Analysis
max time kernel: 152s
max time network: 158s
platform: windows10_x64
resource: win10v20210408
submitted: 14-08-2021 06:33

Static task: static1
Behavioral task: behavioral1
  Sample: 27f8a512e8c010f338893076c00bb848.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 27f8a512e8c010f338893076c00bb848.exe
  Resource: win10v20210408
General
Target: 27f8a512e8c010f338893076c00bb848.exe
Size: 179KB
MD5: 27f8a512e8c010f338893076c00bb848
SHA1: bb8bc6f7f277ebdae7e84895c621b15a1876eee5
SHA256: 6af4561fbac47bfe47db9d90beda964637aab451521caea9a2e60e1806d96c48
SHA512: d8001e276d22126cacce510bac8676e9275cd408e904ece1ad153ad42def20adf032caf55637189a005c8f5b981671e5b7f36afbe1917129eb06e6cededee6ff
Malware Config

Extracted: smokeloader
  2020
Extracted: raccoon
  cd8dc1031358b1aec55cc6bc447df1018b068607
  url4cnc: https://telete.in/jagressor_kz

Extracted: redline
  MIX#13.08
  qusshedrni.xyz:80

Extracted: vidar
  40
  936
  https://lenak513.tumblr.com/
  profile_id: 936
Signatures

Raccoon Stealer Payload (1 IoC)
  resource: behavioral2/memory/572-145-0x0000000000400000-0x0000000002D01000-memory.dmp
  yara_rule: family_raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  resource: behavioral2/memory/3256-142-0x0000000004A50000-0x0000000004A6C000-memory.dmp
  yara_rule: family_redline
  resource: behavioral2/memory/3256-148-0x0000000004AF0000-0x0000000004B0A000-memory.dmp
  yara_rule: family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  PID 3544 (WerFault.exe) created 572 (590.exe)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Vidar Stealer (3 IoCs)
  resource: behavioral2/memory/4188-202-0x0000000000400000-0x00000000004A1000-memory.dmp
  yara_rule: family_vidar
  resource: behavioral2/memory/4188-203-0x000000000046B77D-mapping.dmp
  yara_rule: family_vidar
  resource: behavioral2/memory/4188-205-0x0000000000400000-0x00000000004A1000-memory.dmp
  yara_rule: family_vidar
Downloads MZ/PE file

Executes dropped EXE (8 IoCs)
  pid   process
  2284  4F2.exe
  572   590.exe
  3256  794.exe
  828   90C.exe
  3928  A65.exe
  3868  hhhhhhhhhhh.exe
  1620  winappmgr.exe
  4188  4F2.exe
Modifies Windows Firewall (1 TTP)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  hhhhhhhhhhh.exe: Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation

Deletes itself (1 IoC)
  pid 3008

Loads dropped DLL (2 IoCs)
  pid   process
  4188  4F2.exe
  4188  4F2.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  hhhhhhhhhhh.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Application Manager = "C:\\Users\\Admin\\Windows Application Manager\\winappmgr.exe"

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (2 IoCs)
  PID 1456 (27f8a512e8c010f338893076c00bb848.exe) set thread context of 3164 (27f8a512e8c010f338893076c00bb848.exe)
  PID 2284 (4F2.exe) set thread context of 4188 (4F2.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (5 IoCs)
  pid   pid_target  process       target process
  504   572         WerFault.exe  590.exe
  2112  572         WerFault.exe  590.exe
  3940  572         WerFault.exe  590.exe
  1872  572         WerFault.exe  590.exe
  3544  572         WerFault.exe  590.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  27f8a512e8c010f338893076c00bb848.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  27f8a512e8c010f338893076c00bb848.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  27f8a512e8c010f338893076c00bb848.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  4F2.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  4F2.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Delays execution with timeout.exe (1 IoC)
  pid 4396  timeout.exe

Kills process with taskkill (1 IoC)
  pid 4348  taskkill.exe

Modifies registry class (3 IoCs)
  hhhhhhhhhhh.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
  hhhhhhhhhhh.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  hhhhhhhhhhh.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Modifies system certificate store
  4F2.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  4F2.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <blob omitted>
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   process
  1620  winappmgr.exe
  1620  winappmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 27f8a512e8c010f338893076c00bb848.exe (pid 3164), pid 3008
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3008
Suspicious behavior: MapViewOfSection (19 IoCs)
  Processes: 27f8a512e8c010f338893076c00bb848.exe (pid 3164), pid 3008
Suspicious use of AdjustPrivilegeToken (53 IoCs)
  Processes: WerFault.exe, 794.exe, taskkill.exe, pid 3008
Suspicious use of UnmapMainImage (1 IoC)
  pid 3008
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 27f8a512e8c010f338893076c00bb848.exe, 90C.exe, hhhhhhhhhhh.exe, winappmgr.exe, cmd.exe, pid 3008
Processes

[1] C:\Users\Admin\AppData\Local\Temp\27f8a512e8c010f338893076c00bb848.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\27f8a512e8c010f338893076c00bb848.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\27f8a512e8c010f338893076c00bb848.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\27f8a512e8c010f338893076c00bb848.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\4F2.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\4F2.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    [2] C:\Users\Admin\AppData\Local\Temp\4F2.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\4F2.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Modifies system certificate store
        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im 4F2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4F2.exe" & del C:\ProgramData\*.dll & exit
            [4] C:\Windows\SysWOW64\taskkill.exe
                cmdline: taskkill /im 4F2.exe /f
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\timeout.exe
                cmdline: timeout /t 6
                - Delays execution with timeout.exe

[1] C:\Users\Admin\AppData\Local\Temp\590.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\590.exe
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 736
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 748
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 848
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 884
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 828
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\794.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\794.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\90C.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\90C.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\Windows Application Manager\winappmgr.exe
            cmdline: "C:\Users\Admin\Windows Application Manager\winappmgr.exe"
            - Executes dropped EXE
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\admin\windows application manager\winappmgr.exe" || netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\admin\windows application manager\winappmgr.exe" program="C:\Users\Admin\Windows Application Manager\winappmgr.exe"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\netsh.exe
                    cmdline: netsh advfirewall firewall show rule name="c:\users\admin\windows application manager\winappmgr.exe"
                [5] C:\Windows\SysWOW64\netsh.exe
                    cmdline: netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\admin\windows application manager\winappmgr.exe" program="C:\Users\Admin\Windows Application Manager\winappmgr.exe"

[1] C:\Users\Admin\AppData\Local\Temp\A65.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\A65.exe
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
[1] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
Downloads
- C:\ProgramData\freebl3.dll
- C:\ProgramData\mozglue.dll
- C:\ProgramData\msvcp140.dll
- C:\ProgramData\nss3.dll
- C:\ProgramData\softokn3.dll
- C:\ProgramData\vcruntime140.dll
- C:\Users\Admin\AppData\Local\Temp\4F2.exe
- C:\Users\Admin\AppData\Local\Temp\590.exe
- C:\Users\Admin\AppData\Local\Temp\794.exe
- C:\Users\Admin\AppData\Local\Temp\90C.exe
- C:\Users\Admin\AppData\Local\Temp\A65.exe
- C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
- C:\Users\Admin\Windows Application Manager\winappmgr.exe
- \ProgramData\mozglue.dll
- \ProgramData\nss3.dll