nymaim | a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4

Analysis

max time kernel
170s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe
Size

285KB
MD5

9cdf5081c48c1c51aaf527e4f1ea705e
SHA1

20be01a1e99f950b7cfdef116fc736887e20bd6b
SHA256

a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4
SHA512

c02f81e1747a330f3f0f575b0e7d36300d8dae56c32de3a6392b6e3f351b1de1bdbb768fa50489f38ab66e332c1e8959a92edcf2421bb1ac2066f694aa3f99b7
SSDEEP

3072:nZZ5QJTUCvHurL2VfzCEe1a5gAj9EotMsU31Z2zDqxgWWjDhuiFDw5225EM/h3:mUCvOrL2VfzCEBi3v8Dw5XE

Score

10^/10

nymaim smokeloader vidar 937 backdoor bootkit discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Extracted

Family

vidar

Version

55.3

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4476-133-0x0000000002E90000-0x0000000002E99000-memory.dmp	family_smokeloader
behavioral1/memory/4476-136-0x0000000002E90000-0x0000000002E99000-memory.dmp	family_smokeloader

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

E399.exe442.exe12BA.exe1839.exe2625.exeAdventure.exe.pif

pid process

3976 E399.exe
4820 442.exe
4120 12BA.exe
3564 1839.exe
412 2625.exe
1768 Adventure.exe.pif

pid	process
3976	E399.exe
4820	442.exe
4120	12BA.exe
3564	1839.exe
412	2625.exe
1768	Adventure.exe.pif

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E399.exe12BA.exe1839.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	E399.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	12BA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1839.exe

Loads dropped DLL 3 IoCs

Processes:

1839.exe

pid process

3564 1839.exe
3564 1839.exe
3564 1839.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3564	1839.exe
3564	1839.exe
3564	1839.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2625.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2625.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

442.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 442.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	442.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4164	4120	WerFault.exe	12BA.exe
4144	3976	WerFault.exe	E399.exe
2428	4120	WerFault.exe	12BA.exe
2268	3976	WerFault.exe	E399.exe
2784	4120	WerFault.exe	12BA.exe
5096	4120	WerFault.exe	12BA.exe
4696	3976	WerFault.exe	E399.exe
3492	4120	WerFault.exe	12BA.exe
2088	3976	WerFault.exe	E399.exe
4956	3976	WerFault.exe	E399.exe
4968	4120	WerFault.exe	12BA.exe
4792	3976	WerFault.exe	E399.exe
2080	4120	WerFault.exe	12BA.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1839.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1839.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1839.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1592 tasklist.exe
3580 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3888 PING.EXE
560 PING.EXE

pid	process
1592	tasklist.exe
3580	tasklist.exe

pid	process
3888	PING.EXE
560	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe

pid	process
4476	a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe
4476	a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2792
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe

pid process

4476 a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe

pid	process
2792

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

tasklist.exetasklist.exe

description	pid	process
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeDebugPrivilege	1592	tasklist.exe
Token: SeDebugPrivilege	3580	tasklist.exe
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792
Token: SeShutdownPrivilege	2792
Token: SeCreatePagefilePrivilege	2792

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Adventure.exe.pif

pid process

1768 Adventure.exe.pif
2792
2792
1768 Adventure.exe.pif
1768 Adventure.exe.pif
2792
2792
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Adventure.exe.pif

pid process

1768 Adventure.exe.pif
1768 Adventure.exe.pif
1768 Adventure.exe.pif

pid	process
1768	Adventure.exe.pif
2792
2792
1768	Adventure.exe.pif
1768	Adventure.exe.pif
2792
2792

pid	process
1768	Adventure.exe.pif
1768	Adventure.exe.pif
1768	Adventure.exe.pif

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

2625.execmd.execmd.exe

description	pid	process	target process
PID 2792 wrote to memory of 3976	2792		E399.exe
PID 2792 wrote to memory of 3976	2792		E399.exe
PID 2792 wrote to memory of 3976	2792		E399.exe
PID 2792 wrote to memory of 4820	2792		442.exe
PID 2792 wrote to memory of 4820	2792		442.exe
PID 2792 wrote to memory of 4820	2792		442.exe
PID 2792 wrote to memory of 4120	2792		12BA.exe
PID 2792 wrote to memory of 4120	2792		12BA.exe
PID 2792 wrote to memory of 4120	2792		12BA.exe
PID 2792 wrote to memory of 3564	2792		1839.exe
PID 2792 wrote to memory of 3564	2792		1839.exe
PID 2792 wrote to memory of 3564	2792		1839.exe
PID 2792 wrote to memory of 412	2792		2625.exe
PID 2792 wrote to memory of 412	2792		2625.exe
PID 2792 wrote to memory of 412	2792		2625.exe
PID 412 wrote to memory of 2620	412	2625.exe	dllhost.exe
PID 412 wrote to memory of 2620	412	2625.exe	dllhost.exe
PID 412 wrote to memory of 2620	412	2625.exe	dllhost.exe
PID 412 wrote to memory of 1472	412	2625.exe	cmd.exe
PID 412 wrote to memory of 1472	412	2625.exe	cmd.exe
PID 412 wrote to memory of 1472	412	2625.exe	cmd.exe
PID 1472 wrote to memory of 4212	1472	cmd.exe	cmd.exe
PID 1472 wrote to memory of 4212	1472	cmd.exe	cmd.exe
PID 1472 wrote to memory of 4212	1472	cmd.exe	cmd.exe
PID 4212 wrote to memory of 1592	4212	cmd.exe	tasklist.exe
PID 4212 wrote to memory of 1592	4212	cmd.exe	tasklist.exe
PID 4212 wrote to memory of 1592	4212	cmd.exe	tasklist.exe
PID 4212 wrote to memory of 3592	4212	cmd.exe	find.exe
PID 4212 wrote to memory of 3592	4212	cmd.exe	find.exe
PID 4212 wrote to memory of 3592	4212	cmd.exe	find.exe
PID 4212 wrote to memory of 3580	4212	cmd.exe	tasklist.exe
PID 4212 wrote to memory of 3580	4212	cmd.exe	tasklist.exe
PID 4212 wrote to memory of 3580	4212	cmd.exe	tasklist.exe
PID 4212 wrote to memory of 3656	4212	cmd.exe	find.exe
PID 4212 wrote to memory of 3656	4212	cmd.exe	find.exe
PID 4212 wrote to memory of 3656	4212	cmd.exe	find.exe
PID 4212 wrote to memory of 3116	4212	cmd.exe	findstr.exe
PID 4212 wrote to memory of 3116	4212	cmd.exe	findstr.exe
PID 4212 wrote to memory of 3116	4212	cmd.exe	findstr.exe
PID 4212 wrote to memory of 1768	4212	cmd.exe	Adventure.exe.pif
PID 4212 wrote to memory of 1768	4212	cmd.exe	Adventure.exe.pif
PID 4212 wrote to memory of 1768	4212	cmd.exe	Adventure.exe.pif
PID 4212 wrote to memory of 560	4212	cmd.exe	PING.EXE
PID 4212 wrote to memory of 560	4212	cmd.exe	PING.EXE
PID 4212 wrote to memory of 560	4212	cmd.exe	PING.EXE
PID 1472 wrote to memory of 3888	1472	cmd.exe	PING.EXE
PID 1472 wrote to memory of 3888	1472	cmd.exe	PING.EXE
PID 1472 wrote to memory of 3888	1472	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe
"C:\Users\Admin\AppData\Local\Temp\a90b17c5255aae7b4eed7e1d0532ba7ce6b64a10902c91fb7a279c2a1e9445e4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4476

C:\Users\Admin\AppData\Local\Temp\E399.exe
C:\Users\Admin\AppData\Local\Temp\E399.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 888
2⤵
- Program crash
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1060
2⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1068
2⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 996
2⤵
- Program crash
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 996
2⤵
- Program crash
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1068
2⤵
- Program crash
PID:4792

C:\Users\Admin\AppData\Local\Temp\442.exe
C:\Users\Admin\AppData\Local\Temp\442.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4820

C:\Users\Admin\AppData\Local\Temp\12BA.exe
C:\Users\Admin\AppData\Local\Temp\12BA.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 784
2⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 824
2⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 840
2⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 812
2⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 948
2⤵
- Program crash
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1064
2⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1340
2⤵
- Program crash
PID:2080

C:\Users\Admin\AppData\Local\Temp\1839.exe
C:\Users\Admin\AppData\Local\Temp\1839.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:3564

C:\Users\Admin\AppData\Local\Temp\2625.exe
C:\Users\Admin\AppData\Local\Temp\2625.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\dllhost.exe
dllhost vfrfgh ningggfdee
2⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Chrome.pdf & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
4⤵
PID:3592

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
4⤵
PID:3656

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^kuSBdsbDhZNHQD$" Chicago.pdf
4⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
Adventure.exe.pif I
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1768

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:560

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3976 -ip 3976
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4120 -ip 4120
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4120 -ip 4120
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3976 -ip 3976
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3976 -ip 3976
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4120 -ip 4120
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3976 -ip 3976
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4120 -ip 4120
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3976 -ip 3976
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3976 -ip 3976
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3976 -ip 3976
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4120 -ip 4120
1⤵
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\12BA.exe
Filesize
354KB

MD5
fd9907223ad8e3da8826e5f554af5f0f

SHA1
60f9e2969a8d45c4bbc8b0648af04b827294be32

SHA256
35673e9d2db61688d6e077c5cce7b46ad3c3489c661fd68ba1e1398b9a989451

SHA512
cb2744b5972825b751778e30e44962cd5118426ffd6f84b1c69efe8bcba903ab4cad26cbb6643d13b9c36a48c4a81a1ebea367b58fe292ecc1cdb75d17bb64c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\12BA.exe
Filesize
354KB

MD5
fd9907223ad8e3da8826e5f554af5f0f

SHA1
60f9e2969a8d45c4bbc8b0648af04b827294be32

SHA256
35673e9d2db61688d6e077c5cce7b46ad3c3489c661fd68ba1e1398b9a989451

SHA512
cb2744b5972825b751778e30e44962cd5118426ffd6f84b1c69efe8bcba903ab4cad26cbb6643d13b9c36a48c4a81a1ebea367b58fe292ecc1cdb75d17bb64c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1839.exe
Filesize
349KB

MD5
322e56c0800806f7b0c22a29b9621cc3

SHA1
09a9a0eaec8facaed1d2d8f82990fa154e80a470

SHA256
9ef5e9112b6f46e3aa83394ab5cb5d7a160b80cbe31c1b179d11c6d1b17d782d

SHA512
e882375c48ee3305f0afcebee7933a76c8017e670e6e76b1b8286b7357d17d39ae0dce1020c8358fae5de71591294a44e2457034181bdd860f30579615db204f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1839.exe
Filesize
349KB

MD5
322e56c0800806f7b0c22a29b9621cc3

SHA1
09a9a0eaec8facaed1d2d8f82990fa154e80a470

SHA256
9ef5e9112b6f46e3aa83394ab5cb5d7a160b80cbe31c1b179d11c6d1b17d782d

SHA512
e882375c48ee3305f0afcebee7933a76c8017e670e6e76b1b8286b7357d17d39ae0dce1020c8358fae5de71591294a44e2457034181bdd860f30579615db204f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2625.exe
Filesize
737KB

MD5
8d013b4129e9f90f841a494190847b31

SHA1
53cefb2945a37889b5442cc45aea28dea8a5ac22

SHA256
5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3

SHA512
c9152eb756d1d7ecf988c275365bb4bc4e7de7286a00893b9814d65bd6693e25be9509e1f3829db93bec629c6a9cec9252f645858bef0f6ee221b913da20dfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\442.exe
Filesize
587KB

MD5
59236960e43c6f49efe76618491fc1fb

SHA1
54c4554122c5a0e91debc39d3bedc66c2ca8d9e3

SHA256
217dc5ba87c7b73452f40ace8535f05a7967918a0c152eb49aec7c702fdc34f2

SHA512
07b978df7d10c94f50ae1705af4c0971efb228cca4bb1188c61f9931515b3427787a1d3324400bf33472539e8b14170af7c9caf92e36d1727514e352872428bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\442.exe
Filesize
587KB

MD5
59236960e43c6f49efe76618491fc1fb

SHA1
54c4554122c5a0e91debc39d3bedc66c2ca8d9e3

SHA256
217dc5ba87c7b73452f40ace8535f05a7967918a0c152eb49aec7c702fdc34f2

SHA512
07b978df7d10c94f50ae1705af4c0971efb228cca4bb1188c61f9931515b3427787a1d3324400bf33472539e8b14170af7c9caf92e36d1727514e352872428bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E399.exe
Filesize
6.1MB

MD5
20ebfefb4f0b655f17854e9a4020ee3e

SHA1
9ae76aa7f92fed080bafb86479511b2a1e935ab1

SHA256
e15daee296d7aef3afbb4874ec2f8587f5d36beb1cf16870c87c626035a55477

SHA512
48d5ab551e398042e6fd22348cbbd3ae962df69dbe776e09847a1812e348aef68c3747997f14201011ae28b4f1c998072a70186c157a1d71047062880511b90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E399.exe
Filesize
6.1MB

MD5
20ebfefb4f0b655f17854e9a4020ee3e

SHA1
9ae76aa7f92fed080bafb86479511b2a1e935ab1

SHA256
e15daee296d7aef3afbb4874ec2f8587f5d36beb1cf16870c87c626035a55477

SHA512
48d5ab551e398042e6fd22348cbbd3ae962df69dbe776e09847a1812e348aef68c3747997f14201011ae28b4f1c998072a70186c157a1d71047062880511b90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chicago.pdf
Filesize
924KB

MD5
aabe6813697af03369aa450bb4436f55

SHA1
6e2ab9fdebe157325f1e83318bfa502b83b164ad

SHA256
969066f1533d7f8295294934cae842d6e04bf995347a926f59eab567554699a1

SHA512
bc169c94564c22e40a446dd6c64de09f98bf09f6b0ec238ef252c29e1e2e9c10a0bef8cf8fca1192f5a7d4cd7afe4c4fa4597a3307b7c71916dda73d3fb2f188

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chrome.pdf
Filesize
11KB

MD5
615333778325ed2e1d9deff0a5039a15

SHA1
40ab327c890707a9c9a5c2a10a6cdea8649a3341

SHA256
dc5bc0a06f4879eb547f8be95543452755fc4bd84725e6637b37fd541ca21c1e

SHA512
4359da53340dd931d38d268a7180f56c5ac1f88fe4e120dac7c13966a151f2d5d7331d9eeb5ee6d24bb4f3aa53f573bc3f7fe71e9eb148d8f808e0b2bb400b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Softball.pdf
Filesize
598KB

MD5
06fd6f511cf200e7732d6e39caaab63f

SHA1
b6215c6e20e9135743041559ef8d90f28ebbea5b

SHA256
62aa5a27b09fc6b8573fc9ab0f0d6a8aacb1f8b2323525a5592a773b008fcdb5

SHA512
57ecfbcd488136ab2adaca45cb7d2122275bdd7fc9b19bedaef5a06d45019b7a9a6b98e5f5f4df26e1cdd206552b38306bf4dd045bfdb7ab12224244f8a80d49

Download Submit
memory/412-159-0x0000000000000000-mapping.dmp

Download
memory/560-190-0x0000000000000000-mapping.dmp

Download
memory/1472-175-0x0000000000000000-mapping.dmp

Download
memory/1592-178-0x0000000000000000-mapping.dmp

Download
memory/1768-188-0x0000000000000000-mapping.dmp

Download
memory/2620-174-0x0000000000000000-mapping.dmp

Download
memory/3116-184-0x0000000000000000-mapping.dmp

Download
memory/3564-162-0x0000000002DF0000-0x0000000002E39000-memory.dmp

Filesize
292KB

Download
memory/3564-163-0x0000000000400000-0x0000000002C45000-memory.dmp

Filesize
40.3MB

Download
memory/3564-171-0x0000000002EB6000-0x0000000002EE2000-memory.dmp

Filesize
176KB

Download
memory/3564-152-0x0000000000000000-mapping.dmp

Download
memory/3564-160-0x0000000002EB6000-0x0000000002EE2000-memory.dmp

Filesize
176KB

Download
memory/3564-172-0x0000000000400000-0x0000000002C45000-memory.dmp

Filesize
40.3MB

Download
memory/3580-181-0x0000000000000000-mapping.dmp

Download
memory/3592-179-0x0000000000000000-mapping.dmp

Download
memory/3656-182-0x0000000000000000-mapping.dmp

Download
memory/3888-192-0x0000000000000000-mapping.dmp

Download
memory/3976-142-0x0000000005630000-0x0000000005C50000-memory.dmp

Filesize
6.1MB

Download
memory/3976-155-0x0000000005630000-0x0000000005C50000-memory.dmp

Filesize
6.1MB

Download
memory/3976-138-0x0000000000000000-mapping.dmp

Download
memory/3976-165-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/3976-146-0x0000000000400000-0x000000000320A000-memory.dmp

Filesize
46.0MB

Download
memory/3976-141-0x00000000038A2000-0x0000000003E8C000-memory.dmp

Filesize
5.9MB

Download
memory/4120-164-0x0000000000400000-0x0000000002C46000-memory.dmp

Filesize
40.3MB

Download
memory/4120-157-0x0000000002DA0000-0x0000000002DE0000-memory.dmp

Filesize
256KB

Download
memory/4120-170-0x0000000002FA6000-0x0000000002FCD000-memory.dmp

Filesize
156KB

Download
memory/4120-158-0x0000000002FA6000-0x0000000002FCD000-memory.dmp

Filesize
156KB

Download
memory/4120-173-0x0000000000400000-0x0000000002C46000-memory.dmp

Filesize
40.3MB

Download
memory/4120-169-0x0000000002DA0000-0x0000000002DE0000-memory.dmp

Filesize
256KB

Download
memory/4120-147-0x0000000000000000-mapping.dmp

Download
memory/4212-177-0x0000000000000000-mapping.dmp

Download
memory/4476-134-0x0000000000400000-0x0000000002C35000-memory.dmp

Filesize
40.2MB

Download
memory/4476-133-0x0000000002E90000-0x0000000002E99000-memory.dmp

Filesize
36KB

Download
memory/4476-136-0x0000000002E90000-0x0000000002E99000-memory.dmp

Filesize
36KB

Download
memory/4476-137-0x0000000000400000-0x0000000002C35000-memory.dmp

Filesize
40.2MB

Download
memory/4476-132-0x0000000002ED7000-0x0000000002EEC000-memory.dmp

Filesize
84KB

Download
memory/4476-135-0x0000000002ED7000-0x0000000002EEC000-memory.dmp

Filesize
84KB

Download
memory/4820-166-0x0000000002E16000-0x0000000002E77000-memory.dmp

Filesize
388KB

Download
memory/4820-143-0x0000000000000000-mapping.dmp

Download
memory/4820-150-0x0000000002E16000-0x0000000002E77000-memory.dmp

Filesize
388KB

Download
memory/4820-151-0x0000000003100000-0x000000000316B000-memory.dmp

Filesize
428KB

Download
memory/4820-168-0x0000000000400000-0x0000000002C81000-memory.dmp

Filesize
40.5MB

Download
memory/4820-167-0x0000000003100000-0x000000000316B000-memory.dmp

Filesize
428KB

Download
memory/4820-156-0x0000000000400000-0x0000000002C81000-memory.dmp

Filesize
40.5MB

Download