gcleaner | 995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b

Analysis

max time kernel
1s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b.exe
Size

5.9MB
MD5

a9d63ba83576c19bb1dbad9e85b51ecc
SHA1

f37937e9afd6c78be38c58ebf84a03f66091c03c
SHA256

995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b
SHA512

e2ae86e9ace7e96c1097c5e570644824dcc07c9fc477bde54a43f91abadca11171cf649f9612e88107cb4cdfd700ff1e8a21c54d3432eb6f3089d9e6e3b65b62
SSDEEP

98304:JaZL5WwT7cp5HNGSNhOpW8XIw0J+OfIxJ67PYpVd9kxzamMHf42P8baI2BWcjOzF:JaZoYc5geAAILMYpBiam9e8OIiFOz8q

Malware Config

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

redline

Botnet

she

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

redline

Botnet

ANI

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

vidar

Version

41.4

Botnet

916

https://mas.to/@sslam

Attributes

profile_id
916

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/4468-168-0x00000000037A0000-0x00000000037C4000-memory.dmp	family_redline
behavioral2/memory/4468-171-0x0000000005C70000-0x0000000005C92000-memory.dmp	family_redline
behavioral2/memory/2896-219-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4468-168-0x00000000037A0000-0x00000000037C4000-memory.dmp	family_sectoprat
behavioral2/memory/4468-170-0x0000000005DF0000-0x0000000005E00000-memory.dmp	family_sectoprat
behavioral2/memory/4468-171-0x0000000005C70000-0x0000000005C92000-memory.dmp	family_sectoprat
behavioral2/memory/2896-219-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 3 IoCs

resource	yara_rule
behavioral2/memory/4536-208-0x0000000000400000-0x00000000016D4000-memory.dmp	family_onlylogger
behavioral2/memory/4536-205-0x0000000003340000-0x0000000003389000-memory.dmp	family_onlylogger
behavioral2/memory/4536-338-0x0000000000400000-0x00000000016D4000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/2440-224-0x0000000000400000-0x0000000001727000-memory.dmp	family_vidar
behavioral2/memory/2440-211-0x00000000033F0000-0x00000000034C6000-memory.dmp	family_vidar
behavioral2/memory/2440-322-0x0000000000400000-0x0000000001727000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023219-69.dat	aspack_v212_v242
behavioral2/files/0x0008000000023214-62.dat	aspack_v212_v242
behavioral2/files/0x000a000000023143-64.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b.exe

Executes dropped EXE 1 IoCs

pid	Process
1284	setup_installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
5036	2904	WerFault.exe	91
5836	4536	WerFault.exe
5768	4536	WerFault.exe
6024	4536	WerFault.exe
4440	4536	WerFault.exe
5324	3964	WerFault.exe
5596	4536	WerFault.exe
5756	2440	WerFault.exe
5868	4536	WerFault.exe	163
5352	4536	WerFault.exe	163
5556	4536	WerFault.exe	163
3376	4536	WerFault.exe	163
3752	4536	WerFault.exe	163
4340	4536	WerFault.exe	163
5092	4536	WerFault.exe	163

Kills process with taskkill 3 IoCs

evasion

pid	Process
5908	taskkill.exe
5980	taskkill.exe
5772	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 1284	4192	995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b.exe	90
PID 4192 wrote to memory of 1284	4192	995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b.exe	90
PID 4192 wrote to memory of 1284	4192	995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b.exe	90

