Analysis
max time kernel: 156s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 16:31
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
General
Target: file.exe
Size: 286KB
MD5: c5bb23b188f4d799d36a55c2ecb5cef9
SHA1: 860451858cc60cd8d55337458de4fd28075df940
SHA256: 198305a07facd04096fe3138a05d25acfe055f39ac339fd597c30d16928b88c9
SHA512: 034024de4bdf6f3bcf629f628280c6ca676ab32ae0e82a3ffbf16bdaf977b6a899c9a8905e7f8d158dffc132e6f26b05a720a3e39e0e72ef45d865a4a0d1d238
SSDEEP: 3072:3GzyC5JUoveLC0Ev45kaYjnFB2JlCIa9FzwJVhhs6HfbiM/h3:qTUoveLC0EvBTFB2KBmJVhK6e
Malware Config
Extracted: nymaim
  45.139.105.171
  85.31.46.167
Extracted: vidar
  55.3
  937
  https://t.me/slivetalks
  https://c.im/@xinibin420
  profile_id: 937
Signatures

Detects Smokeloader packer (1 IoC)
  Resource: behavioral2/memory/1628-134-0x00000000001F0000-0x00000000001F9000-memory.dmp
  YARA rule: family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (7 IoCs)
  PID 1300  4DD.exe
  PID 1244  4B4D.exe
  PID 4372  5570.exe
  PID 1776  5B5D.exe
  PID 4224  7474.exe
  PID 4100  4DD.exe
  PID 796   Adventure.exe.pif

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  4DD.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  5B5D.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  5570.exe

Loads dropped DLL (3 IoCs)
  PID 1776  5B5D.exe (all 3 IoCs)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  7474.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  7474.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification  \??\PHYSICALDRIVE0  4B4D.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (30 IoCs)
  WerFault.exe PID -> crashed PID (process)
  1544 -> 1300 (4DD.exe)
  452  -> 1300 (4DD.exe)
  3892 -> 1300 (4DD.exe)
  2076 -> 1300 (4DD.exe)
  2084 -> 1300 (4DD.exe)
  412  -> 4372 (5570.exe)
  4948 -> 1300 (4DD.exe)
  3052 -> 1300 (4DD.exe)
  960  -> 1300 (4DD.exe)
  2780 -> 4372 (5570.exe)
  1632 -> 4372 (5570.exe)
  4016 -> 4372 (5570.exe)
  908  -> 1300 (4DD.exe)
  1688 -> 4372 (5570.exe)
  4136 -> 4372 (5570.exe)
  4356 -> 1776 (5B5D.exe)
  2304 -> 4372 (5570.exe)
  4264 -> 4100 (4DD.exe)
  512  -> 4100 (4DD.exe)
  2412 -> 4372 (5570.exe)
  636  -> 4100 (4DD.exe)
  3208 -> 4372 (5570.exe)
  4768 -> 4100 (4DD.exe)
  2168 -> 4100 (4DD.exe)
  2084 -> 4100 (4DD.exe)
  4516 -> 4100 (4DD.exe)
  1232 -> 4100 (4DD.exe)
  4452 -> 1928 (4DD.exe)
  3512 -> 1300 (4DD.exe)
  2628 -> 1928 (4DD.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5B5D.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  5B5D.exe

Delays execution with timeout.exe (1 IoC)
  PID 5108  timeout.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 4004  tasklist.exe
  PID 4260  tasklist.exe

Kills process with taskkill (1 IoC)
  PID 560  taskkill.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1628  file.exe (2 IoCs)
  PID 2424  (process name not recorded; all remaining IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2424  (process name not recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 1628  file.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2424  (process name not recorded): Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, for all IoCs except the one below
  PID 560   taskkill.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 796   Adventure.exe.pif
  PID 2424  (process name not recorded; 2 IoCs)

Suspicious use of SendNotifyMessage (1 IoC)
  PID 796  Adventure.exe.pif

Suspicious use of WriteProcessMemory (60 IoCs)
  Each parent -> target pair below appears three times in the original table (20 distinct pairs, 60 IoCs).
  source PID (process) -> target PID (process)
  2424 (process name not recorded) -> 1300 (4DD.exe)
  2424 (process name not recorded) -> 1244 (4B4D.exe)
  2424 (process name not recorded) -> 4372 (5570.exe)
  2424 (process name not recorded) -> 1776 (5B5D.exe)
  2424 (process name not recorded) -> 4224 (7474.exe)
  4224 (7474.exe) -> 1336 (dllhost.exe)
  4224 (7474.exe) -> 376 (cmd.exe)
  376 (cmd.exe) -> 2800 (cmd.exe)
  1300 (4DD.exe) -> 4100 (4DD.exe)
  1776 (5B5D.exe) -> 1676 (cmd.exe)
  1676 (cmd.exe) -> 5108 (timeout.exe)
  4372 (5570.exe) -> 1304 (cmd.exe)
  1304 (cmd.exe) -> 560 (taskkill.exe)
  2800 (cmd.exe) -> 4004 (tasklist.exe)
  2800 (cmd.exe) -> 3392 (find.exe)
  2800 (cmd.exe) -> 4260 (tasklist.exe)
  2800 (cmd.exe) -> 5044 (find.exe)
  2800 (cmd.exe) -> 536 (findstr.exe)
  2800 (cmd.exe) -> 796 (Adventure.exe.pif)
  376 (cmd.exe) -> 4960 (PING.EXE)
Processes
(Indentation shows the parent/child depth of each process; the "cmdline:" line is the command line as recorded, followed by the signatures attributed to that process.)

C:\Users\Admin\AppData\Local\Temp\file.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\4DD.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\4DD.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 628
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 924
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 988
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1064
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1140
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1148
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 932
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1168
    - Program crash
  C:\Users\Admin\AppData\Local\Temp\4DD.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\4DD.exe"
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 600
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 996
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1064
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1072
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1104
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1080
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1004
      - Program crash
    C:\Users\Admin\AppData\Local\Temp\4DD.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\4DD.exe"
      C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 600
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 764
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 988
      - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1048
    - Program crash
  C:\Windows\SysWOW64\rundll32.exe
    cmdline: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1076
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1300 -ip 1300

C:\Users\Admin\AppData\Local\Temp\4B4D.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\4B4D.exe
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1300 -ip 1300

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1300 -ip 1300

C:\Users\Admin\AppData\Local\Temp\5570.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\5570.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 460
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 772
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 808
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 816
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 876
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1028
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1056
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1404
    - Program crash
  C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "5570.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5570.exe" & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /im "5570.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 452
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1300 -ip 1300

C:\Users\Admin\AppData\Local\Temp\5B5D.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\5B5D.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5B5D.exe" & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe
      cmdline: timeout /t 6
      - Delays execution with timeout.exe
  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1992
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1300 -ip 1300

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1300 -ip 1300

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1300 -ip 1300

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1300 -ip 1300

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4372 -ip 4372

C:\Users\Admin\AppData\Local\Temp\7474.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\7474.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\dllhost.exe
    cmdline: dllhost vfrfgh ningggfdee
  C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c cmd < Chrome.pdf & ping -n 5 localhost
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\tasklist.exe
        cmdline: tasklist /FI "imagename eq AvastUI.exe"
        - Enumerates processes with tasklist
      C:\Windows\SysWOW64\find.exe
        cmdline: find /I /N "avastui.exe"
      C:\Windows\SysWOW64\tasklist.exe
        cmdline: tasklist /FI "imagename eq AVGUI.exe"
        - Enumerates processes with tasklist
      C:\Windows\SysWOW64\find.exe
        cmdline: find /I /N "avgui.exe"
      C:\Windows\SysWOW64\findstr.exe
        cmdline: findstr /V /R "^kuSBdsbDhZNHQD$" Chicago.pdf
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
        cmdline: Adventure.exe.pif I
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\PING.EXE
      cmdline: ping -n 5 localhost
      - Runs ping.exe

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1300 -ip 1300

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1776 -ip 1776

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1928 -ip 1928

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1300 -ip 1300

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1928 -ip 1928
Downloads