djvu | ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24

Analysis

max time kernel
82s
max time network
81s
platform
windows10_x64
resource
win10v20201028
submitted
31-03-2021 17:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
Size

176KB
MD5

de276c3b5b196028e89b37f04230a39d
SHA1

77df36a5cccf073b4fb998efe4e42df8b78e3277
SHA256

ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24
SHA512

0268a4deb27a2874a7796086e1635b325ac98d2a83d93521a8b3fb7fc3142d3165a55724b411bf5934a1c80c7096374690afebf4edbf0d57a954343de4a5a4ea

Score

10^/10

djvu smokeloader tofsee vidar backdoor bootkit discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

3116 mpcmdrun.exe
Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3164 created 3820 3164 WerFault.exe viivgvw
PID 2224 created 3572 2224 WerFault.exe 5.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Drops file in Drivers directory 1 IoCs

Processes:

updatewin2.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts updatewin2.exe

pid	process
3116	mpcmdrun.exe

description	pid	process	target process
PID 3164 created 3820	3164	WerFault.exe	viivgvw
PID 2224 created 3572	2224	WerFault.exe	5.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

Executes dropped EXE 12 IoCs

Processes:

viivgvw1492.exe1492.exeupdatewin1.exeupdatewin2.exeupdatewin.exe5.exe327C.exe471E.exeupdatewin1.exe58C2.exexjiwhrzt.exe

pid	process
3820	viivgvw
4012	1492.exe
3924	1492.exe
208	updatewin1.exe
2364	updatewin2.exe
412	updatewin.exe
3572	5.exe
1136	327C.exe
2264	471E.exe
2964	updatewin1.exe
2832	58C2.exe
3532	xjiwhrzt.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

pid process

3020
Loads dropped DLL 3 IoCs

Processes:

SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe327C.exe

pid process

1908 SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
1136 327C.exe
1136 327C.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3216 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3020

pid	process
3216	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1492.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\19a4b7da-4d2e-4577-9b4b-1ba1d63ee53b\\1492.exe\" --AutoStart"	1492.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.2ip.ua
40 api.2ip.ua
46 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

58C2.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 58C2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

xjiwhrzt.exe

description pid process target process

PID 3532 set thread context of 1576 3532 xjiwhrzt.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3164 3820 WerFault.exe viivgvw
2224 3572 WerFault.exe 5.exe

flow	ioc
39	api.2ip.ua
40	api.2ip.ua
46	api.2ip.ua

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	58C2.exe

description	pid	process	target process
PID 3532 set thread context of 1576	3532	xjiwhrzt.exe	svchost.exe

pid	pid_target	process	target process
3164	3820	WerFault.exe	viivgvw
2224	3572	WerFault.exe	5.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

327C.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	327C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	327C.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2764 timeout.exe
608 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2420 taskkill.exe

pid	process
2764	timeout.exe
608	timeout.exe

pid	process
2420	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1492.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1492.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1492.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe

pid	process
1908	SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
1908	SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe

pid process

1908 SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

WerFault.exeWerFault.exetaskkill.exe58C2.exe

description	pid	process
Token: SeRestorePrivilege	3164	WerFault.exe
Token: SeBackupPrivilege	3164	WerFault.exe
Token: SeDebugPrivilege	3164	WerFault.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	2224	WerFault.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	2832	58C2.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3020

pid	process
3020

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1492.exe1492.exeupdatewin.execmd.exeupdatewin1.exe327C.exe471E.execmd.exe

description	pid	process	target process
PID 3020 wrote to memory of 4012	3020		1492.exe
PID 3020 wrote to memory of 4012	3020		1492.exe
PID 3020 wrote to memory of 4012	3020		1492.exe
PID 4012 wrote to memory of 3216	4012	1492.exe	icacls.exe
PID 4012 wrote to memory of 3216	4012	1492.exe	icacls.exe
PID 4012 wrote to memory of 3216	4012	1492.exe	icacls.exe
PID 4012 wrote to memory of 3924	4012	1492.exe	1492.exe
PID 4012 wrote to memory of 3924	4012	1492.exe	1492.exe
PID 4012 wrote to memory of 3924	4012	1492.exe	1492.exe
PID 3924 wrote to memory of 208	3924	1492.exe	updatewin1.exe
PID 3924 wrote to memory of 208	3924	1492.exe	updatewin1.exe
PID 3924 wrote to memory of 208	3924	1492.exe	updatewin1.exe
PID 3924 wrote to memory of 2364	3924	1492.exe	updatewin2.exe
PID 3924 wrote to memory of 2364	3924	1492.exe	updatewin2.exe
PID 3924 wrote to memory of 2364	3924	1492.exe	updatewin2.exe
PID 3924 wrote to memory of 412	3924	1492.exe	updatewin.exe
PID 3924 wrote to memory of 412	3924	1492.exe	updatewin.exe
PID 3924 wrote to memory of 412	3924	1492.exe	updatewin.exe
PID 3924 wrote to memory of 3572	3924	1492.exe	5.exe
PID 3924 wrote to memory of 3572	3924	1492.exe	5.exe
PID 3924 wrote to memory of 3572	3924	1492.exe	5.exe
PID 3020 wrote to memory of 1136	3020		327C.exe
PID 3020 wrote to memory of 1136	3020		327C.exe
PID 3020 wrote to memory of 1136	3020		327C.exe
PID 412 wrote to memory of 1916	412	updatewin.exe	cmd.exe
PID 412 wrote to memory of 1916	412	updatewin.exe	cmd.exe
PID 412 wrote to memory of 1916	412	updatewin.exe	cmd.exe
PID 1916 wrote to memory of 608	1916	cmd.exe	timeout.exe
PID 1916 wrote to memory of 608	1916	cmd.exe	timeout.exe
PID 1916 wrote to memory of 608	1916	cmd.exe	timeout.exe
PID 3020 wrote to memory of 2264	3020		471E.exe
PID 3020 wrote to memory of 2264	3020		471E.exe
PID 3020 wrote to memory of 2264	3020		471E.exe
PID 208 wrote to memory of 2964	208	updatewin1.exe	updatewin1.exe
PID 208 wrote to memory of 2964	208	updatewin1.exe	updatewin1.exe
PID 208 wrote to memory of 2964	208	updatewin1.exe	updatewin1.exe
PID 1136 wrote to memory of 2736	1136	327C.exe	cmd.exe
PID 1136 wrote to memory of 2736	1136	327C.exe	cmd.exe
PID 1136 wrote to memory of 2736	1136	327C.exe	cmd.exe
PID 2264 wrote to memory of 2232	2264	471E.exe	cmd.exe
PID 2264 wrote to memory of 2232	2264	471E.exe	cmd.exe
PID 2264 wrote to memory of 2232	2264	471E.exe	cmd.exe
PID 2736 wrote to memory of 2420	2736	cmd.exe	taskkill.exe
PID 2736 wrote to memory of 2420	2736	cmd.exe	taskkill.exe
PID 2736 wrote to memory of 2420	2736	cmd.exe	taskkill.exe
PID 2736 wrote to memory of 2764	2736	cmd.exe	timeout.exe
PID 2736 wrote to memory of 2764	2736	cmd.exe	timeout.exe
PID 2736 wrote to memory of 2764	2736	cmd.exe	timeout.exe
PID 2264 wrote to memory of 1408	2264	471E.exe	cmd.exe
PID 2264 wrote to memory of 1408	2264	471E.exe	cmd.exe
PID 2264 wrote to memory of 1408	2264	471E.exe	cmd.exe
PID 2264 wrote to memory of 504	2264	471E.exe	sc.exe
PID 2264 wrote to memory of 504	2264	471E.exe	sc.exe
PID 2264 wrote to memory of 504	2264	471E.exe	sc.exe
PID 2264 wrote to memory of 1060	2264	471E.exe	sc.exe
PID 2264 wrote to memory of 1060	2264	471E.exe	sc.exe
PID 2264 wrote to memory of 1060	2264	471E.exe	sc.exe
PID 3020 wrote to memory of 2832	3020		58C2.exe
PID 3020 wrote to memory of 2832	3020		58C2.exe
PID 3020 wrote to memory of 2832	3020		58C2.exe
PID 2264 wrote to memory of 3916	2264	471E.exe	sc.exe
PID 2264 wrote to memory of 3916	2264	471E.exe	sc.exe
PID 2264 wrote to memory of 3916	2264	471E.exe	sc.exe
PID 2264 wrote to memory of 3876	2264	471E.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.GandCrypt-A.26403.26463.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1908

C:\Users\Admin\AppData\Roaming\viivgvw
C:\Users\Admin\AppData\Roaming\viivgvw
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 484
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Users\Admin\AppData\Local\Temp\1492.exe
C:\Users\Admin\AppData\Local\Temp\1492.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\19a4b7da-4d2e-4577-9b4b-1ba1d63ee53b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:3216

C:\Users\Admin\AppData\Local\Temp\1492.exe
"C:\Users\Admin\AppData\Local\Temp\1492.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe
"C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe
"C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe" --Admin
4⤵
- Executes dropped EXE
PID:2964

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
5⤵
- Deletes Windows Defender Definitions
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
5⤵
PID:1572

C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin2.exe
"C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin2.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin.exe
"C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:608

C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\5.exe
"C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\5.exe"
3⤵
- Executes dropped EXE
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 764
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\327C.exe
C:\Users\Admin\AppData\Local\Temp\327C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 327C.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\327C.exe" & del C:\ProgramData\*.dll & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 327C.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:2764

C:\Users\Admin\AppData\Local\Temp\471E.exe
C:\Users\Admin\AppData\Local\Temp\471E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eqhogsrt\
2⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xjiwhrzt.exe" C:\Windows\SysWOW64\eqhogsrt\
2⤵
PID:1408

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create eqhogsrt binPath= "C:\Windows\SysWOW64\eqhogsrt\xjiwhrzt.exe /d\"C:\Users\Admin\AppData\Local\Temp\471E.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:504

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description eqhogsrt "wifi internet conection"
2⤵
PID:1060

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start eqhogsrt
2⤵
PID:3916

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\58C2.exe
C:\Users\Admin\AppData\Local\Temp\58C2.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\SysWOW64\eqhogsrt\xjiwhrzt.exe
C:\Windows\SysWOW64\eqhogsrt\xjiwhrzt.exe /d"C:\Users\Admin\AppData\Local\Temp\471E.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3532

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Bootkit

T1067

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
0936d19232cfcdafbced53ad410a7302

SHA1
7ecf78bc4b20f07d1b4e37d3b6d23276d559b18a

SHA256
9046bb77872ac1e6d8b9a6af797f1fdd5cac5b833de440cbd285f396938c54fa

SHA512
642215bbc005909a0a4ff3e1cfd9fb3017838e7a6bdf03c5716e980b59d46a793fd24d63ce8e27867d58daa644112e53e63fac7f671ee6f3a9b28bbde805805c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
9c381e1c05936ad539bc8d0fe34981c3

SHA1
cff61eb4121208e3fc90e0ae7cc605fc44e65ab9

SHA256
bde1d8daaa1cb82ecab9742c4e06ae955070fb10be6689f5f177efe3496d32e3

SHA512
bdc49a8fd3318658de368d640198e91a07dac3365fd1a6eff2265b1d909fb5a32d398b4fa94a6d8dd04876980b138217f15a579d1b47df0820f58ee4db295d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
76f439a6a398afe5b0b20727b0901439

SHA1
5748620240760fd6ad0d9bdf1e939ff43c633dd8

SHA256
f7dab184c24837703e198e3abe045d557d6ee5d2b68589f253c9203465834fd0

SHA512
31647caa011e97fb9fc3421f2575384e791d3d5026444ae3e038626e883d5c3003289fde566ae1be324bc41d8e10bc438433d674d6fcab74e6b653d0833bf19c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
7fb390e7b2e32ef49b44eac2d7665251

SHA1
8f4052efe3ec192d2065bb722ea44e8bea99330f

SHA256
7edd38eec7a29055ec0c4c5ad734d0431f66c25e64fbdd42029a76c14433baec

SHA512
4b70b9c962f4b1485319a9776d7b51096410587fee3a4329018fe3ca6d9ee0f88fe10469f328522f256ec99f71f31306a7bbabe24cdeb39943b8a47563fa9e2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
eedc667ab69d316b76341ad28b7b9b08

SHA1
dbfc1023e934fc1ffa71f9fb7ebfccf00270a8c5

SHA256
4c981c355d4031630d19859798938896e44c63908af93d68ccbc349837e91f89

SHA512
5a797449981aa1e76ac5aad428eb260a9344e56b27f441894810da944ac4dd3257f7df16fd7ea542797cfed3f60804fc4f2f5d684db96f3f404a344e5714478b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
fe6cbb8e9a3902acef4f95cabc89c41f

SHA1
02e9c33d45a7c8cea35a04135ec8068db90dcae6

SHA256
720a5f90965f67ecd51bc9e4ba4079687ff76f7f7744dd86e28544c888f49787

SHA512
425539ad17a61358201c0663e97b1140e8c275bc8d2a5a8e630ce58e9430389697d7f8da52ded35eb7616d6f574269c3aab18187d800d960d3c8375a08ce4420

Download Submit
C:\Users\Admin\AppData\Local\19a4b7da-4d2e-4577-9b4b-1ba1d63ee53b\1492.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\4ab960c4-ed8e-405a-88c4-6c064abe8eb3\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\73LD4XN6.cookie
MD5
329fe6efebd56dfca4484b38d563bf73

SHA1
a70878499ecc0f23257c68b2e68293f4525c1e21

SHA256
77d5e1ab38663e1f7e8801e1a01682aaad09428522865436ba7d627a871bc111

SHA512
6103a0986fc0916e813978bc3f67749e22acba526e82c6380c7acddb2e0f99c7e3a3dc5b2f10aaa6a394a61f227b69177188c929efae21f02f4c3de9b87ecdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1492.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1492.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1492.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\327C.exe
MD5
4328b263719a51a40732349a08ba3bb6

SHA1
904bd397a12c124af4a24021c6a21060955c79a3

SHA256
a351c1d494a1060fc9cd1c914bb846d87318181202c4f9c06c6931a73c933522

SHA512
75a6cdea5867875cab4c8c446c950805ab643a81d5acba6e2fc459f2859f7606690a7f19b00fb4ab22ece57236bbeaaf83295901a1807eba1881c7342f298107

Download Submit
C:\Users\Admin\AppData\Local\Temp\327C.exe
MD5
4328b263719a51a40732349a08ba3bb6

SHA1
904bd397a12c124af4a24021c6a21060955c79a3

SHA256
a351c1d494a1060fc9cd1c914bb846d87318181202c4f9c06c6931a73c933522

SHA512
75a6cdea5867875cab4c8c446c950805ab643a81d5acba6e2fc459f2859f7606690a7f19b00fb4ab22ece57236bbeaaf83295901a1807eba1881c7342f298107

Download Submit
C:\Users\Admin\AppData\Local\Temp\471E.exe
MD5
f0ec8474c63bb4e444e1599c0ae13bdc

SHA1
54e55cb1cfe9f0740606440dcec373cd77b039ce

SHA256
99c144c609271eb14b404fb5966761c1e0b3910dec6fc785eb303cbe14de380b

SHA512
07499872199ec83c5d33aad7f9b3eebbab07f1ba0feb32e8966840827139c364e1ff121065a64614c90f90453f36fb3d2ef9a20da087ce20f60441caa24720ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\471E.exe
MD5
f0ec8474c63bb4e444e1599c0ae13bdc

SHA1
54e55cb1cfe9f0740606440dcec373cd77b039ce

SHA256
99c144c609271eb14b404fb5966761c1e0b3910dec6fc785eb303cbe14de380b

SHA512
07499872199ec83c5d33aad7f9b3eebbab07f1ba0feb32e8966840827139c364e1ff121065a64614c90f90453f36fb3d2ef9a20da087ce20f60441caa24720ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\58C2.exe
MD5
6dbd51216cd2949871a16a9a7d053570

SHA1
1b348105ab9f358544960a3736418d11219767dd

SHA256
d7d500029478331ae0485f3b1b806c319be5644c94318f73fc66f39f0da6cc0c

SHA512
f502f5b207296c02a9e165b7589f53298fbd07b101ed8079ca31add36e088e5b1d2bc8b14d3638a7b1b01725e9b0002e1ada75d29ad5ac097518ce95556e7528

Download Submit
C:\Users\Admin\AppData\Local\Temp\58C2.exe
MD5
6dbd51216cd2949871a16a9a7d053570

SHA1
1b348105ab9f358544960a3736418d11219767dd

SHA256
d7d500029478331ae0485f3b1b806c319be5644c94318f73fc66f39f0da6cc0c

SHA512
f502f5b207296c02a9e165b7589f53298fbd07b101ed8079ca31add36e088e5b1d2bc8b14d3638a7b1b01725e9b0002e1ada75d29ad5ac097518ce95556e7528

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjiwhrzt.exe
MD5
17ef41e1a7c31c609267f4c43b75869f

SHA1
55ba2b441289049b5f1431701dcd065dce120571

SHA256
24ef6ed3fecdc58330d090302299d27f4d401069f54254edccbd537c3716a22b

SHA512
e3ae2d331b5b3928f7c56d9773114cefe755324166f65f7cd01003e3666ef422b2deb7eefe3b0e3d0d43c31799755b86a4f58c80bfb40fd36c83fc4b6fcef551

Download Submit
C:\Users\Admin\AppData\Roaming\viivgvw
MD5
de276c3b5b196028e89b37f04230a39d

SHA1
77df36a5cccf073b4fb998efe4e42df8b78e3277

SHA256
ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24

SHA512
0268a4deb27a2874a7796086e1635b325ac98d2a83d93521a8b3fb7fc3142d3165a55724b411bf5934a1c80c7096374690afebf4edbf0d57a954343de4a5a4ea

Download Submit
C:\Users\Admin\AppData\Roaming\viivgvw
MD5
de276c3b5b196028e89b37f04230a39d

SHA1
77df36a5cccf073b4fb998efe4e42df8b78e3277

SHA256
ed4c8f72e049a22a51ff3d1b871fb42c1e333d4831710b7180e040d5a27a8b24

SHA512
0268a4deb27a2874a7796086e1635b325ac98d2a83d93521a8b3fb7fc3142d3165a55724b411bf5934a1c80c7096374690afebf4edbf0d57a954343de4a5a4ea

Download Submit
C:\Windows\SysWOW64\eqhogsrt\xjiwhrzt.exe
MD5
17ef41e1a7c31c609267f4c43b75869f

SHA1
55ba2b441289049b5f1431701dcd065dce120571

SHA256
24ef6ed3fecdc58330d090302299d27f4d401069f54254edccbd537c3716a22b

SHA512
e3ae2d331b5b3928f7c56d9773114cefe755324166f65f7cd01003e3666ef422b2deb7eefe3b0e3d0d43c31799755b86a4f58c80bfb40fd36c83fc4b6fcef551

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/208-31-0x0000000000000000-mapping.dmp

Download
memory/208-34-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/208-78-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/412-40-0x0000000000000000-mapping.dmp

Download
memory/412-49-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/412-47-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/412-48-0x0000000000AA0000-0x0000000000AD6000-memory.dmp

Filesize
216KB

Download
memory/504-89-0x0000000000000000-mapping.dmp

Download
memory/608-63-0x0000000000000000-mapping.dmp

Download
memory/1060-90-0x0000000000000000-mapping.dmp

Download
memory/1136-68-0x0000000002500000-0x0000000002594000-memory.dmp

Filesize
592KB

Download
memory/1136-64-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1136-59-0x0000000000000000-mapping.dmp

Download
memory/1136-69-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1408-85-0x0000000000000000-mapping.dmp

Download
memory/1576-101-0x0000000002BD9A6B-mapping.dmp

Download
memory/1576-99-0x0000000002BD0000-0x0000000002BE5000-memory.dmp

Filesize
84KB

Download
memory/1908-2-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1908-4-0x0000000002C00000-0x0000000002C09000-memory.dmp

Filesize
36KB

Download
memory/1908-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1916-62-0x0000000000000000-mapping.dmp

Download
memory/2224-56-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/2224-53-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2224-52-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2232-82-0x0000000000000000-mapping.dmp

Download
memory/2264-72-0x0000000000000000-mapping.dmp

Download
memory/2264-88-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2264-80-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2264-87-0x00000000001D0000-0x00000000001E3000-memory.dmp

Filesize
76KB

Download
memory/2364-35-0x0000000000000000-mapping.dmp

Download
memory/2364-38-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2364-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2420-83-0x0000000000000000-mapping.dmp

Download
memory/2736-81-0x0000000000000000-mapping.dmp

Download
memory/2764-84-0x0000000000000000-mapping.dmp

Download
memory/2832-105-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2832-91-0x0000000000000000-mapping.dmp

Download
memory/2832-104-0x0000000002E80000-0x0000000002EEB000-memory.dmp

Filesize
428KB

Download
memory/2832-100-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/2964-77-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2964-75-0x0000000000000000-mapping.dmp

Download
memory/3020-6-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/3164-12-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3164-11-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3216-22-0x0000000000000000-mapping.dmp

Download
memory/3532-97-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/3572-50-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3572-58-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3572-44-0x0000000000000000-mapping.dmp

Download
memory/3572-57-0x0000000000B20000-0x0000000000BB5000-memory.dmp

Filesize
596KB

Download
memory/3820-9-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3876-96-0x0000000000000000-mapping.dmp

Download
memory/3916-94-0x0000000000000000-mapping.dmp

Download
memory/3924-24-0x0000000000000000-mapping.dmp

Download
memory/3924-26-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/4012-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4012-16-0x0000000000000000-mapping.dmp

Download
memory/4012-19-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/4012-20-0x0000000001D00000-0x0000000001E1A000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads