smokeloader | 3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd

Analysis

max time kernel
301s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
22-03-2022 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe
Size

2.6MB
MD5

c4cadec9357bec022e6ce6a11f67289c
SHA1

5d4f5f80e946724aadedbd1ea833d5e582e98bd8
SHA256

3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd
SHA512

9d113f7681e4304fc30a312aae75f9958a6f0aedba0e5d2830897ecf67fba1c4542fdd9b7b249ea07abe960776526297f356b68e9f8676ce91b33b8f4fc54fb0

Score

10^/10

smokeloader vidar 933 aspackv2 backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

39.7

Botnet

933

https://shpak125.tumblr.com/

Attributes

profile_id
933

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	5096	rUNdlL32.eXe	104

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/3196-194-0x00000000048B0000-0x000000000494D000-memory.dmp	family_vidar
behavioral2/memory/3196-198-0x0000000000400000-0x0000000002BD7000-memory.dmp	family_vidar

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000020633-134.dat	aspack_v212_v242
behavioral2/files/0x0003000000020633-135.dat	aspack_v212_v242
behavioral2/files/0x0003000000020629-136.dat	aspack_v212_v242
behavioral2/files/0x000300000002061f-137.dat	aspack_v212_v242
behavioral2/files/0x000300000002061f-145.dat	aspack_v212_v242
behavioral2/files/0x000300000002061f-144.dat	aspack_v212_v242
behavioral2/files/0x0003000000020629-139.dat	aspack_v212_v242
behavioral2/files/0x000300000002062b-143.dat	aspack_v212_v242
behavioral2/files/0x000300000002062b-146.dat	aspack_v212_v242

Executes dropped EXE 9 IoCs

pid	Process
872	setup_install.exe
2820	sonia_4.exe
4140	sonia_6.exe
5104	sonia_5.exe
3640	sonia_1.exe
3644	sonia_2.exe
4576	sonia_7.exe
3196	sonia_3.exe
1216	sonia_1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	sonia_1.exe

Loads dropped DLL 8 IoCs

pid	Process
872	setup_install.exe
872	setup_install.exe
872	setup_install.exe
872	setup_install.exe
872	setup_install.exe
872	setup_install.exe
3644	sonia_2.exe
976	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ipinfo.io
23	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4676	872	WerFault.exe	82
1548	976	WerFault.exe	106

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sonia_3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sonia_3.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sonia_3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sonia_3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	sonia_2.exe
3644	sonia_2.exe
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3644	sonia_2.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	sonia_4.exe
Token: SeDebugPrivilege	5104	sonia_5.exe
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found
Token: SeShutdownPrivilege	2772	Process not Found
Token: SeCreatePagefilePrivilege	2772	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found
2772	Process not Found

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 872	4896	3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe	82
PID 4896 wrote to memory of 872	4896	3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe	82
PID 4896 wrote to memory of 872	4896	3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe	82
PID 872 wrote to memory of 1952	872	setup_install.exe	100
PID 872 wrote to memory of 1952	872	setup_install.exe	100
PID 872 wrote to memory of 1952	872	setup_install.exe	100
PID 872 wrote to memory of 1720	872	setup_install.exe	92
PID 872 wrote to memory of 1720	872	setup_install.exe	92
PID 872 wrote to memory of 1720	872	setup_install.exe	92
PID 872 wrote to memory of 2744	872	setup_install.exe	90
PID 872 wrote to memory of 2744	872	setup_install.exe	90
PID 872 wrote to memory of 2744	872	setup_install.exe	90
PID 872 wrote to memory of 1948	872	setup_install.exe	89
PID 872 wrote to memory of 1948	872	setup_install.exe	89
PID 872 wrote to memory of 1948	872	setup_install.exe	89
PID 872 wrote to memory of 3868	872	setup_install.exe	87
PID 872 wrote to memory of 3868	872	setup_install.exe	87
PID 872 wrote to memory of 3868	872	setup_install.exe	87
PID 872 wrote to memory of 2244	872	setup_install.exe	86
PID 872 wrote to memory of 2244	872	setup_install.exe	86
PID 872 wrote to memory of 2244	872	setup_install.exe	86
PID 872 wrote to memory of 2128	872	setup_install.exe	85
PID 872 wrote to memory of 2128	872	setup_install.exe	85
PID 872 wrote to memory of 2128	872	setup_install.exe	85
PID 1948 wrote to memory of 2820	1948	cmd.exe	88
PID 1948 wrote to memory of 2820	1948	cmd.exe	88
PID 2244 wrote to memory of 4140	2244	cmd.exe	91
PID 2244 wrote to memory of 4140	2244	cmd.exe	91
PID 2244 wrote to memory of 4140	2244	cmd.exe	91
PID 3868 wrote to memory of 5104	3868	cmd.exe	99
PID 3868 wrote to memory of 5104	3868	cmd.exe	99
PID 1952 wrote to memory of 3640	1952	cmd.exe	98
PID 1952 wrote to memory of 3640	1952	cmd.exe	98
PID 1952 wrote to memory of 3640	1952	cmd.exe	98
PID 1720 wrote to memory of 3644	1720	cmd.exe	94
PID 1720 wrote to memory of 3644	1720	cmd.exe	94
PID 1720 wrote to memory of 3644	1720	cmd.exe	94
PID 2128 wrote to memory of 4576	2128	cmd.exe	95
PID 2128 wrote to memory of 4576	2128	cmd.exe	95
PID 2744 wrote to memory of 3196	2744	cmd.exe	97
PID 2744 wrote to memory of 3196	2744	cmd.exe	97
PID 2744 wrote to memory of 3196	2744	cmd.exe	97
PID 3640 wrote to memory of 1216	3640	sonia_1.exe	101
PID 3640 wrote to memory of 1216	3640	sonia_1.exe	101
PID 3640 wrote to memory of 1216	3640	sonia_1.exe	101
PID 4448 wrote to memory of 976	4448	rUNdlL32.eXe	106
PID 4448 wrote to memory of 976	4448	rUNdlL32.eXe	106
PID 4448 wrote to memory of 976	4448	rUNdlL32.eXe	106

C:\Users\Admin\AppData\Local\Temp\3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe
"C:\Users\Admin\AppData\Local\Temp\3c362636f19b4626866ca745bb197ebcc4f2fab1f2bec6b7f208c0748dc39dcd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_7.exe
      sonia_7.exe
      4⤵
      Executes dropped EXE
      PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_6.exe
      sonia_6.exe
      4⤵
      Executes dropped EXE
      PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_5.exe
      sonia_5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_3.exe
      sonia_3.exe
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Modifies system certificate store
      PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_2.exe
      sonia_2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 516
    3⤵
    - Program crash
    PID:4676

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_4.exe
sonia_4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 872 -ip 872
1⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_1.exe
sonia_1.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_1.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS023ED12D\sonia_1.exe" -a
  2⤵
  - Executes dropped EXE
  PID:1216

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 608
    3⤵
    - Program crash
    PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 976 -ip 976
1⤵
PID:1184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 2328 -ip 2328
1⤵
PID:3900

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4004

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4808

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:668

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1020 -ip 1020
1⤵
PID:4968

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-149-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/872-156-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-190-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/872-160-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/872-158-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-157-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-189-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-155-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-147-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/872-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-152-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/872-188-0x0000000000F20000-0x0000000000FAF000-memory.dmp

Filesize
572KB

Download
memory/872-187-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/872-186-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/872-159-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/872-154-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/872-185-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2772-199-0x0000000002A80000-0x0000000002A95000-memory.dmp

Filesize
84KB

Download
memory/2820-170-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/2820-193-0x000000001B520000-0x000000001B522000-memory.dmp

Filesize
8KB

Download
memory/2820-191-0x00007FFFED010000-0x00007FFFEDAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-194-0x00000000048B0000-0x000000000494D000-memory.dmp

Filesize
628KB

Download
memory/3196-192-0x0000000002EFD000-0x0000000002F61000-memory.dmp

Filesize
400KB

Download
memory/3196-198-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/3196-178-0x0000000002EFD000-0x0000000002F61000-memory.dmp

Filesize
400KB

Download
memory/3644-174-0x0000000002E2D000-0x0000000002E36000-memory.dmp

Filesize
36KB

Download
memory/3644-195-0x0000000002E2D000-0x0000000002E36000-memory.dmp

Filesize
36KB

Download
memory/3644-196-0x0000000002C80000-0x0000000002C89000-memory.dmp

Filesize
36KB

Download
memory/3644-197-0x0000000000400000-0x0000000002B7B000-memory.dmp

Filesize
39.5MB

Download
memory/5104-176-0x0000000000870000-0x00000000008AE000-memory.dmp

Filesize
248KB

Download
memory/5104-180-0x00007FFFED010000-0x00007FFFEDAD1000-memory.dmp

Filesize
10.8MB

Download