Malware Analysis Report

2024-11-30 21:51

Sample ID 230206-h2nwrace46
Target d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
SHA256 d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36
Tags
smokeloader backdoor trojan purecrypter collection downloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36

Threat Level: Known bad

The file d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan purecrypter collection downloader loader

SmokeLoader

PureCrypter

Detects Smokeloader packer

Checks computer location settings

Executes dropped EXE

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-06 07:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-06 07:14

Reported

2023-02-06 07:16

Platform

win7-20221111-en

Max time kernel

150s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows collapsed into this line)

SmokeLoader

trojan backdoor smokeloader

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
N/A N/A N/A N/A (61 identical rows collapsed into this line)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1216 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 1216 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 1216 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 1216 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 1216 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 1216 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 1216 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe

"C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe

C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 dtmoulding.com udp
CA 172.96.177.73:80 dtmoulding.com tcp

Files

memory/1216-54-0x00000000013C0000-0x00000000013E0000-memory.dmp

memory/1216-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

memory/1216-56-0x0000000005A40000-0x0000000005AE6000-memory.dmp

memory/1216-57-0x00000000004E0000-0x00000000004EC000-memory.dmp

memory/924-58-0x0000000000000000-mapping.dmp

memory/924-60-0x000000006EE40000-0x000000006F3EB000-memory.dmp

memory/924-61-0x000000006EE40000-0x000000006F3EB000-memory.dmp

memory/924-62-0x000000006EE40000-0x000000006F3EB000-memory.dmp

memory/316-63-0x0000000000400000-0x0000000000409000-memory.dmp

memory/316-64-0x0000000000400000-0x0000000000409000-memory.dmp

memory/316-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/316-67-0x0000000000402EF0-mapping.dmp

memory/316-69-0x0000000000400000-0x0000000000409000-memory.dmp

memory/316-70-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-06 07:14

Reported

2023-02-06 07:16

Platform

win10v2004-20221111-en

Max time kernel

151s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows collapsed into this line)

PureCrypter

loader downloader purecrypter

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9FAB.exe N/A

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9FAB.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
N/A N/A N/A N/A (60 identical rows collapsed into this line)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
N/A N/A N/A N/A (12 identical rows collapsed into this line)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9FAB.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 2160 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 2160 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 2160 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 2160 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 2160 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe
PID 2680 wrote to memory of 4992 N/A N/A C:\Users\Admin\AppData\Local\Temp\9FAB.exe
PID 2680 wrote to memory of 4992 N/A N/A C:\Users\Admin\AppData\Local\Temp\9FAB.exe
PID 2680 wrote to memory of 4992 N/A N/A C:\Users\Admin\AppData\Local\Temp\9FAB.exe
PID 2680 wrote to memory of 1772 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 1772 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 1772 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 1772 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 3596 N/A N/A C:\Windows\explorer.exe
PID 2680 wrote to memory of 3596 N/A N/A C:\Windows\explorer.exe
PID 2680 wrote to memory of 3596 N/A N/A C:\Windows\explorer.exe
PID 2680 wrote to memory of 1864 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 1864 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 1864 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 1864 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 4312 N/A N/A C:\Windows\explorer.exe
PID 2680 wrote to memory of 4312 N/A N/A C:\Windows\explorer.exe
PID 2680 wrote to memory of 4312 N/A N/A C:\Windows\explorer.exe
PID 2680 wrote to memory of 1788 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 1788 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 1788 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 1788 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2680 wrote to memory of 2836 N/A N/A C:\Windows\explorer.exe
PID 2680 wrote to memory of 2836 N/A N/A C:\Windows\explorer.exe
PID 2680 wrote to memory of 2836 N/A N/A C:\Windows\explorer.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe

"C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe

C:\Users\Admin\AppData\Local\Temp\d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36.exe

C:\Users\Admin\AppData\Local\Temp\9FAB.exe

C:\Users\Admin\AppData\Local\Temp\9FAB.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4992 -ip 4992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1688

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe
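The powershell.exe child in both the behavioral1 and behavioral2 process lists is started with an -ENC argument. That argument is base64 over UTF-16LE text and decodes to start-sleep -seconds 20: the loader spawns PowerShell only to wait 20 seconds before carrying on, a delay that is most of the 30 s network capture window of the win7 run and worth keeping in mind when reading the behavioral1 Network table. The decoder below is an added example, not part of the sandbox output. It accepts the abbreviated flag spellings powershell.exe resolves (-e, -ec, -enc and longer prefixes, with a space or colon before the value), rejects blobs that are not strict base64 or not UTF-16LE, and flags a decoded script that is nothing but a Start-Sleep so the delay can be surfaced as a triage note. The observed command line is copied from this report; the -nop -w hidden command line and the other scripts used in the checks are constructed.

```python
import base64
import re
from typing import Optional

# Command line recorded by the sandbox for the powershell.exe child (copied from this report).
OBSERVED_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)

# powershell.exe resolves any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
# case-insensitively, while "-ex..." goes to -ExecutionPolicy and must not match here.
# The value may follow a space or a colon and may be quoted.
_ENC_FLAG = re.compile(
    r"(?:^|\s)[-/]e(?:c|n[a-z]*)?[\s:]+[\"']?([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# A script consisting of a single Start-Sleep (alias "sleep") with an optional
# -Seconds/-Milliseconds switch, or any prefix of those names as PowerShell allows.
_SLEEP_ONLY = re.compile(
    r"^\s*(?:start-sleep|sleep)\s+(?:-(s[a-z]*|m[a-z]*)\s+)?(\d+)\s*;?\s*$",
    re.IGNORECASE,
)


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 value handed to -EncodedCommand (or an accepted prefix), else None."""
    m = _ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand value: base64 wrapping UTF-16LE text.

    Returns None when the value is not strict base64 or does not decode as UTF-16LE;
    powershell.exe rejects such values itself, so they are noise rather than a script.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) % 2:            # UTF-16 code units are two bytes wide
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; useful for building fixtures and detection tests."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def sleep_only_seconds(script: str) -> Optional[float]:
    """If the decoded script does nothing except sleep, return the delay in seconds."""
    m = _SLEEP_ONLY.match(script)
    if not m:
        return None
    unit, value = m.group(1), int(m.group(2))
    if unit and unit.lower().startswith("m"):   # -Milliseconds (or a prefix of it)
        return value / 1000.0
    return float(value)


def triage(cmdline: str) -> dict:
    """Summarize an observed powershell.exe command line for an analyst."""
    blob = extract_encoded_argument(cmdline)
    script = decode_encoded_command(blob) if blob else None
    return {
        "encoded": blob is not None,
        "script": script,
        "sleep_seconds": sleep_only_seconds(script) if script else None,
    }


if __name__ == "__main__":
    print(triage(OBSERVED_CMDLINE))
```

The decoded text is only the script passed on the command line; a Start-Sleep that small is not malicious on its own, so the useful detection is the combination seen here: an executable in the user's Temp directory launching PowerShell with an encoded argument whose whole content is a delay.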

Network

Country Destination Domain Proto
US 8.8.8.8:53 dtmoulding.com udp
CA 172.96.177.73:80 dtmoulding.com tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 cletonmy.com udp
CA 172.105.103.207:80 cletonmy.com tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 alpatrik.com udp
NL 45.81.39.147:80 alpatrik.com tcp
NL 45.81.39.147:80 alpatrik.com tcp
NL 45.81.39.147:80 alpatrik.com tcp
US 8.8.8.8:53 modeloartesanatos.com.br udp
BR 186.202.153.7:80 modeloartesanatos.com.br tcp
BR 186.202.153.7:80 modeloartesanatos.com.br tcp
BR 186.202.153.7:80 modeloartesanatos.com.br tcp
NL 45.81.39.147:80 alpatrik.com tcp
BR 186.202.153.7:80 modeloartesanatos.com.br tcp
BR 186.202.153.7:80 modeloartesanatos.com.br tcp

Files

memory/2160-132-0x0000000000C50000-0x0000000000C70000-memory.dmp

memory/2160-133-0x0000000006990000-0x00000000069B2000-memory.dmp

memory/3064-134-0x0000000000000000-mapping.dmp

memory/3064-135-0x0000000002B60000-0x0000000002B96000-memory.dmp

memory/3064-136-0x00000000052F0000-0x0000000005918000-memory.dmp

memory/3064-137-0x0000000005A40000-0x0000000005AA6000-memory.dmp

memory/3064-138-0x0000000005AB0000-0x0000000005B16000-memory.dmp

memory/3064-139-0x0000000006110000-0x000000000612E000-memory.dmp

memory/3064-140-0x0000000007960000-0x0000000007FDA000-memory.dmp

memory/3064-141-0x0000000006610000-0x000000000662A000-memory.dmp

memory/2260-142-0x0000000000000000-mapping.dmp

memory/2260-143-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2260-144-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2260-145-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4992-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9FAB.exe

MD5 7d046ce10b24412f4506c433cfe0747d
SHA1 5a96afd11e493c5eddd1f335e7228868d666c787
SHA256 abccee4556d532981bd1a3a36b92e9563c880eb93517ba677417741dbafe302a
SHA512 03e78a3113526b6fd29e8379390c01b0fd6407aa55b96ffce331b2da780305bc43710a92649b3db617d2a26186db663f2816f8e47bb3955257625971d751d4f9

memory/4992-149-0x00000000007D0000-0x00000000007DC000-memory.dmp

memory/1772-150-0x0000000000000000-mapping.dmp

memory/1772-151-0x0000000000500000-0x0000000000575000-memory.dmp

memory/1772-152-0x0000000000490000-0x00000000004FB000-memory.dmp

memory/3596-153-0x0000000000000000-mapping.dmp

memory/3596-154-0x00000000006E0000-0x00000000006EC000-memory.dmp

memory/1772-155-0x0000000000490000-0x00000000004FB000-memory.dmp

memory/1864-156-0x0000000000000000-mapping.dmp

memory/1864-157-0x00000000006C0000-0x00000000006C7000-memory.dmp

memory/1864-158-0x00000000006B0000-0x00000000006BB000-memory.dmp

memory/4312-159-0x0000000000000000-mapping.dmp

memory/4312-160-0x0000000000A40000-0x0000000000A49000-memory.dmp

memory/4312-161-0x0000000000A30000-0x0000000000A3F000-memory.dmp

memory/1788-162-0x0000000000000000-mapping.dmp

memory/1788-163-0x0000000000820000-0x0000000000825000-memory.dmp

memory/1788-164-0x0000000000810000-0x0000000000819000-memory.dmp

memory/2836-165-0x0000000000000000-mapping.dmp

memory/2836-166-0x0000000000DD0000-0x0000000000DD6000-memory.dmp

memory/2836-167-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

memory/1864-168-0x00000000006C0000-0x00000000006C7000-memory.dmp

memory/4312-169-0x0000000000A40000-0x0000000000A49000-memory.dmp

memory/1788-170-0x0000000000820000-0x0000000000825000-memory.dmp

memory/2836-171-0x0000000000DD0000-0x0000000000DD6000-memory.dmp