C:\Users\Admin\AppData\Local\Temp\995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b.exe
"C:\Users\Admin\AppData\Local\Temp\995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\7zS405B0267\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS405B0267\setup_install.exe"
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 548
      4⤵
      Program crash
      PID:5036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat116f0e3cb0.exe
      4⤵
      PID:3620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat11b592c84aa.exe
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat115453b36686.exe
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat11e3c9238d6c.exe
      4⤵
      PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat114bd3f1cd0aec1fc.exe
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1174aaee9df2.exe
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat119216ef3957e64.exe
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat117453ee4930fe0.exe
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat11f7ff9216f1cc.exe
      4⤵
      PID:3784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat11a033780a.exe
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat11774c8a276a66c.exe
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1183663dbb.exe
      4⤵
      PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat11dba36c1fa155.exe /mixone
      4⤵
      PID:4476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1172dcffed8ac.exe
      4⤵
      PID:3756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat11c6378d2d.exe
      4⤵
      PID:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11b592c84aa.exe
Sat11b592c84aa.exe
1⤵
PID:4380
- C:\Users\Admin\AppData\Local\Temp\is-P56EB.tmp\Sat11b592c84aa.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P56EB.tmp\Sat11b592c84aa.tmp" /SL5="$501F4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11b592c84aa.exe"
  2⤵
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11b592c84aa.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11b592c84aa.exe" /SILENT
    3⤵
    PID:5124

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat117453ee4930fe0.exe
Sat117453ee4930fe0.exe
1⤵
PID:4552
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VBsCRipt:cLosE ( creATEobjEct( "wScRiPt.sHEll" ).RUn ( "C:\Windows\system32\cmd.exe /q /r TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat117453ee4930fe0.exe"" >odkUUtX.EXE&&StARt oDKUUtx.Exe /pTRun8i34NPJhus12 &iF """" == """" for %A IN (""C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat117453ee4930fe0.exe"" ) do taskkill -IM ""%~NxA"" -f " ,0 ,tRuE) )
  2⤵
  PID:2428

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11e3c9238d6c.exe
Sat11e3c9238d6c.exe
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2904 -ip 2904
1⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11f7ff9216f1cc.exe
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11f7ff9216f1cc.exe
1⤵
PID:2896

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat1183663dbb.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat1183663dbb.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
1⤵
PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat1183663dbb.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat1183663dbb.exe") do taskkill /F -Im "%~NxU"
  2⤵
  PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4536 -ip 4536
1⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\09xU.exE
09xU.EXE -pPtzyIkqLZoCarb5ew
1⤵
PID:5788
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
    3⤵
    PID:5136
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
  2⤵
  PID:5832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
    3⤵
    PID:5492
  - - C:\Windows\SysWOW64\control.exe
      control .\R6f7sE.I
      4⤵
      PID:5776
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        5⤵
        
        PID:5944
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
        6⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
        7⤵
        
        PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" eCHO "
      4⤵
      PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 656
1⤵
- Program crash
PID:5836

C:\Windows\SysWOW64\taskkill.exe
taskkill -IM "Sat117453ee4930fe0.exe" -f
1⤵
- Kills process with taskkill
PID:5908

C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Sat1183663dbb.exe"
1⤵
- Kills process with taskkill
PID:5980

C:\Users\Admin\AppData\Local\Temp\odkUUtX.EXE
oDKUUtx.Exe /pTRun8i34NPJhus12
1⤵
PID:5872
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VBsCRipt:cLosE ( creATEobjEct( "wScRiPt.sHEll" ).RUn ( "C:\Windows\system32\cmd.exe /q /r TYPe ""C:\Users\Admin\AppData\Local\Temp\odkUUtX.EXE"" >odkUUtX.EXE&&StARt oDKUUtx.Exe /pTRun8i34NPJhus12 &iF ""/pTRun8i34NPJhus12 "" == """" for %A IN (""C:\Users\Admin\AppData\Local\Temp\odkUUtX.EXE"" ) do taskkill -IM ""%~NxA"" -f " ,0 ,tRuE) )
  2⤵
  PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /r TYPe "C:\Users\Admin\AppData\Local\Temp\odkUUtX.EXE" >odkUUtX.EXE&&StARt oDKUUtx.Exe /pTRun8i34NPJhus12 &iF "/pTRun8i34NPJhus12 " =="" for %A IN ("C:\Users\Admin\AppData\Local\Temp\odkUUtX.EXE" ) do taskkill -IM "%~NxA" -f
    3⤵
    PID:5368
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbSCRipT: CLose (CREateOBJeCT ("wScRiPT.ShelL" ). rUn( "cmd.Exe /R ECHo akJ%RANdom%S6> OsOp.l & ecHO | SeT /P = ""MZ"" > TG4B.3Y & CoPy /y /b TG4B.3Y + DRRsN4.HX9 +4EMMBR.CM +F2IMq.H9n +IDYdAw.b + OSoP.L Y2LM.I& sTArT msiexec /Y .\Y2LM.I " , 0 , TruE ) )
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /R ECHo akJ%RANdom%S6> OsOp.l & ecHO | SeT /P = "MZ" > TG4B.3Y & CoPy /y /b TG4B.3Y + DRRsN4.HX9+4EMMBR.CM +F2IMq.H9n +IDYdAw.b + OSoP.L Y2LM.I& sTArT msiexec /Y .\Y2LM.I
    3⤵
    PID:5444
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /Y .\Y2LM.I
      4⤵
      PID:6124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>TG4B.3Y"
      4⤵
      PID:5296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" ecHO "
      4⤵
      PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4536 -ip 4536
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 820
1⤵
- Program crash
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4536 -ip 4536
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4536 -ip 4536
1⤵
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 756
1⤵
- Program crash
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 772
1⤵
- Program crash
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4536 -ip 4536
1⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3964 -ip 3964
1⤵
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 376
1⤵
- Program crash
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 276
1⤵
- Program crash
PID:5596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /r TYPe "C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat117453ee4930fe0.exe" >odkUUtX.EXE&&StARt oDKUUtx.Exe /pTRun8i34NPJhus12 &iF "" =="" for %A IN ("C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat117453ee4930fe0.exe" ) do taskkill -IM "%~NxA" -f
1⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\is-PHGF1.tmp\Sat11b592c84aa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PHGF1.tmp\Sat11b592c84aa.tmp" /SL5="$1025E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11b592c84aa.exe" /SILENT
1⤵
PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2440 -ip 2440
1⤵
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1028
1⤵
- Program crash
PID:5756

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
1⤵
PID:5212
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im chrome.exe
  2⤵
  - Kills process with taskkill
  PID:5772

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat1174aaee9df2.exe
Sat1174aaee9df2.exe
1⤵
PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:5476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96ffb9758,0x7ff96ffb9768,0x7ff96ffb9778
    3⤵
    PID:6012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:8
    3⤵
    PID:5432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:8
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:2
    3⤵
    PID:5984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:1
    3⤵
    PID:4140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:1
    3⤵
    PID:4188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4016 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:1
    3⤵
    PID:5988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3792 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:8
    3⤵
    PID:6100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4044 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:8
    3⤵
    PID:4952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:8
    3⤵
    PID:4360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:8
    3⤵
    PID:628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2392 --field-trial-handle=1900,i,328421387457073147,5994742350766289927,131072 /prefetch:2
    3⤵
    PID:3896

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat116f0e3cb0.exe
Sat116f0e3cb0.exe
1⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat115453b36686.exe
Sat115453b36686.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11f7ff9216f1cc.exe
Sat11f7ff9216f1cc.exe
1⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat119216ef3957e64.exe
Sat119216ef3957e64.exe
1⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat1172dcffed8ac.exe
Sat1172dcffed8ac.exe
1⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat1183663dbb.exe
Sat1183663dbb.exe
1⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11a033780a.exe
Sat11a033780a.exe
1⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11774c8a276a66c.exe
Sat11774c8a276a66c.exe
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4536 -ip 4536
1⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11dba36c1fa155.exe
Sat11dba36c1fa155.exe /mixone
1⤵
PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 932
  2⤵
  - Program crash
  PID:5868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1080
  2⤵
  - Program crash
  PID:5352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1088
  2⤵
  - Program crash
  PID:5556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1348
  2⤵
  - Program crash
  PID:3376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 920
  2⤵
  - Program crash
  PID:3752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1216
  2⤵
  - Program crash
  PID:4340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1204
  2⤵
  - Program crash
  PID:5092

