echelon | c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90

General

Target

c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
Size

581KB
MD5

50ed9303ba7994498c77254088f9596b
SHA1

7a845ef4bd8a42df6f50c14686c82ab1ecd3bb46
SHA256

c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90
SHA512

e57c796d95f691a4b364b7904d335bf3a4d63a3e53610577b24588e8aa97d4cfac9a6e39543fc5d401d930d233675b05ea89f43218ac4895e8a9f30849836433
SSDEEP

12288:Hrs21BscZLJLUf9snBS4csPYae6qfz8AA:p16chhUF54clNf78B

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2024-0-0x0000000000B00000-0x0000000000B98000-memory.dmp	family_echelon
behavioral1/memory/2024-2-0x000000001B0E0000-0x000000001B160000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Looks up external IP address via web service 53 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
67	api.ipify.org
85	api.ipify.org
99	api.ipify.org
9	api.ipify.org
57	api.ipify.org
81	api.ipify.org
103	api.ipify.org
91	api.ipify.org
101	api.ipify.org
33	api.ipify.org
87	api.ipify.org
89	api.ipify.org
65	api.ipify.org
107	api.ipify.org
63	api.ipify.org
27	api.ipify.org
37	api.ipify.org
95	api.ipify.org
7	api.ipify.org
17	api.ipify.org
21	api.ipify.org
93	api.ipify.org
13	api.ipify.org
31	api.ipify.org
51	api.ipify.org
53	api.ipify.org
105	api.ipify.org
11	api.ipify.org
29	api.ipify.org
35	api.ipify.org
19	api.ipify.org
61	api.ipify.org
71	api.ipify.org
25	api.ipify.org
75	api.ipify.org
55	api.ipify.org
83	api.ipify.org
5	api.ipify.org
45	api.ipify.org
49	api.ipify.org
23	api.ipify.org
69	api.ipify.org
59	api.ipify.org
97	api.ipify.org
4	api.ipify.org
39	api.ipify.org
47	api.ipify.org
77	api.ipify.org
79	api.ipify.org
15	api.ipify.org
41	api.ipify.org
43	api.ipify.org
73	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exec05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exec05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exec05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exec05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe

description	pid	process
Token: SeDebugPrivilege	2024	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
Token: SeDebugPrivilege	2748	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
Token: SeDebugPrivilege	2836	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
Token: SeDebugPrivilege	2484	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
Token: SeDebugPrivilege	1500	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exec05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exec05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exec05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe

description	pid	process	target process
PID 2024 wrote to memory of 2748	2024	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2024 wrote to memory of 2748	2024	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2024 wrote to memory of 2748	2024	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2024 wrote to memory of 2660	2024	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2024 wrote to memory of 2660	2024	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2024 wrote to memory of 2660	2024	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2748 wrote to memory of 2836	2748	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2748 wrote to memory of 2836	2748	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2748 wrote to memory of 2836	2748	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2748 wrote to memory of 2500	2748	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2748 wrote to memory of 2500	2748	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2748 wrote to memory of 2500	2748	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2836 wrote to memory of 2484	2836	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2836 wrote to memory of 2484	2836	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2836 wrote to memory of 2484	2836	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2836 wrote to memory of 2312	2836	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2836 wrote to memory of 2312	2836	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2836 wrote to memory of 2312	2836	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2484 wrote to memory of 1500	2484	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2484 wrote to memory of 1500	2484	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2484 wrote to memory of 1500	2484	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
PID 2484 wrote to memory of 2812	2484	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2484 wrote to memory of 2812	2484	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe
PID 2484 wrote to memory of 2812	2484	c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
6⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
7⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
8⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
9⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
10⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
11⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
12⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
13⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
14⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
15⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
16⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
17⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
18⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
19⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
20⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
21⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
22⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
23⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
24⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
25⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
26⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
27⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
28⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
29⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
30⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
31⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
32⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
33⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
34⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
35⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
36⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
37⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
38⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
39⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
40⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
41⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
42⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
43⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
44⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
45⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
46⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
47⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
48⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
49⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
50⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
51⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
52⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe
"C:\Users\Admin\AppData\Local\Temp\c05f5e7e1a4b7bd31fc0264e5c4a2311f8c0e90bf5744ab6f40ed586d3764c90.exe"
53⤵
PID:1444

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2484 -s 1584
5⤵
PID:2812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2836 -s 1616
4⤵
PID:2312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2748 -s 1556
3⤵
PID:2500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2024 -s 1528
2⤵
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/324-23-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/324-19-0x000000001AE40000-0x000000001AEC0000-memory.dmp

Filesize
512KB

Download
memory/324-17-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/564-33-0x000000001AE50000-0x000000001AED0000-memory.dmp

Filesize
512KB

Download
memory/564-29-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/564-21-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/908-51-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/908-62-0x000000001ADF0000-0x000000001AE70000-memory.dmp

Filesize
512KB

Download
memory/908-60-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1484-30-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1484-28-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1500-20-0x000000001AED0000-0x000000001AF50000-memory.dmp

Filesize
512KB

Download
memory/1500-8-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1500-18-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-13-0x000000001AD40000-0x000000001ADC0000-memory.dmp

Filesize
512KB

Download
memory/1688-11-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-22-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1688-24-0x000000001AD40000-0x000000001ADC0000-memory.dmp

Filesize
512KB

Download
memory/1916-54-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1916-44-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1916-56-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/1972-40-0x000000001ABF0000-0x000000001AC70000-memory.dmp

Filesize
512KB

Download
memory/1972-38-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1972-49-0x000000001ABF0000-0x000000001AC70000-memory.dmp

Filesize
512KB

Download
memory/1972-48-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2024-1-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2024-6-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2024-0-0x0000000000B00000-0x0000000000B98000-memory.dmp

Filesize
608KB

Download
memory/2024-2-0x000000001B0E0000-0x000000001B160000-memory.dmp

Filesize
512KB

Download
memory/2032-42-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2032-50-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2032-52-0x000000001B1E0000-0x000000001B260000-memory.dmp

Filesize
512KB

Download
memory/2240-58-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2240-47-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-34-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-43-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-35-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-36-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2388-27-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2388-25-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-15-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-16-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2484-5-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-7-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download
memory/2748-3-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-9-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-10-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2784-14-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2784-26-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-12-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-4-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-37-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-46-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/2988-45-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-41-0x000000001A830000-0x000000001A8B0000-memory.dmp

Filesize
512KB

Download
memory/3064-31-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-39-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3064-32-0x000000001A830000-0x000000001A8B0000-memory.dmp

Filesize
512KB

Download
memory/3168-53-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3168-55-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/3304-59-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/3304-57-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3432-61-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3552-63-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads