Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09/09/2022, 08:01
Static task: static1
Behavioral task: behavioral1
Sample: c33b9969e0cf57aaa83702d9b5a1af0b8d51f939e64aa8cafd0cc1807ddc1748.exe
Resource: win10-20220812-en
General
Target: c33b9969e0cf57aaa83702d9b5a1af0b8d51f939e64aa8cafd0cc1807ddc1748.exe
Size: 205KB
MD5: fb6e79d6b847f7fe32c884a0d0291d86
SHA1: d02f5a00dcd6bab54854481f8f55afd808a002a5
SHA256: c33b9969e0cf57aaa83702d9b5a1af0b8d51f939e64aa8cafd0cc1807ddc1748
SHA512: 534bd9a88d13f3acf6805e5e0031990274171f5ef34655772e5e47f84e190dd28771b0d4df139ec7c402bed9cccb2dae43143e79d265cbd9aeac21bf3baaf2b6
SSDEEP: 3072:SndNhmnPJn+vsKU650rHfSQcid02oGrHDs6:ImJ+vsKor/Sdid3oUDs
Malware Config
Extracted: socelars
    https://dfgrthres.s3.eu-west-3.amazonaws.com/asdhs909/
Extracted: redline
    mario_new
    176.122.23.55:11768
    auth_value: eeee8d5fcc3ba3a42094ef260c5bdcb4
Signatures

Detects Smokeloader packer (1 IoC)
resource: behavioral1/memory/4196-238-0x0000000002BD0000-0x0000000002BD9000-memory.dmp, yara_rule: family_smokeloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource: behavioral1/memory/101284-449-0x000000000475B03E-mapping.dmp, yara_rule: family_redline
resource: behavioral1/memory/101284-516-0x0000000004700000-0x0000000004760000-memory.dmp, yara_rule: family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Socelars payload (3 IoCs)
resource: behavioral1/memory/27104-434-0x0000000000400000-0x000000000058E000-memory.dmp, yara_rule: family_socelars
resource: behavioral1/memory/27104-770-0x0000000000400000-0x000000000058E000-memory.dmp, yara_rule: family_socelars
resource: behavioral1/memory/101920-758-0x0000000000400000-0x000000000058E000-memory.dmp, yara_rule: family_socelars
Downloads MZ/PE file
Executes dropped EXE (10 IoCs)
pid 2828: 6AD0.exe
pid 4780: 7B1C.exe
pid 4196: 8251.exe
pid 4348: 8CA3.exe
pid 3760: B981.exe
pid 7196: C819.exe
pid 27104: D3E1.exe
pid 44624: E2B7.exe
pid 101340: E2B7.exe
pid 74648: 3E17.exe
Deletes itself (1 IoC)
pid 3012: Process not Found

Loads dropped DLL (1 IoC)
pid 4288: regsvr32.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
description: PID 3760 set thread context of 101284; pid 3760; Process: B981.exe; procid_target: 81
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (4 IoCs)
pid 4864 (pid_target 4348): WerFault.exe, procid_target 69
pid 29508 (pid_target 7196): WerFault.exe, procid_target 76
pid 101296 (pid_target 3760): WerFault.exe, procid_target 74
pid 101672 (pid_target 102080): WerFault.exe, procid_target 109
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by c33b9969e0cf57aaa83702d9b5a1af0b8d51f939e64aa8cafd0cc1807ddc1748.exe
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by c33b9969e0cf57aaa83702d9b5a1af0b8d51f939e64aa8cafd0cc1807ddc1748.exe
Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by c33b9969e0cf57aaa83702d9b5a1af0b8d51f939e64aa8cafd0cc1807ddc1748.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 8251.exe
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 8251.exe
Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 8251.exe
Kills process with taskkill (1 IoC)
pid 102364: taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 3012: Process not Found

Suspicious behavior: MapViewOfSection (2 IoCs)
pid 1680: c33b9969e0cf57aaa83702d9b5a1af0b8d51f939e64aa8cafd0cc1807ddc1748.exe
pid 4196: 8251.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
pid 3012: Process not Found

Suspicious use of SendNotifyMessage (5 IoCs)
pid 3012: Process not Found (5 occurrences)

Suspicious use of WriteProcessMemory (39 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\c33b9969e0cf57aaa83702d9b5a1af0b8d51f939e64aa8cafd0cc1807ddc1748.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c33b9969e0cf57aaa83702d9b5a1af0b8d51f939e64aa8cafd0cc1807ddc1748.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 1680

C:\Users\Admin\AppData\Local\Temp\6AD0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\6AD0.exe
    - Executes dropped EXE
    PID: 2828

C:\Users\Admin\AppData\Local\Temp\7B1C.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7B1C.exe
    - Executes dropped EXE
    PID: 4780

C:\Users\Admin\AppData\Local\Temp\8251.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\8251.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 4196

C:\Users\Admin\AppData\Local\Temp\8CA3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\8CA3.exe
    - Executes dropped EXE
    PID: 4348

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 480
        - Program crash
        PID: 4864

C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AA2E.dll
    - Suspicious use of WriteProcessMemory
    PID: 3472

    C:\Windows\SysWOW64\regsvr32.exe
        Command line: /s C:\Users\Admin\AppData\Local\Temp\AA2E.dll
        - Loads dropped DLL
        PID: 4288

C:\Users\Admin\AppData\Local\Temp\B981.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\B981.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3760

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 101284

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 195608
        - Program crash
        PID: 101296

C:\Users\Admin\AppData\Local\Temp\C819.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C819.exe
    - Executes dropped EXE
    PID: 7196

    C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 7196 -s 140
        - Program crash
        PID: 29508

C:\Users\Admin\AppData\Local\Temp\D3E1.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D3E1.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 27104

    C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c taskkill /f /im chrome.exe
        PID: 101800

        C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im chrome.exe
            - Kills process with taskkill
            PID: 102364

    C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
        PID: 102204

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff0c1b4f50,0x7fff0c1b4f60,0x7fff0c1b4f70
            PID: 102256

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 /prefetch:8
            PID: 101756

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
            PID: 102020

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
            PID: 101992

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1688 /prefetch:8
            PID: 101748

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
            PID: 101716

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
            PID: 52072

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
            PID: 101328

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
            PID: 27108

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
            PID: 102056

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
            PID: 101480

        C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,17472708424713278587,6482624063189089259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
            PID: 4960

C:\Users\Admin\AppData\Local\Temp\E2B7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\E2B7.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 44624

    C:\Users\Admin\AppData\Local\Temp\E2B7.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\E2B7.exe" -h
        - Executes dropped EXE
        PID: 101340

C:\Users\Admin\AppData\Local\Temp\3E17.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3E17.exe
    - Executes dropped EXE
    PID: 74648

C:\Users\Admin\AppData\Local\Temp\5A1C.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5A1C.exe
    PID: 101664

    C:\Users\Admin\AppData\Local\Temp\5A1C.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\5A1C.exe" -h
        PID: 101456

C:\Users\Admin\AppData\Local\Temp\70C1.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\70C1.exe
    PID: 101920

C:\Users\Admin\AppData\Local\Temp\C153.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C153.exe
    PID: 102080

    C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 102080 -s 432
        - Program crash
        PID: 101672

C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 27104

C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    PID: 102356
Network
MITRE ATT&CK Enterprise v6
Downloads