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11c6378d2d.exe
Sat11c6378d2d.exe
1⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat114bd3f1cd0aec1fc.exe
Sat114bd3f1cd0aec1fc.exe
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4536 -ip 4536
1⤵
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4536 -ip 4536
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4536 -ip 4536
1⤵
PID:2932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4536 -ip 4536
1⤵
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4536 -ip 4536
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4536 -ip 4536
1⤵
PID:6092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat1172dcffed8ac.exe

Filesize
402KB

MD5
d08cc10c7c00e13dfb01513f7f817f87

SHA1
f3adddd06b5d5b3f7d61e2b72860de09b410f571

SHA256
0fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d

SHA512
0b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11774c8a276a66c.exe

Filesize
89KB

MD5
37a1c118196892aa451573a142ea05d5

SHA1
4144c1a571a585fef847da516be8d89da4c8771e

SHA256
a3befd523e1e2f4e6f8fce281963f5efb85fe54d85ba67746cc58823d479e92a

SHA512
aac6321582dac5d82cbdb197c20370df3436cf884bea44cbc6d156fd6c4fa99340a3fa866862b83fb0866b31a1e4ebdd73c462972beeb299d4af95592c1d94db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11a033780a.exe

Filesize
32KB

MD5
96296a6a409d9e8f092a30d3a6e6f5f3

SHA1
bd9a30cf074b55a1aab5f207c876254c4ff6159c

SHA256
373e8b05e0dfe5ddf7b220ef49cd5c093b08edee729029bc9660958fe1fa7bf0

SHA512
a6b6a33f917c5a45ee5c90dac2fa29643b89367b1e6d3ae4ac413d7b557b63a0c294346a3e153316bc4bc31d65c61aeafd986f75ef164a2720b11729115b59be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11c6378d2d.exe

Filesize
290KB

MD5
7478c31e2cabccaebeeba566ec1b67de

SHA1
00d68a73568632ea29ff5b6213fe91394c7f3e7c

SHA256
5a806f92855d67d91e15df6525266f6666356e147f10952101e269da09ed86d2

SHA512
c09499266d92f3ecee164933fa61dbfb9d2555d186601bf534c65742e8650bb878dd0b37fed7fb9c9684fc4748c2b1fdc4ee36d123ba3997a769e436846f5537

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11dba36c1fa155.exe

Filesize
92KB

MD5
35e6a863c51fbfc9906e98d0abe06654

SHA1
01ed5f3c7a7cf0450f861732e756fa247cded4de

SHA256
63142b3245bab7ea4c7ef93d16e4bca85b7904eb082f5dce2d632977797cf9aa

SHA512
6e8ccb3785c4405b3020c75e2dfc5c00cfbc45c50efdb840d8e74b552aa8c3bd6b2aa2ac3343d03d0953282fe6f9842206c52c0238fb6300328b3acf013dc980

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\Sat11f7ff9216f1cc.exe

Filesize
92KB

MD5
6b5cede7b58af5477a509a32351efbe8

SHA1
799ca2a76429c841d4113c0425335f5d940934c3

SHA256
1ec5c22d4a500d80d3a14b630c4e205a76ab51c833c6ff15762402c690ccad3b

SHA512
57be284f736ae0a998db3a3674430bf68c7e9492ccf49b388be02f5332b66f2ea206937367c369cdc002f3fbf1a9b03a332af50171ee86310d60c26994061137

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\setup_install.exe

Filesize
381KB

MD5
37cae4df9ef15a02b2884a4a10e9469a

SHA1
57c9c2a2c7d8bc2bb4e573f89a51e61688c9a333

SHA256
5c91ce33b603eeb7740b811e460c0c25fd08376366ff42f9e652b44794c6d768

SHA512
baaea2224ee35ae82acfc6b0d1a1068bb2abb462f9bc889541ab8d538be9e7a43188ede7dc85ee8f3cd32555be0f83d628f468567a85b9d244481c52ae2d0b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS405B0267\setup_install.exe

Filesize
2.1MB

MD5
42ae5a8d09846d009f68ad78da61d856

SHA1
47557110212d14ca48d01f3b67d77176e22753c1

SHA256
8c058336e74baaf1deefa5184a856a5c62b753d7c92f6ef897b92024dd288c88

SHA512
5f444d6fe4e8b131d63a5375563b5104d74d9395783e9fe33b8794224b2187060d412a98d0a0e5d833fc4ef8663c1d17df0651efa8d9b8c8d446c4823535465f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
180KB

MD5
0b014c3d8c47a4c7894f55f91d803724

SHA1
7ce32aa15cc1e53ec446c534c7eea698f7da35ef

SHA256
3b37433eec29a63deae30cfaa6935c7f9cb2f45603f40339e0938e3c5b647eb7

SHA512
03444f82f01f84414162b6c0966efdb005fb18aec6aafffbd3bf59b171c681ced9bbf129d3d0b5304e680c3fee09987971f4c022f7412f0df85143eb49be3ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
92KB

MD5
d772d6902200f5d4599a9b27d0d8f9e6

SHA1
564eefb3fabe655b2fb51f492959b158cb20e12d

SHA256
7bf11639663306b53a7fe0e3826d12f03e1dda7b1fb3abaa758e3281d35f8e17

SHA512
6682d79a013129aceba9cde75a82f0444a28d30bfbd1c4656d7e3774b469283027a780362657c908c991f9b5939db32792e6713a323667ab763a95b3f3e23d36

Download Submit
memory/760-101-0x0000000005290000-0x00000000052C6000-memory.dmp

Filesize
216KB

Download
memory/760-162-0x0000000006440000-0x0000000006794000-memory.dmp

Filesize
3.3MB

Download
memory/760-240-0x0000000006E00000-0x0000000006E32000-memory.dmp

Filesize
200KB

Download
memory/760-135-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/760-104-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/760-226-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/760-252-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

Filesize
120KB

Download
memory/760-103-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/760-105-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/760-242-0x000000006C650000-0x000000006C69C000-memory.dmp

Filesize
304KB

Download
memory/760-241-0x000000007F2B0000-0x000000007F2C0000-memory.dmp

Filesize
64KB

Download
memory/760-216-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/760-149-0x00000000063B0000-0x0000000006416000-memory.dmp

Filesize
408KB

Download
memory/760-225-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/760-188-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/760-151-0x0000000006300000-0x0000000006366000-memory.dmp

Filesize
408KB

Download
memory/760-102-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/904-184-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/904-163-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1684-166-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/1684-161-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/1684-138-0x0000000000FA0000-0x0000000000FA6000-memory.dmp

Filesize
24KB

Download
memory/1684-131-0x00000000006D0000-0x00000000006E8000-memory.dmp

Filesize
96KB

Download
memory/2440-211-0x00000000033F0000-0x00000000034C6000-memory.dmp

Filesize
856KB

Download
memory/2440-322-0x0000000000400000-0x0000000001727000-memory.dmp

Filesize
19.2MB

Download
memory/2440-222-0x0000000001950000-0x0000000001A50000-memory.dmp

Filesize
1024KB

Download
memory/2440-224-0x0000000000400000-0x0000000001727000-memory.dmp

Filesize
19.2MB

Download
memory/2896-227-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/2896-230-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2896-219-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2904-212-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2904-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2904-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2904-214-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2904-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2904-210-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2904-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2904-79-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2904-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2904-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2904-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2904-207-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2904-209-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2904-206-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2904-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2904-199-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2904-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2904-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2904-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2904-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3076-132-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/3076-164-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/3076-127-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3076-165-0x0000000005350000-0x00000000058F4000-memory.dmp

Filesize
5.6MB

Download
memory/3076-223-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/3076-133-0x0000000004CA0000-0x0000000004D16000-memory.dmp

Filesize
472KB

Download
memory/3076-148-0x0000000004C20000-0x0000000004C3E000-memory.dmp

Filesize
120KB

Download
memory/3448-314-0x0000000002990000-0x00000000029A6000-memory.dmp

Filesize
88KB

Download
memory/3964-217-0x0000000000400000-0x00000000016BC000-memory.dmp

Filesize
18.7MB

Download
memory/3964-321-0x0000000000400000-0x00000000016BC000-memory.dmp

Filesize
18.7MB

Download
memory/3964-215-0x0000000001920000-0x0000000001929000-memory.dmp

Filesize
36KB

Download
memory/3964-213-0x00000000019C0000-0x0000000001AC0000-memory.dmp

Filesize
1024KB

Download
memory/4048-253-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/4048-136-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/4048-150-0x00007FF9740D0000-0x00007FF974B91000-memory.dmp

Filesize
10.8MB

Download
memory/4048-129-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/4380-187-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4380-116-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4468-186-0x0000000005D50000-0x0000000005D8C000-memory.dmp

Filesize
240KB

Download
memory/4468-170-0x0000000005DF0000-0x0000000005E00000-memory.dmp

Filesize
64KB

Download
memory/4468-185-0x00000000069D0000-0x0000000006ADA000-memory.dmp

Filesize
1.0MB

Download
memory/4468-168-0x00000000037A0000-0x00000000037C4000-memory.dmp

Filesize
144KB

Download
memory/4468-172-0x0000000005DF0000-0x0000000005E00000-memory.dmp

Filesize
64KB

Download
memory/4468-171-0x0000000005C70000-0x0000000005C92000-memory.dmp

Filesize
136KB

Download
memory/4468-179-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/4468-183-0x0000000005D30000-0x0000000005D42000-memory.dmp

Filesize
72KB

Download
memory/4468-190-0x0000000005DF0000-0x0000000005E00000-memory.dmp

Filesize
64KB

Download
memory/4468-173-0x0000000001900000-0x0000000001930000-memory.dmp

Filesize
192KB

Download
memory/4468-191-0x0000000006AE0000-0x0000000006B2C000-memory.dmp

Filesize
304KB

Download
memory/4468-180-0x00000000063B0000-0x00000000069C8000-memory.dmp

Filesize
6.1MB

Download
memory/4468-169-0x0000000000400000-0x00000000016E0000-memory.dmp

Filesize
18.9MB

Download
memory/4468-167-0x00000000019D0000-0x0000000001AD0000-memory.dmp

Filesize
1024KB

Download
memory/4536-208-0x0000000000400000-0x00000000016D4000-memory.dmp

Filesize
18.8MB

Download
memory/4536-205-0x0000000003340000-0x0000000003389000-memory.dmp

Filesize
292KB

Download
memory/4536-338-0x0000000000400000-0x00000000016D4000-memory.dmp

Filesize
18.8MB

Download
memory/4536-218-0x0000000001980000-0x0000000001A80000-memory.dmp

Filesize
1024KB

Download
memory/5124-340-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5124-178-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5304-341-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5304-204-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/5944-323-0x00000000034C0000-0x0000000003565000-memory.dmp

Filesize
660KB

Download
memory/5944-370-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/5944-327-0x0000000003580000-0x0000000003612000-memory.dmp

Filesize
584KB

Download
memory/5944-324-0x0000000003580000-0x0000000003612000-memory.dmp

Filesize
584KB

Download
memory/6124-353-0x00000000035E0000-0x0000000003686000-memory.dmp

Filesize
664KB

Download
memory/6124-354-0x0000000003690000-0x0000000003723000-memory.dmp

Filesize
588KB

Download
memory/6124-355-0x0000000003690000-0x0000000003723000-memory.dmp

Filesize
588KB

Download
memory/6124-357-0x0000000003690000-0x0000000003723000-memory.dmp

Filesize
588KB

Download
memory/6124-369-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads