Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 04-04-2022 03:10
Static task: static1
Behavioral task: behavioral1
- Sample: 3087_1647879063_1352.exe
- Resource: win7-20220331-en
Behavioral task: behavioral2
- Sample: 3087_1647879063_1352.exe
- Resource: win10v2004-en-20220113
General
- Target: 3087_1647879063_1352.exe
- Size: 296KB
- MD5: 71d6dbe9511b9fe051d5b5e75aefe06f
- SHA1: e47becfc1f6d724722ba7caf9f34b1dab65a76ab
- SHA256: f8856a9be46c533273581793064b4329f7ff7e686688433fc3a792957dbf1208
- SHA512: 7eae4575a1aa33708fcaed0f57ce75d1afc3fa6184f372277bfff4610a501b9b23397d68a0f3659be937f2525fc49f9cf16e25d46b2e8071af64d0d4c1be74d2
Malware Config
Extracted: smokeloader
2020
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/
http://hydroxychl0roquine.xyz/
https://hydroxychl0roquine.xyz/
Extracted: tofsee
niflheimr.cn
jotunheim.name
Extracted: vidar
51.3
865
https://t.me/hi20220328
https://indieweb.social/@samsual
- profile_id: 865
Extracted: djvu
http://fuyt.org/lancer/get.php
- extension: .gtys
- offline_id: qwVQoIsE2xLety0oNWloOilSDuIBXJGK86LM3ot1
- payload_url: http://zerit.top/dl/build2.exe
- payload_url: http://fuyt.org/files/1/build3.exe
- ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-fnn5kv33Vv Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0439JIjdm
Signatures
-
Detected Djvu ransomware 4 IoCs
Processes (resource / yara_rule):
behavioral2/memory/624-186-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/1428-190-0x0000000002240000-0x000000000235B000-memory.dmp  family_djvu
behavioral2/memory/624-188-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral2/memory/624-191-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes (resource / yara_rule):
behavioral2/memory/4080-161-0x0000000000400000-0x00000000004F2000-memory.dmp  family_vidar
behavioral2/memory/4080-162-0x0000000002070000-0x000000000211C000-memory.dmp  family_vidar
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
Processes (pid / process):
2984  C476.exe
4080  D80F.exe
2592  nhpnmaw.exe
1428  E8AA.exe
2940  FA7D.exe
624   E8AA.exe
2236  1048.exe
3736  61A6.exe
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  FA7D.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  FA7D.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  C476.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  D80F.exe
-
Loads dropped DLL 2 IoCs
Processes (pid / process):
4080  D80F.exe
4080  D80F.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes (description / ioc / process):
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  FA7D.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes (pid / process):
2940  FA7D.exe
2940  FA7D.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
PID 2592 set thread context of 3468  2592  nhpnmaw.exe  svchost.exe
PID 1428 set thread context of 624   1428  E8AA.exe     E8AA.exe
PID 3736 set thread context of 3676  3736  61A6.exe     RegAsm.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
Processes (pid / pid_target / process / target process):
1688  2984  WerFault.exe  C476.exe
2004  2592  WerFault.exe  nhpnmaw.exe
1844  624   WerFault.exe  E8AA.exe
1140  372   WerFault.exe  explorer.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3087_1647879063_1352.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  FA7D.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  FA7D.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  FA7D.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3087_1647879063_1352.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3087_1647879063_1352.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  D80F.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  D80F.exe
-
Delays execution with timeout.exe 1 IoCs
Processes (pid / process):
3260  timeout.exe
-
Kills process with taskkill 1 IoCs
Processes (pid / process):
1736  taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process):
212  3087_1647879063_1352.exe
212  3087_1647879063_1352.exe
896  (process name not recorded; 62 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
896  (process name not recorded)
-
Suspicious behavior: MapViewOfSection 24 IoCs
Processes (pid / process):
212   3087_1647879063_1352.exe
2940  FA7D.exe
896   (process name not recorded; 22 entries)
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
Processes (description / pid / process), in report order; a "pair" is one SeShutdownPrivilege entry followed by one SeCreatePagefilePrivilege entry, both for pid 896 with no process name recorded:
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  896  (13 pairs)
Token: SeDebugPrivilege  1736  taskkill.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  896  (1 pair)
Token: SeDebugPrivilege  2236  1048.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  896  (5 pairs)
Token: SeDebugPrivilege  3736  61A6.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  896  (2 pairs)
Token: SeDebugPrivilege  3676  RegAsm.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  896  (4 pairs)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process / target process), in report order, with identical consecutive entries collapsed into a count:
PID 896 wrote to memory of 2984   896   (no name)     C476.exe      (x3)
PID 2984 wrote to memory of 804   2984  C476.exe      cmd.exe       (x3)
PID 896 wrote to memory of 4080   896   (no name)     D80F.exe      (x3)
PID 2984 wrote to memory of 3372  2984  C476.exe      cmd.exe       (x3)
PID 2984 wrote to memory of 2216  2984  C476.exe      sc.exe        (x3)
PID 2984 wrote to memory of 3448  2984  C476.exe      sc.exe        (x3)
PID 2984 wrote to memory of 840   2984  C476.exe      sc.exe        (x3)
PID 2984 wrote to memory of 1888  2984  C476.exe      netsh.exe     (x3)
PID 896 wrote to memory of 1428   896   (no name)     E8AA.exe      (x3)
PID 896 wrote to memory of 2940   896   (no name)     FA7D.exe      (x3)
PID 2592 wrote to memory of 3468  2592  nhpnmaw.exe   svchost.exe   (x5)
PID 1428 wrote to memory of 624   1428  E8AA.exe      E8AA.exe      (x10)
PID 896 wrote to memory of 2236   896   (no name)     1048.exe      (x3)
PID 4080 wrote to memory of 3904  4080  D80F.exe      cmd.exe       (x3)
PID 896 wrote to memory of 372    896   (no name)     explorer.exe  (x4)
PID 3904 wrote to memory of 1736  3904  cmd.exe       taskkill.exe  (x3)
PID 3904 wrote to memory of 3260  3904  cmd.exe       timeout.exe   (x3)
PID 896 wrote to memory of 3020   896   (no name)     explorer.exe  (x3)
Processes
Each entry gives the image path, then the command line, then the signatures attributed to that process. Indentation shows the parent/child depth from the process tree.
-
* C:\Users\Admin\AppData\Local\Temp\3087_1647879063_1352.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\3087_1647879063_1352.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
-
* C:\Users\Admin\AppData\Local\Temp\C476.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\C476.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  * C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wanvnfdv\
  * C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nhpnmaw.exe" C:\Windows\SysWOW64\wanvnfdv\
  * C:\Windows\SysWOW64\sc.exe
    cmd: "C:\Windows\System32\sc.exe" create wanvnfdv binPath= "C:\Windows\SysWOW64\wanvnfdv\nhpnmaw.exe /d\"C:\Users\Admin\AppData\Local\Temp\C476.exe\"" type= own start= auto DisplayName= "wifi support"
  * C:\Windows\SysWOW64\sc.exe
    cmd: "C:\Windows\System32\sc.exe" description wanvnfdv "wifi internet conection"
  * C:\Windows\SysWOW64\sc.exe
    cmd: "C:\Windows\System32\sc.exe" start wanvnfdv
  * C:\Windows\SysWOW64\netsh.exe
    cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  * C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 772
    - Program crash
-
* C:\Users\Admin\AppData\Local\Temp\D80F.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\D80F.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  * C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im D80F.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D80F.exe" & del C:\ProgramData\*.dll & exit
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\taskkill.exe
      cmd: taskkill /im D80F.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\timeout.exe
      cmd: timeout /t 6
      - Delays execution with timeout.exe
-
* C:\Windows\SysWOW64\wanvnfdv\nhpnmaw.exe
  cmd: C:\Windows\SysWOW64\wanvnfdv\nhpnmaw.exe /d"C:\Users\Admin\AppData\Local\Temp\C476.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  * C:\Windows\SysWOW64\svchost.exe
    cmd: svchost.exe
  * C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 572
    - Program crash
-
* C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2984 -ip 2984
-
* C:\Users\Admin\AppData\Local\Temp\E8AA.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\E8AA.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  * C:\Users\Admin\AppData\Local\Temp\E8AA.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\E8AA.exe
    - Executes dropped EXE
    * C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 536
      - Program crash
-
* C:\Users\Admin\AppData\Local\Temp\FA7D.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\FA7D.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
-
* C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2592 -ip 2592
-
* C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 624 -ip 624
-
* C:\Users\Admin\AppData\Local\Temp\1048.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\1048.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
* C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
  * C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 876
    - Program crash
-
* C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 372 -ip 372
-
* C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
-
* C:\Users\Admin\AppData\Local\Temp\61A6.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\61A6.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  * C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
-
* C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
-
* C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
-
* C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
-
* C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
-
* C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
-
* C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
-
* C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
-
* C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
-
* C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files (entries that the report listed more than once with identical path and hashes appear once here):
-
C:\ProgramData\freebl3.dll
- Filesize: 326KB
- MD5: ef2834ac4ee7d6724f255beaf527e635
- SHA1: 5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
- SHA256: a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
- SHA512: c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
C:\ProgramData\mozglue.dll
- Filesize: 133KB
- MD5: 8f73c08a9660691143661bf7332c3c27
- SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
- SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
- SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\msvcp140.dll
- Filesize: 429KB
- MD5: 109f0f02fd37c84bfc7508d4227d7ed5
- SHA1: ef7420141bb15ac334d3964082361a460bfdb975
- SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
- SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
C:\ProgramData\nss3.dll
- Filesize: 1.2MB
- MD5: bfac4e3c5908856ba17d41edcd455a51
- SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
- SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
- SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\softokn3.dll
- Filesize: 141KB
- MD5: a2ee53de9167bf0d6c019303b7ca84e5
- SHA1: 2a3c737fa1157e8483815e98b666408a18c0db42
- SHA256: 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
- SHA512: 45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
C:\ProgramData\vcruntime140.dll
- Filesize: 81KB
- MD5: 7587bf9cb4147022cd5681b015183046
- SHA1: f2106306a8f6f0da5afb7fc765cfa0757ad5a628
- SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
- SHA512: 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\Local\Temp\1048.exe
- Filesize: 1.0MB
- MD5: 58d4a4a40084d0797e21275558f8bd97
- SHA1: 5477465eedb7c94725efd1ab5133ad2129340c9c
- SHA256: ac67d9e0b617faab29d762961dc8564eade4b3f9383b1b8327de7b117bc286ec
- SHA512: 208627f05140db12c856d9eef2a0df67aa32bb79cfba6bf982a84c56d7f128b43f9602a229013c4a782da51ef0dd02f644df77189fb7635bbefac1516091dcce
-
C:\Users\Admin\AppData\Local\Temp\61A6.exe
- Filesize: 1.0MB
- MD5: 273ad70f68326de22a515cd14ef45508
- SHA1: 8905394e3172f56b5feebd265a915c4f106fd3fc
- SHA256: 86a0cfbbd6356a1de69f1adf4a25791ce375eb5f0f3ea66be24b230b0b46245b
- SHA512: 5b3f3d0ee1d73ce67174f7ee5c459de58321bc0ebd84bb840e6fadcb01f78b0b10c3b2a7ae4c22ea55c5b57cab99a95fae883d6bd1fc453a419a07db6f10f350
-
C:\Users\Admin\AppData\Local\Temp\C476.exe
- Filesize: 262KB
- MD5: 03a3858edda11d9addf980e84fe669f2
- SHA1: 17d806fdbf304fb0243d50e761a0b40eb9642490
- SHA256: 5baf83e3ec3ade7fc1760e65bf958f3ddc8217bfb5307b78ccfd690c828c1fae
- SHA512: 4f763efe25b7e4b97ca7093a497f54583e40fd9af4d822fe5257d8c7f8a1594adfc099db7d14c755fd6b61ca9861cf2676cd7f6efd3923b7af4eaa286b4c9f83
-
C:\Users\Admin\AppData\Local\Temp\D80F.exe
- Filesize: 696KB
- MD5: 1c73b198d8bb81f87904aa5da4df8228
- SHA1: 5068682c838adff96c7f8cfd713dca9eeafb1c58
- SHA256: dba8b60ad720aba879052340f32cc3843f6430d7d65355604ca7e80787a82bd4
- SHA512: c9ffcd206cffa786cb55d95dddc5b3ab2778fe2b01bba0240ab49bb9c1ba44ad2a17867817ad5321384bf437fb744d7ef3f3b1e8108e621346fc4a8247a86216
-
C:\Users\Admin\AppData\Local\Temp\E8AA.exe
- Filesize: 841KB
- MD5: efed57771cb41fdde63781d1e195912c
- SHA1: a71b0545951c99eb6ad4a50c22d02c958003d920
- SHA256: 72cd1426f13a698c7d63a288f4920147812303e8f10a4e66e414cc7c2206381d
- SHA512: 6fd84f80ba5f3c53f48a6a0135cedc7b489cca419742e043116468bcda0898398dd7ddff4ac7d0d8b283312d4c411790b8ff74276f14016021597498b306a080
-
C:\Users\Admin\AppData\Local\Temp\FA7D.exe
- Filesize: 2.4MB
- MD5: 4740291ec0e127d24cee534329bc1625
- SHA1: 3b0cc4e8f779f7268716e7a116ed4443ba30383b
- SHA256: edf108a4b5049c7ccf26d401c9ae48b9444744e71322e41b6a8a89873c63147b
- SHA512: 1e88a2b9ae851967f915387f669e9debe044eb5cbb8d922598834a5c226546451614ef501615d1d0d43dfb0e41992075ba38f6bbde89d337b09e6342ba10d38e
-
C:\Users\Admin\AppData\Local\Temp\nhpnmaw.exe
- Filesize: 13.0MB
- MD5: 1763445c80f58b9816d82b99cc37075b
- SHA1: 57cb33fa5f808a2d2341f2bd1b79fce120f21370
- SHA256: a4450fb81c8e3c0890759bf1e1184aebd761bb77cbe84738dbacfe7e831f3c1c
- SHA512: 6fd164399fa6c2f34261d90e6b679f0cd5c2d47d1a5aa04dc2257ab8ec19af13e0225ce29792f2dc2904d5f2abfeae8f05d69a2fdfe4ff2eda2a3775961dfd03
-
C:\Windows\SysWOW64\wanvnfdv\nhpnmaw.exe
- Filesize: 13.0MB
- MD5: 1763445c80f58b9816d82b99cc37075b
- SHA1: 57cb33fa5f808a2d2341f2bd1b79fce120f21370
- SHA256: a4450fb81c8e3c0890759bf1e1184aebd761bb77cbe84738dbacfe7e831f3c1c
- SHA512: 6fd164399fa6c2f34261d90e6b679f0cd5c2d47d1a5aa04dc2257ab8ec19af13e0225ce29792f2dc2904d5f2abfeae8f05d69a2fdfe4ff2eda2a3775961dfd03
-
Memory dumps (dump name, with the dump size where the report gives one):
memory/212-134-0x00000000004D8000-0x00000000004E9000-memory.dmp  68KB
memory/212-135-0x0000000002070000-0x0000000002079000-memory.dmp  36KB
memory/212-136-0x0000000000400000-0x0000000000476000-memory.dmp  472KB
memory/212-133-0x00000000004D8000-0x00000000004E9000-memory.dmp  68KB
memory/372-203-0x0000000000000000-mapping.dmp
memory/624-186-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/624-188-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/624-185-0x0000000000000000-mapping.dmp
memory/624-191-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
memory/804-142-0x0000000000000000-mapping.dmp
memory/840-153-0x0000000000000000-mapping.dmp
memory/896-137-0x00000000013F0000-0x0000000001406000-memory.dmp  88KB
memory/896-200-0x0000000007730000-0x0000000007746000-memory.dmp  88KB
memory/1140-235-0x0000000000000000-mapping.dmp
memory/1240-222-0x0000000000000000-mapping.dmp
memory/1428-156-0x0000000000000000-mapping.dmp
memory/1428-190-0x0000000002240000-0x000000000235B000-memory.dmp  1.1MB
memory/1428-189-0x0000000002068000-0x00000000020F9000-memory.dmp  580KB
memory/1736-204-0x0000000000000000-mapping.dmp
memory/1888-155-0x0000000000000000-mapping.dmp
memory/1980-218-0x0000000000000000-mapping.dmp
memory/2168-236-0x0000000000000000-mapping.dmp
memory/2216-151-0x0000000000000000-mapping.dmp
memory/2236-197-0x0000000000060000-0x0000000000170000-memory.dmp  1.1MB
memory/2236-194-0x0000000000000000-mapping.dmp
memory/2236-206-0x0000000004970000-0x0000000004F14000-memory.dmp  5.6MB
memory/2236-201-0x00000000049E0000-0x00000000049EA000-memory.dmp  40KB
memory/2236-199-0x0000000004A10000-0x0000000004AA2000-memory.dmp  584KB
memory/2236-198-0x0000000004F20000-0x00000000054C4000-memory.dmp  5.6MB
memory/2292-229-0x0000000000000000-mapping.dmp
memory/2508-230-0x0000000000000000-mapping.dmp
memory/2592-166-0x000000000054A000-0x0000000000557000-memory.dmp  52KB
memory/2592-175-0x000000000054A000-0x0000000000557000-memory.dmp  52KB
memory/2592-176-0x0000000000400000-0x0000000000486000-memory.dmp  536KB
memory/2940-170-0x0000000000190000-0x0000000000191000-memory.dmp  4KB
memory/2940-183-0x0000000000400000-0x00000000008CA000-memory.dmp  4.8MB
memory/2940-172-0x0000000000400000-0x00000000008CA000-memory.dmp  4.8MB
memory/2940-171-0x0000000000400000-0x00000000008CA000-memory.dmp  4.8MB
memory/2940-181-0x0000000000400000-0x00000000008CA000-memory.dmp  4.8MB
memory/2940-169-0x00000000001B0000-0x00000000001F3000-memory.dmp  268KB
memory/2940-173-0x0000000000400000-0x00000000008CA000-memory.dmp  4.8MB
memory/2940-174-0x0000000000400000-0x00000000008CA000-memory.dmp  4.8MB
memory/2940-167-0x0000000000400000-0x00000000008CA000-memory.dmp  4.8MB
memory/2940-178-0x0000000076FE0000-0x0000000077183000-memory.dmp  1.6MB
memory/2940-168-0x0000000000400000-0x00000000008CA000-memory.dmp  4.8MB
memory/2940-163-0x0000000000000000-mapping.dmp
memory/2940-184-0x0000000000400000-0x00000000008CA000-memory.dmp  4.8MB
memory/2984-144-0x0000000002090000-0x00000000020A3000-memory.dmp  76KB
memory/2984-141-0x000000000080F000-0x000000000081D000-memory.dmp  56KB
memory/2984-138-0x0000000000000000-mapping.dmp
memory/2984-143-0x000000000080F000-0x000000000081D000-memory.dmp  56KB
memory/2984-145-0x0000000000400000-0x0000000000486000-memory.dmp  536KB
memory/3004-221-0x0000000000000000-mapping.dmp
memory/3020-207-0x0000000000000000-mapping.dmp
memory/3260-205-0x0000000000000000-mapping.dmp
memory/3372-149-0x0000000000000000-mapping.dmp
memory/3448-152-0x0000000000000000-mapping.dmp
memory/3448-234-0x0000000000000000-mapping.dmp
memory/3468-177-0x0000000000000000-mapping.dmp
memory/3468-179-0x0000000000440000-0x0000000000455000-memory.dmp  84KB
memory/3676-225-0x0000000005710000-0x0000000005D28000-memory.dmp  6.1MB
memory/3676-231-0x0000000005510000-0x0000000005576000-memory.dmp  408KB
memory/3676-239-0x0000000007DB0000-0x00000000082DC000-memory.dmp  5.2MB
memory/3676-238-0x00000000070A0000-0x0000000007262000-memory.dmp  1.8MB
memory/3676-237-0x0000000006780000-0x00000000067D0000-memory.dmp  320KB
memory/3676-223-0x0000000000000000-mapping.dmp
memory/3676-224-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
memory/3676-233-0x00000000064B0000-0x00000000064CE000-memory.dmp  120KB
memory/3676-226-0x0000000005170000-0x0000000005182000-memory.dmp  72KB
memory/3676-227-0x00000000052A0000-0x00000000053AA000-memory.dmp  1.0MB
memory/3676-228-0x00000000051D0000-0x000000000520C000-memory.dmp  240KB
memory/3676-232-0x00000000060B0000-0x0000000006126000-memory.dmp  472KB
memory/3736-217-0x00000000004D0000-0x00000000005E0000-memory.dmp  1.1MB
memory/3736-219-0x0000000004DF0000-0x0000000005394000-memory.dmp  5.6MB
memory/3736-214-0x0000000000000000-mapping.dmp
memory/3824-220-0x0000000000000000-mapping.dmp
memory/3904-202-0x0000000000000000-mapping.dmp
memory/4080-146-0x0000000000000000-mapping.dmp
memory/4080-160-0x000000000066F000-0x00000000006DB000-memory.dmp  432KB
memory/4080-161-0x0000000000400000-0x00000000004F2000-memory.dmp  968KB
memory/4080-159-0x000000000066F000-0x00000000006DB000-memory.dmp  432KB
memory/4080-162-0x0000000002070000-0x000000000211C000-memory.dmp  688KB