joker | 8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2022 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe
Size

1.5MB
MD5

8dc3186fd0f4dd9101deb7568024cb72
SHA1

905c4783b13ea9c3d4770128c47b8a03c2bc4926
SHA256

8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a
SHA512

905c8f40f8cf754100b09da7056988c25aa60fb3c93f730fa53af87dabf1b46e197edf5df410d90971e15163e20553bb320c0527b16c5665244071d2cbf55377
SSDEEP

24576:NEMusNFaoFF5d8CdldCE/Y4MjUL/AhKCkTqEJWmAJ9HXZ:NnFhCEQJkAhKYb

Score

10^/10

joker infostealer persistence trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy

Loads dropped DLL 2 IoCs

pid	Process
3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1c894e81-9002-4233-a739-4b1bd4f7b292.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221011000728.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3628	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe
3628	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe
3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
5076	msedge.exe
5076	msedge.exe
3488	msedge.exe
3488	msedge.exe
4900	identity_helper.exe
4900	identity_helper.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3628	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe
3628	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe
3628	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe
3628	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe
3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3468	3628	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe	81
PID 3628 wrote to memory of 3468	3628	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe	81
PID 3628 wrote to memory of 3468	3628	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe	81
PID 3468 wrote to memory of 3488	3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy	90
PID 3468 wrote to memory of 3488	3468	8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy	90
PID 3488 wrote to memory of 3944	3488	msedge.exe	91
PID 3488 wrote to memory of 3944	3488	msedge.exe	91
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 3356	3488	msedge.exe	92
PID 3488 wrote to memory of 5076	3488	msedge.exe	93
PID 3488 wrote to memory of 5076	3488	msedge.exe	93
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95
PID 3488 wrote to memory of 2692	3488	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe
"C:\Users\Admin\AppData\Local\Temp\8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
  C:\Users\Admin\AppData\Local\Temp\8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.icabala.net/thread-250-1-1.html
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd4,0xfc,0x100,0xd8,0x104,0x7fff39c746f8,0x7fff39c74708,0x7fff39c74718
      4⤵
      PID:3944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:3356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
      4⤵
      PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
      4⤵
      PID:3640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
      4⤵
      PID:4408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 /prefetch:8
      4⤵
      PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
      4⤵
      PID:2464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4364 /prefetch:8
      4⤵
      PID:4248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
      4⤵
      PID:1820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:3476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x100,0xfc,0x25c,0xf4,0x7ff7d9e45460,0x7ff7d9e45470,0x7ff7d9e45480
        5⤵
        
        PID:1228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3176 /prefetch:8
      4⤵
      PID:984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6460 /prefetch:8
      4⤵
      PID:1096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1740 /prefetch:8
      4⤵
      PID:632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14098793083893689707,6725275240672771708,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2552 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy

Filesize
1.5MB

MD5
8dc3186fd0f4dd9101deb7568024cb72

SHA1
905c4783b13ea9c3d4770128c47b8a03c2bc4926

SHA256
8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a

SHA512
905c8f40f8cf754100b09da7056988c25aa60fb3c93f730fa53af87dabf1b46e197edf5df410d90971e15163e20553bb320c0527b16c5665244071d2cbf55377

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a.dmy

Filesize
1.5MB

MD5
8dc3186fd0f4dd9101deb7568024cb72

SHA1
905c4783b13ea9c3d4770128c47b8a03c2bc4926

SHA256
8f56bce9115cfad4972b404875e74885f3c6cbefe2fc061df2af4a8cf1b3932a

SHA512
905c8f40f8cf754100b09da7056988c25aa60fb3c93f730fa53af87dabf1b46e197edf5df410d90971e15163e20553bb320c0527b16c5665244071d2cbf55377

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziplib.dll

Filesize
453KB

MD5
6df0ed0afe162198116be68aba60e0c4

SHA1
bd0ca25ff4e495717be7345933aaa90755e5a6ca

SHA256
14172cccc2b24d7b490b6038c9493e64d5cab4afeee62014710dfad546eec9dc

SHA512
6696ec1e2261e44e1259609f74e95c205165048d94e581f44b09b87fc70e89b2eaeecd09b7de9cb9735dab0b9d90dd4ff7b5ac07e4b5bd8e5f502e71bbfdb757

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziplib.dll

Filesize
453KB

MD5
6df0ed0afe162198116be68aba60e0c4

SHA1
bd0ca25ff4e495717be7345933aaa90755e5a6ca

SHA256
14172cccc2b24d7b490b6038c9493e64d5cab4afeee62014710dfad546eec9dc

SHA512
6696ec1e2261e44e1259609f74e95c205165048d94e581f44b09b87fc70e89b2eaeecd09b7de9cb9735dab0b9d90dd4ff7b5ac07e4b5bd8e5f502e71bbfdb757

Download Submit
memory/3468-137-0x0000000005FC0000-0x0000000006037000-memory.dmp

Filesize
476KB

Download