djvu | 0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2023 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe
Size

385KB
MD5

20b102749f932980627dec42e2c11a8f
SHA1

1e9a3ec35c953de8a431c426ea7d9fe1bad11fae
SHA256

0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d
SHA512

e5ae67245630f584f549866d59fcfda9a21b6d9298d0ff1ba7949a53c8016c8607797a0103839563c69840a94f968679aa7d618947bcc38038b04f4c9a1cba16
SSDEEP

3072:BrE+784MkJ5RE7hM7NQZNPK2AvpmLTMkwtoT2+fnh9nf6NvwEh2UUH:tEQFGhM7NANNgnjJ+nnfWv1

Score

10^/10

djvu laplas raccoon smokeloader vidar 19 backdoor clipper discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://bihsy.com/lancer/get.php

Attributes

extension
.vvoo
offline_id
9c20OtJsXdFeF07b1IeFK5ERGv1zIb659YG380t1
payload_url
http://uaery.top/dl/build2.exe
http://bihsy.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-IiDRZpWuwI Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0645JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

2.4

Botnet

Attributes

profile_id
19

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4416-150-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4416-152-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4416-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2216-155-0x00000000024E0000-0x00000000025FB000-memory.dmp	family_djvu
behavioral1/memory/4416-159-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4416-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4576-184-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4576-186-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4576-187-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4576-203-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4860-133-0x0000000002200000-0x0000000002209000-memory.dmp	family_smokeloader
behavioral1/memory/2876-179-0x00000000005D0000-0x00000000005D9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/756-160-0x00000000004E0000-0x00000000005E0000-memory.dmp	family_raccoon
behavioral1/memory/756-163-0x00000000004E0000-0x00000000005E0000-memory.dmp	family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D49D.exeD21B.exeD21B.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	D49D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	D21B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	D21B.exe

Executes dropped EXE 14 IoCs

Processes:

D0B2.exeD21B.exeD364.exeD49D.exeD21B.exe2A6F.exeD21B.exeD21B.exebuild2.exebuild3.exebuild2.exeA156.exemstsca.exesvcupdater.exe

pid	process
1624	D0B2.exe
2216	D21B.exe
756	D364.exe
4912	D49D.exe
4416	D21B.exe
2876	2A6F.exe
4624	D21B.exe
4576	D21B.exe
3652	build2.exe
3944	build3.exe
3972	build2.exe
1460	A156.exe
1556	mstsca.exe
4656	svcupdater.exe

Loads dropped DLL 2 IoCs

Processes:

build2.exe

pid process

3972 build2.exe
3972 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3452 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3972	build2.exe
3972	build2.exe

pid	process
3452	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

D21B.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\17d26c49-8051-4ffb-9114-f64fd64fe812\\D21B.exe\" --AutoStart"	D21B.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.2ip.ua
54 api.2ip.ua

flow	ioc
18	api.2ip.ua
54	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

D21B.exeD21B.exebuild2.exe

description	pid	process	target process
PID 2216 set thread context of 4416	2216	D21B.exe	D21B.exe
PID 4624 set thread context of 4576	4624	D21B.exe	D21B.exe
PID 3652 set thread context of 3972	3652	build2.exe	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4984 756 WerFault.exe D364.exe
3572 4912 WerFault.exe D49D.exe

pid	pid_target	process	target process
4984	756	WerFault.exe	D364.exe
3572	4912	WerFault.exe	D49D.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe2A6F.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2A6F.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2A6F.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2A6F.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4636 schtasks.exe
2108 schtasks.exe
3020 schtasks.exe

pid	process
4636	schtasks.exe
2108	schtasks.exe
3020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe

pid	process
4860	0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe
4860	0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152
2152

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2152
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe2A6F.exe

pid process

4860 0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe
2876 2A6F.exe

pid	process
2152

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2152
Token: SeCreatePagefilePrivilege	2152
Token: SeShutdownPrivilege	2152
Token: SeCreatePagefilePrivilege	2152
Token: SeShutdownPrivilege	2152
Token: SeCreatePagefilePrivilege	2152
Token: SeShutdownPrivilege	2152
Token: SeCreatePagefilePrivilege	2152
Token: SeShutdownPrivilege	2152
Token: SeCreatePagefilePrivilege	2152
Token: SeShutdownPrivilege	2152
Token: SeCreatePagefilePrivilege	2152

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

D21B.exeD21B.exeD49D.exeD21B.exeD21B.exebuild3.exebuild2.exe

description	pid	process	target process
PID 2152 wrote to memory of 1624	2152		D0B2.exe
PID 2152 wrote to memory of 1624	2152		D0B2.exe
PID 2152 wrote to memory of 1624	2152		D0B2.exe
PID 2152 wrote to memory of 2216	2152		D21B.exe
PID 2152 wrote to memory of 2216	2152		D21B.exe
PID 2152 wrote to memory of 2216	2152		D21B.exe
PID 2152 wrote to memory of 756	2152		D364.exe
PID 2152 wrote to memory of 756	2152		D364.exe
PID 2152 wrote to memory of 756	2152		D364.exe
PID 2152 wrote to memory of 4912	2152		D49D.exe
PID 2152 wrote to memory of 4912	2152		D49D.exe
PID 2152 wrote to memory of 4912	2152		D49D.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2216 wrote to memory of 4416	2216	D21B.exe	D21B.exe
PID 2152 wrote to memory of 2876	2152		2A6F.exe
PID 2152 wrote to memory of 2876	2152		2A6F.exe
PID 2152 wrote to memory of 2876	2152		2A6F.exe
PID 4416 wrote to memory of 3452	4416	D21B.exe	icacls.exe
PID 4416 wrote to memory of 3452	4416	D21B.exe	icacls.exe
PID 4416 wrote to memory of 3452	4416	D21B.exe	icacls.exe
PID 4912 wrote to memory of 4636	4912	D49D.exe	schtasks.exe
PID 4912 wrote to memory of 4636	4912	D49D.exe	schtasks.exe
PID 4912 wrote to memory of 4636	4912	D49D.exe	schtasks.exe
PID 4416 wrote to memory of 4624	4416	D21B.exe	D21B.exe
PID 4416 wrote to memory of 4624	4416	D21B.exe	D21B.exe
PID 4416 wrote to memory of 4624	4416	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4624 wrote to memory of 4576	4624	D21B.exe	D21B.exe
PID 4576 wrote to memory of 3652	4576	D21B.exe	build2.exe
PID 4576 wrote to memory of 3652	4576	D21B.exe	build2.exe
PID 4576 wrote to memory of 3652	4576	D21B.exe	build2.exe
PID 4576 wrote to memory of 3944	4576	D21B.exe	build3.exe
PID 4576 wrote to memory of 3944	4576	D21B.exe	build3.exe
PID 4576 wrote to memory of 3944	4576	D21B.exe	build3.exe
PID 3944 wrote to memory of 2108	3944	build3.exe	schtasks.exe
PID 3944 wrote to memory of 2108	3944	build3.exe	schtasks.exe
PID 3944 wrote to memory of 2108	3944	build3.exe	schtasks.exe
PID 3652 wrote to memory of 3972	3652	build2.exe	build2.exe
PID 3652 wrote to memory of 3972	3652	build2.exe	build2.exe
PID 3652 wrote to memory of 3972	3652	build2.exe	build2.exe
PID 3652 wrote to memory of 3972	3652	build2.exe	build2.exe
PID 3652 wrote to memory of 3972	3652	build2.exe	build2.exe
PID 3652 wrote to memory of 3972	3652	build2.exe	build2.exe
PID 3652 wrote to memory of 3972	3652	build2.exe	build2.exe
PID 3652 wrote to memory of 3972	3652	build2.exe	build2.exe
PID 3652 wrote to memory of 3972	3652	build2.exe	build2.exe
PID 2152 wrote to memory of 1460	2152		A156.exe
PID 2152 wrote to memory of 1460	2152		A156.exe

C:\Users\Admin\AppData\Local\Temp\0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe
"C:\Users\Admin\AppData\Local\Temp\0152fb6b67e7f441dde88ce1d6e1f4f5915fff1ccbb1aa04883d2c2da9398a1d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4860

C:\Users\Admin\AppData\Local\Temp\D0B2.exe
C:\Users\Admin\AppData\Local\Temp\D0B2.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\D21B.exe
C:\Users\Admin\AppData\Local\Temp\D21B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\D21B.exe
C:\Users\Admin\AppData\Local\Temp\D21B.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\17d26c49-8051-4ffb-9114-f64fd64fe812" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3452

C:\Users\Admin\AppData\Local\Temp\D21B.exe
"C:\Users\Admin\AppData\Local\Temp\D21B.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\D21B.exe
"C:\Users\Admin\AppData\Local\Temp\D21B.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build2.exe
"C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build2.exe
"C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3972

C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build3.exe
"C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:2108

C:\Users\Admin\AppData\Local\Temp\D364.exe
C:\Users\Admin\AppData\Local\Temp\D364.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 764
2⤵
- Program crash
PID:4984

C:\Users\Admin\AppData\Local\Temp\D49D.exe
C:\Users\Admin\AppData\Local\Temp\D49D.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 700
2⤵
- Program crash
PID:3572

C:\Users\Admin\AppData\Local\Temp\2A6F.exe
C:\Users\Admin\AppData\Local\Temp\2A6F.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 756 -ip 756
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4912 -ip 4912
1⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\A156.exe
C:\Users\Admin\AppData\Local\Temp\A156.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:3020

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
1⤵
- Executes dropped EXE
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\17d26c49-8051-4ffb-9114-f64fd64fe812\D21B.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build2.exe
Filesize
422KB

MD5
0b622eb410bfb32c5fa7b45eb3c116d2

SHA1
606d111174079e4d784e95f285805f14116e6d63

SHA256
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

SHA512
ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

Download Submit
C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build2.exe
Filesize
422KB

MD5
0b622eb410bfb32c5fa7b45eb3c116d2

SHA1
606d111174079e4d784e95f285805f14116e6d63

SHA256
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

SHA512
ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

Download Submit
C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build2.exe
Filesize
422KB

MD5
0b622eb410bfb32c5fa7b45eb3c116d2

SHA1
606d111174079e4d784e95f285805f14116e6d63

SHA256
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

SHA512
ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

Download Submit
C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\95da34a3-0881-4dd6-bad2-7d5c7a9f29cb\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A6F.exe
Filesize
385KB

MD5
b99e61248ba9202cebadda804b195a55

SHA1
ae22f0669d31994259d4a966143832c11c8d8afa

SHA256
eec952196acdcc290e57fe5c6e764267547151b7f2f9c8ee3764145cdb36758d

SHA512
d28c1b1041c051469b7f02f0d6118a265eaf5405426f81d0104b04452efe6d3a9adbfc6dbd51fb86d11f09822a3820b6fdac23dbd512d948e84076b69bc84a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A6F.exe
Filesize
385KB

MD5
b99e61248ba9202cebadda804b195a55

SHA1
ae22f0669d31994259d4a966143832c11c8d8afa

SHA256
eec952196acdcc290e57fe5c6e764267547151b7f2f9c8ee3764145cdb36758d

SHA512
d28c1b1041c051469b7f02f0d6118a265eaf5405426f81d0104b04452efe6d3a9adbfc6dbd51fb86d11f09822a3820b6fdac23dbd512d948e84076b69bc84a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\A156.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A156.exe
Filesize
7.4MB

MD5
2850ccb10aa6f6700d555ca67f89f1e0

SHA1
c55b593e654f822ed59d86bab7f8e081b331f132

SHA256
4589f71870479cdddc1439394eb7c27da1c95d1f7a89016168f32f6791f541ab

SHA512
8ee232798200eb6b25116ef75c3a07f61812ee3865b95272e92010ccc021d3fb261982a309c69a592cab5e397de945733133bb2cfd77faaa0be9acf3038df0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0B2.exe
Filesize
1.6MB

MD5
dc4d8acbc96e90cd6d6af29fe5d45127

SHA1
84015889aaf56a01d8304fad09adfb7be70abe29

SHA256
758a7414cdf99699a3caf38783bd4a45391b8f56734b6a5c7b5502ac142f1563

SHA512
cb2befef94883dab2aa5f121206ca928065c810e3b3d34b3c9c03918f22d7086f6e1de6fb75a4dc245debb0d4a88062acd07f051f2015509d1a30b5166490cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0B2.exe
Filesize
1.6MB

MD5
dc4d8acbc96e90cd6d6af29fe5d45127

SHA1
84015889aaf56a01d8304fad09adfb7be70abe29

SHA256
758a7414cdf99699a3caf38783bd4a45391b8f56734b6a5c7b5502ac142f1563

SHA512
cb2befef94883dab2aa5f121206ca928065c810e3b3d34b3c9c03918f22d7086f6e1de6fb75a4dc245debb0d4a88062acd07f051f2015509d1a30b5166490cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D21B.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D21B.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D21B.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D21B.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D21B.exe
Filesize
847KB

MD5
9f5338b4b61243e58465cb849059be56

SHA1
5ca8fbb0356f1c5e2d75de93e6e1271e942a199f

SHA256
91e6c80af515519f99e767a78845e29e09370f989461b44536fff1a0f54f21a2

SHA512
38b2a734c46a06c9946596593b3e0a1650c800d85212ab1258c645799d53e8a7ae29bf4649c972bd48f40c64c151da502336cdcace09ad3b352376cd865fad6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D364.exe
Filesize
351KB

MD5
692de8c91f98d23a083b03a42dc8ebbb

SHA1
dd4239e40ea1c7c39ce51d6fe32d44406e3a5bae

SHA256
3b5b370eaee8757dbe870a4d784ff79867d3a35df5bfe14dd7649e6c155d4c4a

SHA512
a33f008492557b7ccd3201fd6d8d9f68b518a42f62f87bb9c07cd1c6537ca148a243e10a01d0b89631ca1645603b44fd130a72dd84e60f2407251ae2e912cb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\D364.exe
Filesize
351KB

MD5
692de8c91f98d23a083b03a42dc8ebbb

SHA1
dd4239e40ea1c7c39ce51d6fe32d44406e3a5bae

SHA256
3b5b370eaee8757dbe870a4d784ff79867d3a35df5bfe14dd7649e6c155d4c4a

SHA512
a33f008492557b7ccd3201fd6d8d9f68b518a42f62f87bb9c07cd1c6537ca148a243e10a01d0b89631ca1645603b44fd130a72dd84e60f2407251ae2e912cb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\D49D.exe
Filesize
438KB

MD5
934af63c5835ca83808b957fe9fa9220

SHA1
da102774d53520c4238c494a6970ced9d8732964

SHA256
be6e64c85d2d4fdebd81bf199e0fca6991cf30a2397a454e263bdf66d8c94718

SHA512
c82edfc308d3a25cfcc47f9ae3f09f5ae2d00b7a332faf5a98dcadab4c1a4a2e6c99b88ec331a9b6e88813e7a3f813cddb7e6cbe802b8135ccd6942ffb1afb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\D49D.exe
Filesize
438KB

MD5
934af63c5835ca83808b957fe9fa9220

SHA1
da102774d53520c4238c494a6970ced9d8732964

SHA256
be6e64c85d2d4fdebd81bf199e0fca6991cf30a2397a454e263bdf66d8c94718

SHA512
c82edfc308d3a25cfcc47f9ae3f09f5ae2d00b7a332faf5a98dcadab4c1a4a2e6c99b88ec331a9b6e88813e7a3f813cddb7e6cbe802b8135ccd6942ffb1afb27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
282.4MB

MD5
6e8f8ee44be64e862227fee79aab0423

SHA1
f4f73b450834e18f9b5125a5086c51327a8512bf

SHA256
8427257f161fba5911657418f25cd0663687da28cd399756ec5726a33d2b02e8

SHA512
bf59c385892016cfc8528ba865d1b5d7a1fd5bc20c1b8d384b4172d0b2d1044c9dd00bfdfd77a3075e9d74bae4316979c512f4e49045273ca0ecc9b0187b034e

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
273.2MB

MD5
24c15bc4c17c3648b04db08deac781e7

SHA1
29467ed0588f92f1532a2e971dffca638790e880

SHA256
1b53ac22bd79215dcc0cfc5b9022947414faac0f4cb69238ebaf849cfc78779a

SHA512
01468c958406d61f54d6c9d7338b4b13a2efb78eb7c919d7c0586d1daae87688122a2f5b3b5327883e2f053fcba79f78695f1a32bab9ff35f397dfc68a7638a6

Download Submit
memory/756-161-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/756-160-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/756-162-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/756-163-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/756-177-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/756-142-0x0000000000000000-mapping.dmp

Download
memory/1460-206-0x0000000000000000-mapping.dmp

Download
memory/1460-236-0x0000000000B10000-0x0000000001274000-memory.dmp

Filesize
7.4MB

Download
memory/1624-171-0x0000000000B71000-0x0000000000CE2000-memory.dmp

Filesize
1.4MB

Download
memory/1624-136-0x0000000000000000-mapping.dmp

Download
memory/1624-164-0x0000000000B71000-0x0000000000CE2000-memory.dmp

Filesize
1.4MB

Download
memory/2108-195-0x0000000000000000-mapping.dmp

Download
memory/2216-155-0x00000000024E0000-0x00000000025FB000-memory.dmp

Filesize
1.1MB

Download
memory/2216-139-0x0000000000000000-mapping.dmp

Download
memory/2216-153-0x00000000007CA000-0x000000000085B000-memory.dmp

Filesize
580KB

Download
memory/2876-165-0x0000000000000000-mapping.dmp

Download
memory/2876-178-0x000000000068D000-0x00000000006A3000-memory.dmp

Filesize
88KB

Download
memory/2876-180-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2876-179-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/2876-188-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3020-228-0x0000000000000000-mapping.dmp

Download
memory/3452-168-0x0000000000000000-mapping.dmp

Download
memory/3652-199-0x00000000005DE000-0x0000000000612000-memory.dmp

Filesize
208KB

Download
memory/3652-189-0x0000000000000000-mapping.dmp

Download
memory/3652-202-0x0000000002130000-0x000000000218E000-memory.dmp

Filesize
376KB

Download
memory/3944-192-0x0000000000000000-mapping.dmp

Download
memory/3972-196-0x0000000000000000-mapping.dmp

Download
memory/3972-208-0x0000000050AD0000-0x0000000050BC3000-memory.dmp

Filesize
972KB

Download
memory/3972-205-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3972-204-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3972-197-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3972-201-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3972-200-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4416-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4416-152-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4416-149-0x0000000000000000-mapping.dmp

Download
memory/4416-159-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4416-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4416-150-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4576-187-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4576-181-0x0000000000000000-mapping.dmp

Download
memory/4576-203-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4576-186-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4576-184-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4624-185-0x00000000006D1000-0x0000000000762000-memory.dmp

Filesize
580KB

Download
memory/4624-172-0x0000000000000000-mapping.dmp

Download
memory/4636-170-0x0000000000000000-mapping.dmp

Download
memory/4656-238-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4656-234-0x000000000059C000-0x00000000005C6000-memory.dmp

Filesize
168KB

Download
memory/4656-235-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4656-237-0x000000000059C000-0x00000000005C6000-memory.dmp

Filesize
168KB

Download
memory/4860-132-0x000000000077E000-0x0000000000794000-memory.dmp

Filesize
88KB

Download
memory/4860-135-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4860-134-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4860-133-0x0000000002200000-0x0000000002209000-memory.dmp

Filesize
36KB

Download
memory/4912-156-0x000000000066D000-0x0000000000697000-memory.dmp

Filesize
168KB

Download
memory/4912-146-0x0000000000000000-mapping.dmp

Download
memory/4912-157-0x00000000005F0000-0x0000000000637000-memory.dmp

Filesize
284KB

Download
memory/4912-158-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4912-176-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4912-175-0x000000000066D000-0x0000000000697000-memory.dmp

Filesize
168KB

Download