smokeloader | 3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd

Analysis

max time kernel
301s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
22-03-2022 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe
Size

2.6MB
MD5

c4cadec9357bec022e6ce6a11f67289c
SHA1

5d4f5f80e946724aadedbd1ea833d5e582e98bd8
SHA256

3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd
SHA512

9d113f7681e4304fc30a312aae75f9958a6f0aedba0e5d2830897ecf67fba1c4542fdd9b7b249ea07abe960776526297f356b68e9f8676ce91b33b8f4fc54fb0

Score

10^/10

smokeloader vidar 933 aspackv2 backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

39.7

Botnet

933

https://shpak125.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4448 5096 rUNdlL32.eXe
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	5096	rUNdlL32.eXe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3196-194-0x00000000048B0000-0x000000000494D000-memory.dmp	family_vidar
behavioral2/memory/3196-198-0x0000000000400000-0x0000000002BD7000-memory.dmp	family_vidar

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\setup_install.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libstdc++-6.dll	aspack_v212_v242

Executes dropped EXE 9 IoCs

Processes:

setup_install.exesonia_4.exesonia_6.exesonia_5.exesonia_1.exesonia_2.exesonia_7.exesonia_3.exesonia_1.exe

pid	process
872	setup_install.exe
2820	sonia_4.exe
4140	sonia_6.exe
5104	sonia_5.exe
3640	sonia_1.exe
3644	sonia_2.exe
4576	sonia_7.exe
3196	sonia_3.exe
1216	sonia_1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exesonia_1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sonia_1.exe

Loads dropped DLL 8 IoCs

Processes:

setup_install.exesonia_2.exerundll32.exe

pid	process
872	setup_install.exe
872	setup_install.exe
872	setup_install.exe
872	setup_install.exe
872	setup_install.exe
872	setup_install.exe
3644	sonia_2.exe
976	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ipinfo.io
23 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4676 872 WerFault.exe setup_install.exe
1548 976 WerFault.exe rundll32.exe

flow	ioc
22	ipinfo.io
23	ipinfo.io

pid	pid_target	process	target process
4676	872	WerFault.exe	setup_install.exe
1548	976	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sonia_2.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sonia_3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sonia_3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sonia_3.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sonia_3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sonia_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sonia_2.exe

pid	process
3644	sonia_2.exe
3644	sonia_2.exe
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2772
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sonia_2.exe

pid process

3644 sonia_2.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

sonia_4.exesonia_5.exe

description	pid	process
Token: SeDebugPrivilege	2820	sonia_4.exe
Token: SeDebugPrivilege	5104	sonia_5.exe
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772
Token: SeShutdownPrivilege	2772
Token: SeCreatePagefilePrivilege	2772

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pid	process
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

pid process

2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772
2772

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exesonia_1.exerUNdlL32.eXe

description	pid	process	target process
PID 4896 wrote to memory of 872	4896	3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe	setup_install.exe
PID 4896 wrote to memory of 872	4896	3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe	setup_install.exe
PID 4896 wrote to memory of 872	4896	3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe	setup_install.exe
PID 872 wrote to memory of 1952	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 1952	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 1952	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 1720	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 1720	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 1720	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 2744	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 2744	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 2744	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 1948	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 1948	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 1948	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 3868	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 3868	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 3868	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 2244	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 2244	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 2244	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 2128	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 2128	872	setup_install.exe	cmd.exe
PID 872 wrote to memory of 2128	872	setup_install.exe	cmd.exe
PID 1948 wrote to memory of 2820	1948	cmd.exe	sonia_4.exe
PID 1948 wrote to memory of 2820	1948	cmd.exe	sonia_4.exe
PID 2244 wrote to memory of 4140	2244	cmd.exe	sonia_6.exe
PID 2244 wrote to memory of 4140	2244	cmd.exe	sonia_6.exe
PID 2244 wrote to memory of 4140	2244	cmd.exe	sonia_6.exe
PID 3868 wrote to memory of 5104	3868	cmd.exe	sonia_5.exe
PID 3868 wrote to memory of 5104	3868	cmd.exe	sonia_5.exe
PID 1952 wrote to memory of 3640	1952	cmd.exe	sonia_1.exe
PID 1952 wrote to memory of 3640	1952	cmd.exe	sonia_1.exe
PID 1952 wrote to memory of 3640	1952	cmd.exe	sonia_1.exe
PID 1720 wrote to memory of 3644	1720	cmd.exe	sonia_2.exe
PID 1720 wrote to memory of 3644	1720	cmd.exe	sonia_2.exe
PID 1720 wrote to memory of 3644	1720	cmd.exe	sonia_2.exe
PID 2128 wrote to memory of 4576	2128	cmd.exe	sonia_7.exe
PID 2128 wrote to memory of 4576	2128	cmd.exe	sonia_7.exe
PID 2744 wrote to memory of 3196	2744	cmd.exe	sonia_3.exe
PID 2744 wrote to memory of 3196	2744	cmd.exe	sonia_3.exe
PID 2744 wrote to memory of 3196	2744	cmd.exe	sonia_3.exe
PID 3640 wrote to memory of 1216	3640	sonia_1.exe	sonia_1.exe
PID 3640 wrote to memory of 1216	3640	sonia_1.exe	sonia_1.exe
PID 3640 wrote to memory of 1216	3640	sonia_1.exe	sonia_1.exe
PID 4448 wrote to memory of 976	4448	rUNdlL32.eXe	rundll32.exe
PID 4448 wrote to memory of 976	4448	rUNdlL32.eXe	rundll32.exe
PID 4448 wrote to memory of 976	4448	rUNdlL32.eXe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe
"C:\Users\Admin\AppData\Local\Temp\3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_7.exe
sonia_7.exe
4⤵
- Executes dropped EXE
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_6.exe
sonia_6.exe
4⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_5.exe
sonia_5.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_3.exe
sonia_3.exe
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_2.exe
sonia_2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sonia_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 516
3⤵
- Program crash
PID:4676

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_4.exe
sonia_4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 872 -ip 872
1⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_1.exe
sonia_1.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_1.exe" -a
2⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 608
3⤵
- Program crash
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 976 -ip 976
1⤵
PID:1184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2328 -ip 2328
1⤵
PID:3900

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4004

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4808

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:668

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1020 -ip 1020
1⤵
PID:4968

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\setup_install.exe
MD5
94d61acb8ead3c63fc62f515d74662c4

SHA1
811d474b2a1b972b8ac541f09ad3ec85940e9aa5

SHA256
2f31c41a424af2fe01e305b6b855f8a199984c9adef2a2c6a64c0c20967cd737

SHA512
565ef8bb3d00e19f516ff475ede2aa241bbfd2ad16e8b9808c3c16115b3be5b990ba05dfcc9b408bd321158dd998d3477a2eafb469db4b427d43dd641f22a0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\setup_install.exe
MD5
94d61acb8ead3c63fc62f515d74662c4

SHA1
811d474b2a1b972b8ac541f09ad3ec85940e9aa5

SHA256
2f31c41a424af2fe01e305b6b855f8a199984c9adef2a2c6a64c0c20967cd737

SHA512
565ef8bb3d00e19f516ff475ede2aa241bbfd2ad16e8b9808c3c16115b3be5b990ba05dfcc9b408bd321158dd998d3477a2eafb469db4b427d43dd641f22a0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_1.exe
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_1.txt
MD5
6e43430011784cff369ea5a5ae4b000f

SHA1
5999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f

SHA256
a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a

SHA512
33ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_2.exe
MD5
b2b7684fe17010de2b87a9beb343a4bb

SHA1
2f853ff88a70fec2992bd34c3b2eb2d007c19216

SHA256
7d0941dee259d46765d2af9ed98fc659c7674ed5da34179eeda2510095b716e6

SHA512
ecaef2573aab553ac15479172bae9f67d93e8240a6dd351fa7929550d03fe5eadbab4c18138b4dfc7e3a20674f69cf50900b1fa5d2063a976bcb0e3c760fb7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_2.txt
MD5
b2b7684fe17010de2b87a9beb343a4bb

SHA1
2f853ff88a70fec2992bd34c3b2eb2d007c19216

SHA256
7d0941dee259d46765d2af9ed98fc659c7674ed5da34179eeda2510095b716e6

SHA512
ecaef2573aab553ac15479172bae9f67d93e8240a6dd351fa7929550d03fe5eadbab4c18138b4dfc7e3a20674f69cf50900b1fa5d2063a976bcb0e3c760fb7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_3.exe
MD5
c001ecb614250e5553c56e5193902d6c

SHA1
ffaa0d202dbd377c64ecd3a63805b25e30ab473e

SHA256
6d1edf242a134b1813e7a075c5c9ccfc903fc789f80ca04db8e32b64e5662354

SHA512
ac3875cc36601907ec5edd69a6207ffd9821f7f9105a36bdfc1187d94b367f101ddb7c9b1e656613f4981b2dc1aba22af21bcad5acc6bab013a21071265bb914

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_3.txt
MD5
c001ecb614250e5553c56e5193902d6c

SHA1
ffaa0d202dbd377c64ecd3a63805b25e30ab473e

SHA256
6d1edf242a134b1813e7a075c5c9ccfc903fc789f80ca04db8e32b64e5662354

SHA512
ac3875cc36601907ec5edd69a6207ffd9821f7f9105a36bdfc1187d94b367f101ddb7c9b1e656613f4981b2dc1aba22af21bcad5acc6bab013a21071265bb914

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_4.exe
MD5
aa76e329fd4fc560c0f8f6b2f224d3da

SHA1
bbbd3c4843bed7d90d7d3c5ce62c6e47639f8a14

SHA256
dd5ac4469562c4d32e10983c14285e3c33849267cbf4c198d0427b21c56c49b2

SHA512
d79753c703dc0bc34c56e1d9afcf47c5bbaad37527339b95c7e9d7f7ab17ee67320f254575049b622bc4a8ef572d526b13f01a8a707d4c57da3599c548c83934

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_4.txt
MD5
aa76e329fd4fc560c0f8f6b2f224d3da

SHA1
bbbd3c4843bed7d90d7d3c5ce62c6e47639f8a14

SHA256
dd5ac4469562c4d32e10983c14285e3c33849267cbf4c198d0427b21c56c49b2

SHA512
d79753c703dc0bc34c56e1d9afcf47c5bbaad37527339b95c7e9d7f7ab17ee67320f254575049b622bc4a8ef572d526b13f01a8a707d4c57da3599c548c83934

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_5.exe
MD5
1cc35bf07b551ce45921ae41602ec87d

SHA1
5eca79da173ad9912d669d85133561501976c12c

SHA256
1371046b187faec8708e3732fc760515a7b96236c62094598340b1dc6331ac05

SHA512
852134d0f6e4bbb2930225655068a468d49c7b980f604ef31ce308abc4534c3fed4086adf93e8df9287de6ec9f3734c7468ef5c6f436f08cc7112a30e816afc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_5.txt
MD5
1cc35bf07b551ce45921ae41602ec87d

SHA1
5eca79da173ad9912d669d85133561501976c12c

SHA256
1371046b187faec8708e3732fc760515a7b96236c62094598340b1dc6331ac05

SHA512
852134d0f6e4bbb2930225655068a468d49c7b980f604ef31ce308abc4534c3fed4086adf93e8df9287de6ec9f3734c7468ef5c6f436f08cc7112a30e816afc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_6.exe
MD5
e44b6cb9e7111de178fbabf3ac1cba76

SHA1
b15d8d52864a548c42a331a574828824a65763ff

SHA256
c74894fe98864ade516c9e54f2258a23ed451feadfa2de53a7c626385b549b22

SHA512
24129e1de024d61bcc23654450f416307be3e7911de2baced47476e02cd7df737ce012f379eb0ea5d84367113619f53d6a80971ccc652a569d6b494150bbb6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_6.txt
MD5
e44b6cb9e7111de178fbabf3ac1cba76

SHA1
b15d8d52864a548c42a331a574828824a65763ff

SHA256
c74894fe98864ade516c9e54f2258a23ed451feadfa2de53a7c626385b549b22

SHA512
24129e1de024d61bcc23654450f416307be3e7911de2baced47476e02cd7df737ce012f379eb0ea5d84367113619f53d6a80971ccc652a569d6b494150bbb6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_7.exe
MD5
0bc56e17cb974ddd06782939dcee2606

SHA1
459f61b929c5925327eaa8495bf401cac9e2814f

SHA256
76ef9d99c7e37d132f6803ec46f8e2663b1cc282a5d2022946f1598965673fa1

SHA512
d260597ac09d2e6109fdbf7e5ca5817b73f3ed690529da067d2dbcde8d35959018837beb3ea7183f6f4ce52b911996d07f0b9712274021cc20bfbcc2c5e7fc1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_7.txt
MD5
0bc56e17cb974ddd06782939dcee2606

SHA1
459f61b929c5925327eaa8495bf401cac9e2814f

SHA256
76ef9d99c7e37d132f6803ec46f8e2663b1cc282a5d2022946f1598965673fa1

SHA512
d260597ac09d2e6109fdbf7e5ca5817b73f3ed690529da067d2dbcde8d35959018837beb3ea7183f6f4ce52b911996d07f0b9712274021cc20bfbcc2c5e7fc1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
99ab358c6f267b09d7a596548654a6ba

SHA1
d5a643074b69be2281a168983e3f6bef7322f676

SHA256
586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380

SHA512
952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
memory/872-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/872-156-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-190-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/872-160-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/872-158-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-157-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-189-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-155-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/872-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-188-0x0000000000F20000-0x0000000000FAF000-memory.dmp

Filesize
572KB

Download
memory/872-187-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/872-186-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/872-159-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-154-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/872-185-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2772-199-0x0000000002A80000-0x0000000002A95000-memory.dmp

Filesize
84KB

Download
memory/2820-170-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/2820-193-0x000000001B520000-0x000000001B522000-memory.dmp

Filesize
8KB

Download
memory/2820-191-0x00007FFFED010000-0x00007FFFEDAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-194-0x00000000048B0000-0x000000000494D000-memory.dmp

Filesize
628KB

Download
memory/3196-192-0x0000000002EFD000-0x0000000002F61000-memory.dmp

Filesize
400KB

Download
memory/3196-198-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/3196-178-0x0000000002EFD000-0x0000000002F61000-memory.dmp

Filesize
400KB

Download
memory/3644-174-0x0000000002E2D000-0x0000000002E36000-memory.dmp

Filesize
36KB

Download
memory/3644-195-0x0000000002E2D000-0x0000000002E36000-memory.dmp

Filesize
36KB

Download
memory/3644-196-0x0000000002C80000-0x0000000002C89000-memory.dmp

Filesize
36KB

Download
memory/3644-197-0x0000000000400000-0x0000000002B7B000-memory.dmp

Filesize
39.5MB

Download
memory/5104-176-0x0000000000870000-0x00000000008AE000-memory.dmp

Filesize
248KB

Download
memory/5104-180-0x00007FFFED010000-0x00007FFFEDAD1000-memory.dmp

Filesize
10.8MB

Download