smokeloader | deceb572b4fd9c2e2c964ea1a574082a7bb6cc3952ad0c2eaeabe64f20d706fe

Analysis

max time kernel
76s
max time network
77s
platform
windows10_x64
resource
win10v20201028
submitted
31-03-2021 13:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

7a2899fc058c83f293b08384dd2922d1.exe
Size

176KB
MD5

7a2899fc058c83f293b08384dd2922d1
SHA1

ff28d906cae7fb816caebbf2ae1bdaf583e3ae32
SHA256

deceb572b4fd9c2e2c964ea1a574082a7bb6cc3952ad0c2eaeabe64f20d706fe
SHA512

acb914443fb000e88262eed0f6509d89c81d6a244d35bab6f1c4991c8599739155bf5db05f2c5218f54d9c10f58e070c80851caec522e09c0a0e569d496fd1e4

Score

10^/10

smokeloader tofsee vidar backdoor bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1348 created 1800 1348 WerFault.exe 5.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 10 IoCs

Processes:

34DC.exe34DC.exe3FBA.exeupdatewin1.exeupdatewin2.exeupdatewin.exe5.exe4D77.exe5383.exehfopyujf.exe

pid process

2768 34DC.exe
2124 34DC.exe
3820 3FBA.exe
1932 updatewin1.exe
3976 updatewin2.exe
3340 updatewin.exe
1800 5.exe
1432 4D77.exe
1512 5383.exe
1176 hfopyujf.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

pid process

3012
Loads dropped DLL 3 IoCs

Processes:

7a2899fc058c83f293b08384dd2922d1.exe3FBA.exe

pid process

1048 7a2899fc058c83f293b08384dd2922d1.exe
3820 3FBA.exe
3820 3FBA.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2984 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1348 created 1800	1348	WerFault.exe	5.exe

pid	process
2768	34DC.exe
2124	34DC.exe
3820	3FBA.exe
1932	updatewin1.exe
3976	updatewin2.exe
3340	updatewin.exe
1800	5.exe
1432	4D77.exe
1512	5383.exe
1176	hfopyujf.exe

pid	process
3012

pid	process
2984	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

34DC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9f3b8d01-d58f-4cc1-bfd3-98be6d298b6e\\34DC.exe\" --AutoStart"	34DC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 api.2ip.ua
33 api.2ip.ua
34 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

5383.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 5383.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hfopyujf.exe

description pid process target process

PID 1176 set thread context of 812 1176 hfopyujf.exe svchost.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1348 1800 WerFault.exe 5.exe

flow	ioc
46	api.2ip.ua
33	api.2ip.ua
34	api.2ip.ua

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	5383.exe

description	pid	process	target process
PID 1176 set thread context of 812	1176	hfopyujf.exe	svchost.exe

pid	pid_target	process	target process
1348	1800	WerFault.exe	5.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7a2899fc058c83f293b08384dd2922d1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7a2899fc058c83f293b08384dd2922d1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7a2899fc058c83f293b08384dd2922d1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7a2899fc058c83f293b08384dd2922d1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3FBA.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3FBA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3FBA.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3588 timeout.exe
2016 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2184 taskkill.exe

pid	process
3588	timeout.exe
2016	timeout.exe

pid	process
2184	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

34DC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	34DC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	34DC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7a2899fc058c83f293b08384dd2922d1.exe

pid	process
1048	7a2899fc058c83f293b08384dd2922d1.exe
1048	7a2899fc058c83f293b08384dd2922d1.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7a2899fc058c83f293b08384dd2922d1.exe

pid process

1048 7a2899fc058c83f293b08384dd2922d1.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

WerFault.exetaskkill.exe5383.exe

description	pid	process
Token: SeRestorePrivilege	1348	WerFault.exe
Token: SeBackupPrivilege	1348	WerFault.exe
Token: SeDebugPrivilege	1348	WerFault.exe
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeShutdownPrivilege	1512	5383.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3012

pid	process
3012

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34DC.exe34DC.exe4D77.exeupdatewin.execmd.exe3FBA.exehfopyujf.execmd.exe

description	pid	process	target process
PID 3012 wrote to memory of 2768	3012		34DC.exe
PID 3012 wrote to memory of 2768	3012		34DC.exe
PID 3012 wrote to memory of 2768	3012		34DC.exe
PID 2768 wrote to memory of 2984	2768	34DC.exe	icacls.exe
PID 2768 wrote to memory of 2984	2768	34DC.exe	icacls.exe
PID 2768 wrote to memory of 2984	2768	34DC.exe	icacls.exe
PID 2768 wrote to memory of 2124	2768	34DC.exe	34DC.exe
PID 2768 wrote to memory of 2124	2768	34DC.exe	34DC.exe
PID 2768 wrote to memory of 2124	2768	34DC.exe	34DC.exe
PID 3012 wrote to memory of 3820	3012		3FBA.exe
PID 3012 wrote to memory of 3820	3012		3FBA.exe
PID 3012 wrote to memory of 3820	3012		3FBA.exe
PID 2124 wrote to memory of 1932	2124	34DC.exe	updatewin1.exe
PID 2124 wrote to memory of 1932	2124	34DC.exe	updatewin1.exe
PID 2124 wrote to memory of 1932	2124	34DC.exe	updatewin1.exe
PID 2124 wrote to memory of 3976	2124	34DC.exe	updatewin2.exe
PID 2124 wrote to memory of 3976	2124	34DC.exe	updatewin2.exe
PID 2124 wrote to memory of 3976	2124	34DC.exe	updatewin2.exe
PID 2124 wrote to memory of 3340	2124	34DC.exe	updatewin.exe
PID 2124 wrote to memory of 3340	2124	34DC.exe	updatewin.exe
PID 2124 wrote to memory of 3340	2124	34DC.exe	updatewin.exe
PID 2124 wrote to memory of 1800	2124	34DC.exe	5.exe
PID 2124 wrote to memory of 1800	2124	34DC.exe	5.exe
PID 2124 wrote to memory of 1800	2124	34DC.exe	5.exe
PID 3012 wrote to memory of 1432	3012		4D77.exe
PID 3012 wrote to memory of 1432	3012		4D77.exe
PID 3012 wrote to memory of 1432	3012		4D77.exe
PID 3012 wrote to memory of 1512	3012		5383.exe
PID 3012 wrote to memory of 1512	3012		5383.exe
PID 3012 wrote to memory of 1512	3012		5383.exe
PID 1432 wrote to memory of 1716	1432	4D77.exe	cmd.exe
PID 1432 wrote to memory of 1716	1432	4D77.exe	cmd.exe
PID 1432 wrote to memory of 1716	1432	4D77.exe	cmd.exe
PID 1432 wrote to memory of 588	1432	4D77.exe	cmd.exe
PID 1432 wrote to memory of 588	1432	4D77.exe	cmd.exe
PID 1432 wrote to memory of 588	1432	4D77.exe	cmd.exe
PID 1432 wrote to memory of 3972	1432	4D77.exe	sc.exe
PID 1432 wrote to memory of 3972	1432	4D77.exe	sc.exe
PID 1432 wrote to memory of 3972	1432	4D77.exe	sc.exe
PID 1432 wrote to memory of 856	1432	4D77.exe	sc.exe
PID 1432 wrote to memory of 856	1432	4D77.exe	sc.exe
PID 1432 wrote to memory of 856	1432	4D77.exe	sc.exe
PID 3340 wrote to memory of 2824	3340	updatewin.exe	cmd.exe
PID 3340 wrote to memory of 2824	3340	updatewin.exe	cmd.exe
PID 3340 wrote to memory of 2824	3340	updatewin.exe	cmd.exe
PID 2824 wrote to memory of 3588	2824	cmd.exe	timeout.exe
PID 2824 wrote to memory of 3588	2824	cmd.exe	timeout.exe
PID 2824 wrote to memory of 3588	2824	cmd.exe	timeout.exe
PID 1432 wrote to memory of 1728	1432	4D77.exe	sc.exe
PID 1432 wrote to memory of 1728	1432	4D77.exe	sc.exe
PID 1432 wrote to memory of 1728	1432	4D77.exe	sc.exe
PID 1432 wrote to memory of 3336	1432	4D77.exe	netsh.exe
PID 1432 wrote to memory of 3336	1432	4D77.exe	netsh.exe
PID 1432 wrote to memory of 3336	1432	4D77.exe	netsh.exe
PID 3820 wrote to memory of 3892	3820	3FBA.exe	cmd.exe
PID 3820 wrote to memory of 3892	3820	3FBA.exe	cmd.exe
PID 3820 wrote to memory of 3892	3820	3FBA.exe	cmd.exe
PID 1176 wrote to memory of 812	1176	hfopyujf.exe	svchost.exe
PID 1176 wrote to memory of 812	1176	hfopyujf.exe	svchost.exe
PID 1176 wrote to memory of 812	1176	hfopyujf.exe	svchost.exe
PID 1176 wrote to memory of 812	1176	hfopyujf.exe	svchost.exe
PID 1176 wrote to memory of 812	1176	hfopyujf.exe	svchost.exe
PID 3892 wrote to memory of 2184	3892	cmd.exe	taskkill.exe
PID 3892 wrote to memory of 2184	3892	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7a2899fc058c83f293b08384dd2922d1.exe
"C:\Users\Admin\AppData\Local\Temp\7a2899fc058c83f293b08384dd2922d1.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1048

C:\Users\Admin\AppData\Local\Temp\34DC.exe
C:\Users\Admin\AppData\Local\Temp\34DC.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\9f3b8d01-d58f-4cc1-bfd3-98be6d298b6e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:2984

C:\Users\Admin\AppData\Local\Temp\34DC.exe
"C:\Users\Admin\AppData\Local\Temp\34DC.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin1.exe
"C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin1.exe"
3⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin2.exe
"C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin2.exe"
3⤵
- Executes dropped EXE
PID:3976

C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin.exe
"C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:3588

C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\5.exe
"C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\5.exe"
3⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1456
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Users\Admin\AppData\Local\Temp\3FBA.exe
C:\Users\Admin\AppData\Local\Temp\3FBA.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 3FBA.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3FBA.exe" & del C:\ProgramData\*.dll & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 3FBA.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:2016

C:\Users\Admin\AppData\Local\Temp\4D77.exe
C:\Users\Admin\AppData\Local\Temp\4D77.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hwawvigy\
2⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hfopyujf.exe" C:\Windows\SysWOW64\hwawvigy\
2⤵
PID:588

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create hwawvigy binPath= "C:\Windows\SysWOW64\hwawvigy\hfopyujf.exe /d\"C:\Users\Admin\AppData\Local\Temp\4D77.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:3972

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description hwawvigy "wifi internet conection"
2⤵
PID:856

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start hwawvigy
2⤵
PID:1728

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\5383.exe
C:\Users\Admin\AppData\Local\Temp\5383.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\hwawvigy\hfopyujf.exe
C:\Windows\SysWOW64\hwawvigy\hfopyujf.exe /d"C:\Users\Admin\AppData\Local\Temp\4D77.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
0936d19232cfcdafbced53ad410a7302

SHA1
7ecf78bc4b20f07d1b4e37d3b6d23276d559b18a

SHA256
9046bb77872ac1e6d8b9a6af797f1fdd5cac5b833de440cbd285f396938c54fa

SHA512
642215bbc005909a0a4ff3e1cfd9fb3017838e7a6bdf03c5716e980b59d46a793fd24d63ce8e27867d58daa644112e53e63fac7f671ee6f3a9b28bbde805805c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
9c381e1c05936ad539bc8d0fe34981c3

SHA1
cff61eb4121208e3fc90e0ae7cc605fc44e65ab9

SHA256
bde1d8daaa1cb82ecab9742c4e06ae955070fb10be6689f5f177efe3496d32e3

SHA512
bdc49a8fd3318658de368d640198e91a07dac3365fd1a6eff2265b1d909fb5a32d398b4fa94a6d8dd04876980b138217f15a579d1b47df0820f58ee4db295d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
67dd510c04deca4a2f9073df392119cd

SHA1
4167d9f7e9c61c4684c58a01aab1a2d7dd8c5418

SHA256
057a9df58f855a0c52a70d3983bacd4d69e60010daf03c6b731dc96d025fa07f

SHA512
913a1d15c2dd4154ac52f2fe43ee6010bdbaa0cd9a409262ce8281d152159b463eeb186a3467653a38c3cea74d3e2f194886abe19e1bff45534f90c6b83b7eb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
87964730a6c588834b21a4316e7569c7

SHA1
6ea2091c9367e3bbbad5705aea44c87469ff105f

SHA256
5d5863ecf6107ff149c3d5107b68cbef3277ce449f89af5ba1f6d8a35121e3be

SHA512
0a4c37e03356b2ecd5ae18985d81198fd81e313a4571c21272dda455a48d1cd292dbb006779ef4b3eb586eb3a3cd123c316c167c5d911599ca95f3805ccd6a55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
249dfbe4f1da9b40b44a2aa91945f8ae

SHA1
ca742cb8c302401fcd4ab17a253f609352aee5f4

SHA256
739b82931143136d774a4dfdce9fe629ff41b300b4bacebc6f29742fafad3275

SHA512
1f9d6ee5283434f32451675d42a35ae9ad0d684710b549d5edf6b3b77b38046467bfedebd6e31ed87e2e6c6b142c87412acf029b5804063380d5708a40b340bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
bca7c50677fa468f13ad7b807d8b4bbd

SHA1
0e8ad81bfaf1ad07f351f7fdee3194c6e4d54adc

SHA256
f173e317abdbdd81805966c92c4fcd410a694e0c82524e48ce7c4e67cd761662

SHA512
e2dc44359fe5d13953e651a0de771202066e1302f38f611e93737883a58d66e5908f682ac1e1118816090fe90e9155aa190b7f6da531c8ed88a316124b3a05f4

Download Submit
C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\5.exe
MD5
e1edad05494a14cefa05fa28c3611a6e

SHA1
718fe9cf4e4a7272ffa0583c0851e3134d6f1547

SHA256
00b09aba4c90b634ce887da826fc74284f171698c203dcfd7da3e8b529ac6db1

SHA512
7230dd424bb0e28f436239ab45a7bb93867e9ec8533b3fdd780b430762a0f5f6e8bc514841f09e49be608334f77c8d11b1ae884f032df2c05aca5739cfdacca5

Download Submit
C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin.exe
MD5
2ba02a23e7b421bb51d9c47665ed540b

SHA1
f5e6d401c61760fe7f6edad47a0517fb85d9cdeb

SHA256
53430b4106efc011a26b50b14b9cead42607cb1de2a6a7ef7bbb04b960baea92

SHA512
16c9c254b8f78212f949d78c5e4679dcc9d365ad3188ffa0d12d6ad7f6f3e41b7db229075c99f31e35b58f7e6764f9177f9d1c4bf3bc5827503a8a793b54ade2

Download Submit
C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\83c41cba-d24d-471e-b6cc-00aaeb1f6ad7\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\9f3b8d01-d58f-4cc1-bfd3-98be6d298b6e\34DC.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1H53B9F7.cookie
MD5
2778f62ff759be522dfb2dc139bc1273

SHA1
b04ba22ceefac56cab72da04ecbd8318cb95f3f3

SHA256
13dc8c5744c84036ddb09fbda5f88eef0149279c7263b1a544cf0fd1a6560427

SHA512
8c371a81c85cbcd657253cd03712bd1432f980cf5b0592d06c18762090eac1eb9c3a29d6cd0c980aca39ad6778930c2fd2e93bd3bb969bf28d78d5219e88bc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\34DC.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\34DC.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\34DC.exe
MD5
dfbf4111aaf98ca30c0cf21e99a08ff7

SHA1
8d0fc08860666b9d619dc0f82cebc467705b46f3

SHA256
a9cdf6379f7d8c42e258db15cacbd19dbb4702319f6db096f5dda7ef817ca75d

SHA512
f248195b6fdfa87d404f6f17d4d3a772d48edda5d09f9fa3e85c626e41c3a5648c2dd2b52f0c2515d7ec6e9c01931b32a5db412996dd803f52159ac97fecb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FBA.exe
MD5
4328b263719a51a40732349a08ba3bb6

SHA1
904bd397a12c124af4a24021c6a21060955c79a3

SHA256
a351c1d494a1060fc9cd1c914bb846d87318181202c4f9c06c6931a73c933522

SHA512
75a6cdea5867875cab4c8c446c950805ab643a81d5acba6e2fc459f2859f7606690a7f19b00fb4ab22ece57236bbeaaf83295901a1807eba1881c7342f298107

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FBA.exe
MD5
4328b263719a51a40732349a08ba3bb6

SHA1
904bd397a12c124af4a24021c6a21060955c79a3

SHA256
a351c1d494a1060fc9cd1c914bb846d87318181202c4f9c06c6931a73c933522

SHA512
75a6cdea5867875cab4c8c446c950805ab643a81d5acba6e2fc459f2859f7606690a7f19b00fb4ab22ece57236bbeaaf83295901a1807eba1881c7342f298107

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D77.exe
MD5
0aea4d493d5420856fc80865efba4838

SHA1
12acfd267b76fbcdc98914902d73ff7adfd15c3d

SHA256
ff7ae82d36a61a1480ca96bc4fef2831fb5bef00d733f29bdf5f053e7cc89ac5

SHA512
763fff58c3488579f0224c45a5e9d982ddf9b33d94def7671869f91f8b03e7f8b3452014f1dd4b95113e714d9db1f5a6d9f325a51cab964decb7263688796d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D77.exe
MD5
0aea4d493d5420856fc80865efba4838

SHA1
12acfd267b76fbcdc98914902d73ff7adfd15c3d

SHA256
ff7ae82d36a61a1480ca96bc4fef2831fb5bef00d733f29bdf5f053e7cc89ac5

SHA512
763fff58c3488579f0224c45a5e9d982ddf9b33d94def7671869f91f8b03e7f8b3452014f1dd4b95113e714d9db1f5a6d9f325a51cab964decb7263688796d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\5383.exe
MD5
1073896ed8714969c25798c6b30a954c

SHA1
1b1ef4654cae70cb1bc34eb270d189edb285b46a

SHA256
4aeed5485089f1b6efe2eb92328b30f04262b2f171ca41ffcadb2407e1ddadf4

SHA512
b26bec26537603e649ebc57ab51e287d5c527d8cbdeecf8c3fdb08919cae0417fc5b0cd173c33f11657f0daca6789e6b729656b44684519586a5d862a90725bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5383.exe
MD5
1073896ed8714969c25798c6b30a954c

SHA1
1b1ef4654cae70cb1bc34eb270d189edb285b46a

SHA256
4aeed5485089f1b6efe2eb92328b30f04262b2f171ca41ffcadb2407e1ddadf4

SHA512
b26bec26537603e649ebc57ab51e287d5c527d8cbdeecf8c3fdb08919cae0417fc5b0cd173c33f11657f0daca6789e6b729656b44684519586a5d862a90725bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfopyujf.exe
MD5
ba8a789df1de396ebc3dc8a30961a104

SHA1
ea1927a18b7e03f5fc77fa07df5f8d55e7de7bf4

SHA256
e383bae5d0474b7a18283fb44f7be0f518aba9db7f24e098afbc04018c79b4a4

SHA512
521d6e1975cd7853594387e53b71f9c226be59786ac5a4c391e21190a49075d349a5b6ef8d981993dc6b28a6320de07243df273df15b32c7dceb440eed762097

Download Submit
C:\Windows\SysWOW64\hwawvigy\hfopyujf.exe
MD5
ba8a789df1de396ebc3dc8a30961a104

SHA1
ea1927a18b7e03f5fc77fa07df5f8d55e7de7bf4

SHA256
e383bae5d0474b7a18283fb44f7be0f518aba9db7f24e098afbc04018c79b4a4

SHA512
521d6e1975cd7853594387e53b71f9c226be59786ac5a4c391e21190a49075d349a5b6ef8d981993dc6b28a6320de07243df273df15b32c7dceb440eed762097

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/588-70-0x0000000000000000-mapping.dmp

Download
memory/812-85-0x0000000000A70000-0x0000000000A85000-memory.dmp

Filesize
84KB

Download
memory/812-88-0x0000000000A79A6B-mapping.dmp

Download
memory/856-74-0x0000000000000000-mapping.dmp

Download
memory/1048-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1048-3-0x0000000002D00000-0x0000000002D09000-memory.dmp

Filesize
36KB

Download
memory/1048-2-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1176-84-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1176-83-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1348-62-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/1348-61-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/1432-68-0x0000000002CD0000-0x0000000002CE3000-memory.dmp

Filesize
76KB

Download
memory/1432-43-0x0000000000000000-mapping.dmp

Download
memory/1432-60-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1432-69-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1512-73-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1512-52-0x0000000000000000-mapping.dmp

Download
memory/1512-78-0x0000000002C80000-0x0000000002CEB000-memory.dmp

Filesize
428KB

Download
memory/1512-79-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1716-67-0x0000000000000000-mapping.dmp

Download
memory/1728-77-0x0000000000000000-mapping.dmp

Download
memory/1800-38-0x0000000000000000-mapping.dmp

Download
memory/1800-51-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1800-58-0x0000000000920000-0x00000000009B5000-memory.dmp

Filesize
596KB

Download
memory/1800-59-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1932-28-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1932-25-0x0000000000000000-mapping.dmp

Download
memory/2016-91-0x0000000000000000-mapping.dmp

Download
memory/2124-20-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2124-15-0x0000000000000000-mapping.dmp

Download
memory/2184-87-0x0000000000000000-mapping.dmp

Download
memory/2768-10-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/2768-7-0x0000000000000000-mapping.dmp

Download
memory/2768-11-0x0000000001E60000-0x0000000001F7A000-memory.dmp

Filesize
1.1MB

Download
memory/2768-12-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2824-75-0x0000000000000000-mapping.dmp

Download
memory/2984-13-0x0000000000000000-mapping.dmp

Download
memory/3012-6-0x0000000000C30000-0x0000000000C46000-memory.dmp

Filesize
88KB

Download
memory/3336-81-0x0000000000000000-mapping.dmp

Download
memory/3340-35-0x0000000000000000-mapping.dmp

Download
memory/3340-47-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3340-49-0x00000000008D0000-0x0000000000906000-memory.dmp

Filesize
216KB

Download
memory/3340-50-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3588-76-0x0000000000000000-mapping.dmp

Download
memory/3820-41-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/3820-42-0x0000000002380000-0x0000000002414000-memory.dmp

Filesize
592KB

Download
memory/3820-17-0x0000000000000000-mapping.dmp

Download
memory/3820-44-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3892-82-0x0000000000000000-mapping.dmp

Download
memory/3972-72-0x0000000000000000-mapping.dmp

Download
memory/3976-32-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/3976-29-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads