efe2eb92328b30f04262b2f171ca41ffcadb2407e1ddadf4

SHA512
b26bec26537603e649ebc57ab51e287d5c527d8cbdeecf8c3fdb08919cae0417fc5b0cd173c33f11657f0daca6789e6b729656b44684519586a5d862a90725bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F7E.exe
MD5
1073896ed8714969c25798c6b30a954c

SHA1
1b1ef4654cae70cb1bc34eb270d189edb285b46a

SHA256
4aeed5485089f1b6efe2eb92328b30f04262b2f171ca41ffcadb2407e1ddadf4

SHA512
b26bec26537603e649ebc57ab51e287d5c527d8cbdeecf8c3fdb08919cae0417fc5b0cd173c33f11657f0daca6789e6b729656b44684519586a5d862a90725bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B23.exe
MD5
efb43e0949072a0851b3ed4176e85eef

SHA1
5e3d9156fe778102ca067a48c9e95a04dd1a3863

SHA256
e65fd7af205a4a8f4ecf46925648f361d5356c964ee3429774fe32c555bde288

SHA512
76eb105596be20adba0db0fb663319d1c89794828c5e7d1fbb0b3b945b4914995df09debe72b4c4d22edabd24f240ae735c153cdb24bdba35fac855e3ab9fbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhalsaoe.exe
MD5
46ab453c15aa3a9365824a3ff06a77ca

SHA1
f06c177c555c6b0e1dd4dbf2ec67c6f7fbc6ab0d

SHA256
7434eaa3dc1a35ebd137af141fd71c1ec9efc53950f64f39d2f2185ae708e82d

SHA512
7435949d6e9263d3901d114b9156f823431a9b3be3c6574ee6fa40e29702d9b71ac04cc8915e6727127a5a9d0ac1b3cf92b83cdd32af27f27266f9efdd70de20

Download Submit
C:\Users\Admin\AppData\Local\a2bfb427-ec5b-42e6-b2d9-e25471fc9aa5\1D2D.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Windows\SysWOW64\xwxqcmek\fhalsaoe.exe
MD5
46ab453c15aa3a9365824a3ff06a77ca

SHA1
f06c177c555c6b0e1dd4dbf2ec67c6f7fbc6ab0d

SHA256
7434eaa3dc1a35ebd137af141fd71c1ec9efc53950f64f39d2f2185ae708e82d

SHA512
7435949d6e9263d3901d114b9156f823431a9b3be3c6574ee6fa40e29702d9b71ac04cc8915e6727127a5a9d0ac1b3cf92b83cdd32af27f27266f9efdd70de20

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/60-53-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/60-59-0x00000000024A0000-0x0000000002535000-memory.dmp

Filesize
596KB

Download
memory/60-60-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/60-41-0x0000000000000000-mapping.dmp

Download
memory/188-47-0x0000000000000000-mapping.dmp

Download
memory/188-64-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/188-62-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/188-68-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/188-67-0x0000000002BE0000-0x0000000002BF3000-memory.dmp

Filesize
76KB

Download
memory/204-94-0x0000000000400000-0x0000000000A5C000-memory.dmp

Filesize
6.4MB

Download
memory/204-92-0x0000000000000000-mapping.dmp

Download
memory/204-95-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download
memory/204-96-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/204-97-0x0000000077294000-0x0000000077295000-memory.dmp

Filesize
4KB

Download
memory/576-73-0x0000000000000000-mapping.dmp

Download
memory/768-88-0x0000000000000000-mapping.dmp

Download
memory/880-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/880-2-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/880-4-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/1228-80-0x0000000000000000-mapping.dmp

Download
memory/1392-77-0x0000000000000000-mapping.dmp

Download
memory/1700-83-0x0000000000000000-mapping.dmp

Download
memory/1772-75-0x0000000002DA0000-0x0000000002E0B000-memory.dmp

Filesize
428KB

Download
memory/1772-72-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1772-76-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1772-50-0x0000000000000000-mapping.dmp

Download
memory/1984-11-0x0000000001DD0000-0x0000000001EEA000-memory.dmp

Filesize
1.1MB

Download
memory/1984-12-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1984-7-0x0000000000000000-mapping.dmp

Download
memory/1984-10-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2292-70-0x0000000000000000-mapping.dmp

Download
memory/2296-38-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2296-17-0x0000000000000000-mapping.dmp

Download
memory/2296-39-0x0000000002570000-0x0000000002604000-memory.dmp

Filesize
592KB

Download
memory/2296-40-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2720-86-0x0000000002AA0000-0x0000000002AB5000-memory.dmp

Filesize
84KB

Download
memory/2720-87-0x0000000002AA9A6B-mapping.dmp

Download
memory/2868-6-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/3152-78-0x0000000000000000-mapping.dmp

Download
memory/3176-44-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3176-45-0x0000000000980000-0x00000000009B6000-memory.dmp

Filesize
216KB

Download
memory/3176-46-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3176-35-0x0000000000000000-mapping.dmp

Download
memory/3448-13-0x0000000000000000-mapping.dmp

Download
memory/3564-69-0x0000000000000000-mapping.dmp

Download
memory/3580-82-0x0000000000000000-mapping.dmp

Download
memory/3612-63-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/3612-61-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/3696-20-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/3696-15-0x0000000000000000-mapping.dmp

Download
memory/3856-71-0x0000000000000000-mapping.dmp

Download
memory/3860-30-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/3860-27-0x0000000000000000-mapping.dmp

Download
memory/3916-79-0x0000000000000000-mapping.dmp

Download
memory/4060-34-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4060-31-0x0000000000000000-mapping.dmp

Download
memory/4068-84-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads