gozi | aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e

Analysis

max time kernel
0s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74eexe.exe
Size

2.9MB
MD5

e69948a6953a77464e92ac44fe945242
SHA1

d0b1569b0ca632defc74a6320658c0c1481f3ee1
SHA256

aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74e
SHA512

f14f8a41c2e5dad21908eae3494cc1db049e223b19186379256695825b9918813e4cd34d73f43eba36fdfbfff6608d50bf2b98dbd45f17c4b3136bc6087c2952
SSDEEP

49152:xcBhEwJ84vLRaBtIl9mVJUv0E5ZpAR7px2jOT+lp4wC/+nDVHrP7gvUQI0QBJ:xbCvLUBsgI0gZpU7pcOT+rL+4JbWUQ8

Score

10^/10

gozi nullmixer smokeloader vidar backdoor banker dropper isfb stealer trojan

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/2000-136-0x0000000003900000-0x000000000399D000-memory.dmp	family_vidar
behavioral2/memory/2000-183-0x0000000003900000-0x000000000399D000-memory.dmp	family_vidar

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Program crash 28 IoCs

pid	pid_target	Process	procid_target
2228	388	WerFault.exe
2484	2000	WerFault.exe	36
2868	2000	WerFault.exe	36
1260	2000	WerFault.exe	36
2696	2000	WerFault.exe	36
1492	2000	WerFault.exe	36
1232	2000	WerFault.exe	36
4152	2000	WerFault.exe	36
3968	1324	WerFault.exe	41
840	2000	WerFault.exe	36
3712	2000	WerFault.exe	36
1976	2000	WerFault.exe	36
432	2000	WerFault.exe	36
720	2000	WerFault.exe	36
2664	2000	WerFault.exe	36
3012	2000	WerFault.exe	36
3856	2000	WerFault.exe	36
5064	2000	WerFault.exe	36
3712	2196	WerFault.exe	38
3736	808	WerFault.exe	158
4952	752	WerFault.exe	168
4272	4276	WerFault.exe	46
2800	452	WerFault.exe	43
1952	1080	WerFault.exe	172
348	4136	WerFault.exe	183
4980	1932	WerFault.exe	187
1136	3108	WerFault.exe	194
2292	3712	WerFault.exe	198

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000c000000023238-206.dat	nsis_installer_2
behavioral2/files/0x000c000000023238-204.dat	nsis_installer_2
behavioral2/files/0x000a00000002323a-223.dat	nsis_installer_1
behavioral2/files/0x000a00000002323a-223.dat	nsis_installer_2

C:\Users\Admin\AppData\Local\Temp\aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74eexe.exe
"C:\Users\Admin\AppData\Local\Temp\aa5e9ff271143c3cd205988c3100f1bb844d70d2930f04a2b2002e9c0951a74eexe.exe"
1⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21ab69e87d0.exe
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\Sun21ab69e87d0.exe
  Sun21ab69e87d0.exe
  2⤵
  PID:3784

C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\Sun213b31a7e71d4cf6d.exe
Sun213b31a7e71d4cf6d.exe
1⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\Sun21dd3b887a3.exe
Sun21dd3b887a3.exe
1⤵
PID:4040
- C:\ProgramData\Java Updater\oww153c9.exe
  /prstb
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1128
      4⤵
      Program crash
      PID:4952
- C:\ProgramData\Java Updater\oww153c9.exe
  /prstb
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1148
      4⤵
      Program crash
      PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 388 -ip 388
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 576
1⤵
- Program crash
PID:2228

C:\Users\Admin\AppData\Local\Temp\is-52AT4.tmp\Sun218856081dd1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-52AT4.tmp\Sun218856081dd1.tmp" /SL5="$401E4,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\Sun218856081dd1.exe"
1⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\Sun21688b2b2b63.exe
Sun21688b2b2b63.exe
1⤵
PID:2000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 824
  2⤵
  - Program crash
  PID:2484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 832
  2⤵
  - Program crash
  PID:2868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 876
  2⤵
  - Program crash
  PID:1260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 884
  2⤵
  - Program crash
  PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1040
  2⤵
  - Program crash
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\setup_install.exe"
    3⤵
    PID:388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1068
  2⤵
  - Program crash
  PID:1232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1228
  2⤵
  - Program crash
  PID:4152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1508
  2⤵
  - Program crash
  PID:840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1552
  2⤵
  - Program crash
  PID:3712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1604
  2⤵
  - Program crash
  PID:1976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1556
  2⤵
  - Program crash
  PID:432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1504
  2⤵
  - Program crash
  PID:720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1628
  2⤵
  - Program crash
  PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1624
  2⤵
  - Program crash
  PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1628
  2⤵
  - Program crash
  PID:3856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1028
  2⤵
  - Program crash
  PID:5064

C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\Sun218856081dd1.exe
Sun218856081dd1.exe
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\Sun211972de1e.exe
Sun211972de1e.exe
1⤵
PID:2196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 28312
  2⤵
  - Program crash
  PID:3712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\Sun21caad43cbccfb.exe
Sun21caad43cbccfb.exe
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\Sun21cfc7686a.exe
Sun21cfc7686a.exe
1⤵
PID:1324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 372
  2⤵
  - Program crash
  PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun213b31a7e71d4cf6d.exe
1⤵
PID:1844
- C:\ProgramData\Java Updater\oww153c9.exe
  /prstb
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:4136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1144
      4⤵
      Program crash
      PID:348
- C:\ProgramData\Java Updater\oww153c9.exe
  /prstb
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1068
      4⤵
      Program crash
      PID:4980
- C:\ProgramData\Java Updater\oww153c9.exe
  /prstb
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:3108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1144
      4⤵
      Program crash
      PID:1136
- C:\ProgramData\Java Updater\oww153c9.exe
  /prstb
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:3712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1116
      4⤵
      Program crash
      PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21dd3b887a3.exe
1⤵
PID:452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 372
  2⤵
  - Program crash
  PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun218856081dd1.exe
1⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21688b2b2b63.exe
1⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21caad43cbccfb.exe
1⤵
PID:4276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 376
  2⤵
  - Program crash
  PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun21cfc7686a.exe
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2000 -ip 2000
1⤵
PID:3124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun211972de1e.exe
1⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2000 -ip 2000
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2000 -ip 2000
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2000 -ip 2000
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2000 -ip 2000
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2000 -ip 2000
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2000 -ip 2000
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1324 -ip 1324
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2000 -ip 2000
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2000 -ip 2000
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2000 -ip 2000
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2000 -ip 2000
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2000 -ip 2000
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2000 -ip 2000
1⤵
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2000 -ip 2000
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2000 -ip 2000
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2000 -ip 2000
1⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\B5D3.exe
C:\Users\Admin\AppData\Local\Temp\B5D3.exe
1⤵
PID:1324
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1144
    3⤵
    - Program crash
    PID:3736

C:\Users\Admin\AppData\Local\Temp\BC6B.exe
C:\Users\Admin\AppData\Local\Temp\BC6B.exe
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  2⤵
  PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2196 -ip 2196
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4888 -ip 4888
1⤵
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 808 -ip 808
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 752 -ip 752
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 452 -ip 452
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4276 -ip 4276
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1080 -ip 1080
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4136 -ip 4136
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1932 -ip 1932
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3108 -ip 3108
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3712 -ip 3712
1⤵
PID:1612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4D54D647\setup_install.exe

Filesize
92KB

MD5
5677e24c9dfd2152dacbaf1892a326ff

SHA1
f79f93170717f80ec026ccb0cfa808cf4f4b5c35

SHA256
cf182bcb171645331644b74d8c63f697550ddd00825394d89f7fff097dd10fb5

SHA512
63643810123462501735c56667fa3a16ec9782556567fe4753172cf88ca99ef556ae25e89d1a4c7392978fbc4456a46653c202b7cbc659934903f304ddff4d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5D3.exe

Filesize
360KB

MD5
0c819dd27a128d9234daa3d772fb8c20

SHA1
d5d36492818872da8e70dc28cc85389b8e0f3819

SHA256
ae088798b181a2bf822fcd3bec3a11779f45a8e3b83cb6c75c5ffbffc3c3d5b2

SHA512
f502ddb79703297cf0592e68c3f1f964584725d7aa670272998f174ffa108bb7340c0d65d38d69e1b3f7f1217628dadda108fa2d5fe1eab73b7b3302b9f769b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC6B.exe

Filesize
6.8MB

MD5
6c764b44fa70a6278585d73aa9628e92

SHA1
164cb720560831360e3387b49ce30661af5e00db

SHA256
70855a2ce47a41d098654191f371425f5cbe5ef427808672c8e9adbde9b921d8

SHA512
a9ce70f566a020759e1bc37f9bf704f88443fbb0b6a552e62ca4db0fee1c80caebec98bdaf037cd8eed89fe70646040335bb6ad36d38dacbdbe62c0f4a00fead

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC6B.exe

Filesize
6.5MB

MD5
068d4e819afef4b6bd83715170822b3e

SHA1
57aaf82f405f5d572c44546b50395b926175fd86

SHA256
beebbb20fe1beb7912a1cf2367dbf24fba630508e41d802f1f7020566da0eb43

SHA512
fc793592da86d196386018ee597ca564e5a0b8e8cc03075b98a37fd23595bba57a738e39a19247d49b17059a881cddf66266013837ff5f20e8406cd286d50555

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

Filesize
2.2MB

MD5
0badb0e573d95db49ac23c11163d9386

SHA1
d86dd20e4498ba5576272df07cd71dd9ed40bf8d

SHA256
5ebb608342d1306743d1ab56bb587b00d7e14737f5af48be3fa738a98cf29668

SHA512
a83d397fdcf2b749aac8f1db38a991b06a70c58d21c84d09cd8a732ee744287e7d7d58edeb817006b6ee245ed313993a3280aea32fd4c5a079b4f960ab35eff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lib.dll

Filesize
2.2MB

MD5
bc94fe5f3a7d234dceefa5a25c109358

SHA1
eefd19123cb554bd975d9848eff08f195c7794bb

SHA256
fdbd693e2a9eab791967e78eef8e1a3423c63b570d6fc8ccd9367be931c779c4

SHA512
650632899edc1bce009244cf228500c26df33c2036f774f60529c10bf7b277a49d3e635846097cf2d821a54e066a07f5f6ef2be055e1054e8c4a1a938fad9c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBF1B.tmp\System.dll

Filesize
12KB

MD5
dd87a973e01c5d9f8e0fcc81a0af7c7a

SHA1
c9206ced48d1e5bc648b1d0f54cccc18bf643a14

SHA256
7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

SHA512
4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

Download Submit
C:\Users\Admin\AppData\Roaming\fehvejd

Filesize
208KB

MD5
57506c6106f4c4e9b795d68f247a7bf0

SHA1
937d9694d68082c8d12fc0d31965514c881e2eab

SHA256
11577fc5b67317c24be99806ce1d5a41b5eac4dc96d1eb23983e1bbea2d003e4

SHA512
bbc0ad52ca09ecf4d4bc23ed68b1d02a6b47771ff7f6a4fa2a62e6ce4301385d0771f3fb4a9cd8330bbf712b3d41b14f1f1608aed45a12a2850239ee897b1636

Download Submit
memory/388-129-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/388-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/388-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/388-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/388-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/388-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/388-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/388-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/388-113-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/388-125-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/388-52-0x00000000007B0000-0x000000000083F000-memory.dmp

Filesize
572KB

Download
memory/388-128-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/388-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/388-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/388-126-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/388-120-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/388-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/388-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/388-55-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/452-237-0x0000000001430000-0x00000000014F4000-memory.dmp

Filesize
784KB

Download
memory/752-265-0x0000000000AF0000-0x0000000000F24000-memory.dmp

Filesize
4.2MB

Download
memory/752-277-0x0000000000AF0000-0x0000000000F23000-memory.dmp

Filesize
4.2MB

Download
memory/752-267-0x0000000000AF0000-0x0000000000F24000-memory.dmp

Filesize
4.2MB

Download
memory/752-269-0x00000000009A0000-0x0000000000A64000-memory.dmp

Filesize
784KB

Download
memory/808-213-0x0000000001230000-0x00000000012F4000-memory.dmp

Filesize
784KB

Download
memory/808-208-0x0000000000AF0000-0x0000000000F24000-memory.dmp

Filesize
4.2MB

Download
memory/808-211-0x0000000001230000-0x00000000012F4000-memory.dmp

Filesize
784KB

Download
memory/808-210-0x0000000001230000-0x00000000012F4000-memory.dmp

Filesize
784KB

Download
memory/808-202-0x0000000000AF0000-0x0000000000F24000-memory.dmp

Filesize
4.2MB

Download
memory/808-257-0x0000000000AF0000-0x0000000000F23000-memory.dmp

Filesize
4.2MB

Download
memory/808-234-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1080-285-0x0000000000AF0000-0x0000000000F24000-memory.dmp

Filesize
4.2MB

Download
memory/1260-88-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1260-112-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1260-82-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1324-132-0x0000000001EE0000-0x0000000001EE9000-memory.dmp

Filesize
36KB

Download
memory/1324-198-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1324-131-0x0000000002110000-0x0000000002210000-memory.dmp

Filesize
1024KB

Download
memory/1324-191-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/1324-193-0x00000000021A0000-0x0000000002206000-memory.dmp

Filesize
408KB

Download
memory/1324-194-0x00000000005E0000-0x00000000005ED000-memory.dmp

Filesize
52KB

Download
memory/1324-197-0x0000000077114000-0x0000000077115000-memory.dmp

Filesize
4KB

Download
memory/1324-135-0x0000000000400000-0x0000000001D81000-memory.dmp

Filesize
25.5MB

Download
memory/1324-199-0x00000000026F0000-0x00000000026FC000-memory.dmp

Filesize
48KB

Download
memory/1324-200-0x00000000021A0000-0x0000000002206000-memory.dmp

Filesize
408KB

Download
memory/1324-195-0x00000000021A0000-0x0000000002206000-memory.dmp

Filesize
408KB

Download
memory/1324-217-0x00000000021A0000-0x0000000002206000-memory.dmp

Filesize
408KB

Download
memory/1324-172-0x0000000000400000-0x0000000001D81000-memory.dmp

Filesize
25.5MB

Download
memory/1324-173-0x0000000001EE0000-0x0000000001EE9000-memory.dmp

Filesize
36KB

Download
memory/1844-238-0x0000000000E90000-0x0000000000F54000-memory.dmp

Filesize
784KB

Download
memory/1976-154-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/1976-92-0x0000000004900000-0x0000000004936000-memory.dmp

Filesize
216KB

Download
memory/1976-141-0x000000007F0C0000-0x000000007F0D0000-memory.dmp

Filesize
64KB

Download
memory/1976-104-0x0000000004FD0000-0x00000000055F8000-memory.dmp

Filesize
6.2MB

Download
memory/1976-105-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/1976-157-0x00000000078C0000-0x0000000007F3A000-memory.dmp

Filesize
6.5MB

Download
memory/1976-168-0x0000000072690000-0x0000000072E40000-memory.dmp

Filesize
7.7MB

Download
memory/1976-134-0x00000000064B0000-0x00000000064FC000-memory.dmp

Filesize
304KB

Download
memory/1976-164-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/1976-102-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/1976-165-0x0000000007550000-0x0000000007558000-memory.dmp

Filesize
32KB

Download
memory/1976-162-0x0000000007460000-0x000000000746E000-memory.dmp

Filesize
56KB

Download
memory/1976-119-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/1976-163-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/1976-110-0x0000000005770000-0x0000000005792000-memory.dmp

Filesize
136KB

Download
memory/1976-133-0x0000000004C40000-0x0000000004C5E000-memory.dmp

Filesize
120KB

Download
memory/1976-127-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/1976-156-0x0000000007190000-0x0000000007233000-memory.dmp

Filesize
652KB

Download
memory/1976-155-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/1976-144-0x0000000074280000-0x00000000742CC000-memory.dmp

Filesize
304KB

Download
memory/1976-161-0x0000000007430000-0x0000000007441000-memory.dmp

Filesize
68KB

Download
memory/1976-160-0x00000000074A0000-0x0000000007536000-memory.dmp

Filesize
600KB

Download
memory/1976-158-0x0000000007240000-0x000000000725A000-memory.dmp

Filesize
104KB

Download
memory/1976-159-0x00000000072B0000-0x00000000072BA000-memory.dmp

Filesize
40KB

Download
memory/1976-142-0x0000000006440000-0x0000000006472000-memory.dmp

Filesize
200KB

Download
memory/1976-101-0x0000000072690000-0x0000000072E40000-memory.dmp

Filesize
7.7MB

Download
memory/1976-130-0x0000000005A80000-0x0000000005DD4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-137-0x0000000001E40000-0x0000000001F40000-memory.dmp

Filesize
1024KB

Download
memory/2000-136-0x0000000003900000-0x000000000399D000-memory.dmp

Filesize
628KB

Download
memory/2000-138-0x0000000000400000-0x0000000001DDD000-memory.dmp

Filesize
25.9MB

Download
memory/2000-177-0x0000000000400000-0x0000000001DDD000-memory.dmp

Filesize
25.9MB

Download
memory/2000-183-0x0000000003900000-0x000000000399D000-memory.dmp

Filesize
628KB

Download
memory/2196-239-0x0000000004470000-0x0000000004534000-memory.dmp

Filesize
784KB

Download
memory/2196-242-0x0000000004470000-0x0000000004534000-memory.dmp

Filesize
784KB

Download
memory/2992-282-0x0000000002030000-0x0000000002096000-memory.dmp

Filesize
408KB

Download
memory/3432-209-0x00007FF7E77C0000-0x00007FF7E7E85000-memory.dmp

Filesize
6.8MB

Download
memory/3432-222-0x00007FF7E77C0000-0x00007FF7E7E85000-memory.dmp

Filesize
6.8MB

Download
memory/3528-169-0x0000000003120000-0x0000000003135000-memory.dmp

Filesize
84KB

Download
memory/3784-77-0x00000000010F0000-0x0000000001110000-memory.dmp

Filesize
128KB

Download
memory/3784-73-0x00007FF93C200000-0x00007FF93CCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3784-85-0x000000001B580000-0x000000001B590000-memory.dmp

Filesize
64KB

Download
memory/3784-140-0x00007FF93C200000-0x00007FF93CCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3784-72-0x0000000000910000-0x000000000093E000-memory.dmp

Filesize
184KB

Download
memory/4040-247-0x0000000003400000-0x00000000034C4000-memory.dmp

Filesize
784KB

Download
memory/4040-240-0x0000000003400000-0x00000000034C4000-memory.dmp

Filesize
784KB

Download
memory/4040-250-0x0000000003400000-0x00000000034C4000-memory.dmp

Filesize
784KB

Download
memory/4276-236-0x0000000000E10000-0x0000000000ED4000-memory.dmp

Filesize
784KB

Download
memory/4488-262-0x00000000006F0000-0x0000000000756000-memory.dmp

Filesize
408KB

Download
memory/4488-273-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/4784-83-0x00007FF93C200000-0x00007FF93CCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-143-0x00007FF93C200000-0x00007FF93CCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-89-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/4784-178-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/4784-76-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/4888-235-0x00000000018C0000-0x0000000001984000-memory.dmp

Filesize
784KB

Download
memory/4888-244-0x00000000018C0000-0x0000000001984000-memory.dmp

Filesize
784KB

Download
memory/4952-103-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4952-109-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads