gcleaner | 618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8

Analysis

max time kernel
0s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8.exe
Size

2.9MB
MD5

478c7cd1d366a77444568d45f252abeb
SHA1

0e717c6fc62ece11a17919ce1f1cc5cdc1bc711e
SHA256

618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8
SHA512

541d2430bb2bedffd8d489bcbe77d2cdc2207b8faa88affb7312469e1fcf6de8d8b810b66906f61dd0b8ba95a04309184478bbb69cac6161e9b0b2625b2f45de
SSDEEP

49152:9gIxFNiOIkvx2ldpBGld+BvTljVvDq88tnuiRLAKDw8rE6xjHgCF8jv4IGKctXug:ycnIkElbBGld+fFqNcKRxlASSvLGKMXd

Score

10^/10

gcleaner nullmixer onlylogger redline sectoprat smokeloader vidar 706 lyla backdoor dropper infostealer loader rat stealer trojan

Malware Config

Extracted

Family

gcleaner

194.145.227.161

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

Lyla

95.181.172.207:56915

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3304-200-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3304-200-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/4944-161-0x0000000002DE0000-0x0000000002E28000-memory.dmp	family_onlylogger
behavioral2/memory/4944-164-0x0000000000400000-0x0000000002B61000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/3204-147-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar
behavioral2/memory/3204-124-0x0000000004810000-0x00000000048E1000-memory.dmp	family_vidar
behavioral2/memory/3204-248-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Program crash 31 IoCs

pid	pid_target	Process	procid_target
1248	3852	WerFault.exe	26
5252	4944	WerFault.exe	32
1424	4944	WerFault.exe	32
4024	4944	WerFault.exe	32
3920	3976	WerFault.exe	44
4496	4944	WerFault.exe	32
5204	4944	WerFault.exe	32
3256	4944	WerFault.exe	32
3176	4944	WerFault.exe	32
5944	4944	WerFault.exe	32
4456	4944	WerFault.exe	32
6580	5168	WerFault.exe	43
6564	1740	WerFault.exe	172
6956	4944	WerFault.exe	32
3588	4944	WerFault.exe	32
7068	4944	WerFault.exe	32
7160	4944	WerFault.exe	32
6252	4944	WerFault.exe	32
6348	4764	WerFault.exe	184
2456	3820	WerFault.exe	67
6964	2668	WerFault.exe	68
6360	6584	WerFault.exe	207
4068	3204	WerFault.exe	51
208	6348	WerFault.exe	222
6940	5432	WerFault.exe	235
5376	432	WerFault.exe	247
1792	316	WerFault.exe	255
6748	4944	WerFault.exe	32
532	4944	WerFault.exe	32
5484	4944	WerFault.exe	32
4292	1408	WerFault.exe	263

Kills process with taskkill 1 IoCs

evasion

pid	Process
3076	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8.exe
"C:\Users\Admin\AppData\Local\Temp\618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8.exe"
1⤵
PID:5636
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\setup_install.exe"
    3⤵
    PID:3852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 588
      4⤵
      Program crash
      PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon23fdeac222bf0c6d.exe
      4⤵
      PID:5716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon2347c35b4c69dbf76.exe
      4⤵
      PID:3820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 368
        5⤵
        Program crash
        
        PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon23a436abd6542c.exe /mixone
      4⤵
      PID:2668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 388
        5⤵
        Program crash
        
        PID:6964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon2310124f65.exe
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon23f7a44a23bc7.exe
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon23125dbbd055c928.exe
      4⤵
      PID:5740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon2313143945.exe
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon237c3c6d262ea.exe
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon2339edf58bddc71d.exe
      4⤵
      PID:5700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1144

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon2339edf58bddc71d.exe
Mon2339edf58bddc71d.exe
1⤵
PID:936
- C:\Users\Admin\AppData\Local\Temp\is-VL6T1.tmp\Mon2339edf58bddc71d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VL6T1.tmp\Mon2339edf58bddc71d.tmp" /SL5="$C0068,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon2339edf58bddc71d.exe"
  2⤵
  PID:1712

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon23f7a44a23bc7.exe
Mon23f7a44a23bc7.exe
1⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon23a436abd6542c.exe
Mon23a436abd6542c.exe /mixone
1⤵
PID:4944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 620
  2⤵
  - Program crash
  PID:5252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 656
  2⤵
  - Program crash
  PID:1424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 748
  2⤵
  - Program crash
  PID:4024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 768
  2⤵
  - Program crash
  PID:4496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 648
  2⤵
  - Program crash
  PID:5204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 844
  2⤵
  - Program crash
  PID:3256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1048
  2⤵
  - Program crash
  PID:3176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1056
  2⤵
  - Program crash
  PID:5944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1272
  2⤵
  - Program crash
  PID:4456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1364
  2⤵
  - Program crash
  PID:6956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1488
  2⤵
  - Program crash
  PID:3588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1564
  2⤵
  - Program crash
  PID:7068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1584
  2⤵
  - Program crash
  PID:7160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1556
  2⤵
  - Program crash
  PID:6252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1216
  2⤵
  - Program crash
  PID:6748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 772
  2⤵
  - Program crash
  PID:532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1104
  2⤵
  - Program crash
  PID:5484

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
1⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
1⤵
PID:4484

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
1⤵
- Kills process with taskkill
PID:3076

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
1⤵
PID:5608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3852 -ip 3852
1⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon23125dbbd055c928.exe
Mon23125dbbd055c928.exe
1⤵
PID:5168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 55268
  2⤵
  - Program crash
  PID:6580

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon2310124f65.exe
Mon2310124f65.exe
1⤵
PID:3976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 372
  2⤵
  - Program crash
  PID:3920

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
Mon237c3c6d262ea.exe
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:3476
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:5452
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:5300
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6412
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6204
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6808
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6308
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6564
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6896
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6576
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6592
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:368
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:3656
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6352
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6944
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:7112
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6520
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:880
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6188
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6572
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:4000
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6292
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6836
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:3788
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6536
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 12
    3⤵
    - Program crash
    PID:1792
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6096
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6952
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6704
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:4260
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:5840
- C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon237c3c6d262ea.exe
  2⤵
  PID:6616

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon23fdeac222bf0c6d.exe
Mon23fdeac222bf0c6d.exe
1⤵
PID:3392
- C:\Windows\SysWOW64\xcopy.exe
  xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
  2⤵
  PID:6072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1888,i,2799431723598247523,7810107394932188612,131072 /prefetch:1
    3⤵
    PID:3032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3520 --field-trial-handle=1888,i,2799431723598247523,7810107394932188612,131072 /prefetch:1
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3452 --field-trial-handle=1888,i,2799431723598247523,7810107394932188612,131072 /prefetch:1
    3⤵
    PID:4084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1888,i,2799431723598247523,7810107394932188612,131072 /prefetch:1
    3⤵
    PID:2448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1260 --field-trial-handle=1888,i,2799431723598247523,7810107394932188612,131072 /prefetch:8
    3⤵
    PID:4752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2132 --field-trial-handle=1888,i,2799431723598247523,7810107394932188612,131072 /prefetch:8
    3⤵
    PID:5104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1888,i,2799431723598247523,7810107394932188612,131072 /prefetch:2
    3⤵
    PID:4940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4284 --field-trial-handle=1888,i,2799431723598247523,7810107394932188612,131072 /prefetch:1
    3⤵
    PID:4076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1076 --field-trial-handle=1888,i,2799431723598247523,7810107394932188612,131072 /prefetch:2
    3⤵
    PID:5372

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon2347c35b4c69dbf76.exe
Mon2347c35b4c69dbf76.exe
1⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\7zSCB34D817\Mon2313143945.exe
Mon2313143945.exe
1⤵
PID:3204
- C:\ProgramData\Java Updater\5uy59559.exe
  /prstb
  2⤵
  PID:6640
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:4764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1140
      4⤵
      Program crash
      PID:6348
- C:\ProgramData\Java Updater\5uy59559.exe
  /prstb
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:6584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 1048
      4⤵
      Program crash
      PID:6360
- C:\ProgramData\Java Updater\5uy59559.exe
  /prstb
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:6348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6348 -s 1076
      4⤵
      Program crash
      PID:208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 2020
  2⤵
  - Program crash
  PID:4068
- C:\ProgramData\Java Updater\5uy59559.exe
  /prstb
  2⤵
  PID:6584
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:5432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 1080
      4⤵
      Program crash
      PID:6940
- C:\ProgramData\Java Updater\5uy59559.exe
  /prstb
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1136
      4⤵
      Program crash
      PID:5376
- C:\ProgramData\Java Updater\5uy59559.exe
  /prstb
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:1408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1156
      4⤵
      Program crash
      PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3976 -ip 3976
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4944 -ip 4944
1⤵
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4944 -ip 4944
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4944 -ip 4944
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4944 -ip 4944
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4944 -ip 4944
1⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa0ac49758,0x7ffa0ac49768,0x7ffa0ac49778
1⤵
PID:1568

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4944 -ip 4944
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4944 -ip 4944
1⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4944 -ip 4944
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4944 -ip 4944
1⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\BC89.exe
C:\Users\Admin\AppData\Local\Temp\BC89.exe
1⤵
PID:1136
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1144
    3⤵
    - Program crash
    PID:6564

C:\Users\Admin\AppData\Local\Temp\C5F1.exe
C:\Users\Admin\AppData\Local\Temp\C5F1.exe
1⤵
PID:6188
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  2⤵
  PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5168 -ip 5168
1⤵
PID:6548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1740 -ip 1740
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4944 -ip 4944
1⤵
PID:6944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4944 -ip 4944
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4944 -ip 4944
1⤵
PID:7048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4944 -ip 4944
1⤵
PID:7120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4944 -ip 4944
1⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4764 -ip 4764
1⤵
PID:6216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3820 -ip 3820
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2668 -ip 2668
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6584 -ip 6584
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3204 -ip 3204
1⤵
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6348 -ip 6348
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5432 -ip 5432
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 432 -ip 432
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 316 -ip 316
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4944 -ip 4944
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4944 -ip 4944
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4944 -ip 4944
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1408 -ip 1408
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\softokn3.dll

Filesize
119KB

MD5
25a3f965b2b75ef3c06ef63ebca85bad

SHA1
9f710e12483af4f7e6a20fe000b2a671a1a05cd3

SHA256
de3988a0d61404cf3e74b6cc72d2eec979952360ff6ae703f3f51ba5c6d9d925

SHA512
70ae1147ab8b8c7cbeffa1cbf8a8a9ddf39f766791c4ef5ea4454efe53b7d40eaed80320d6959209b26ad214eaca38d5727fa56516b40e63ac24ab20fc41d430

Download Submit
memory/936-90-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/936-96-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/936-139-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/940-92-0x00007FFA0E800000-0x00007FFA0F2C1000-memory.dmp

Filesize
10.8MB

Download
memory/940-94-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/940-89-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/940-213-0x00007FFA0E800000-0x00007FFA0F2C1000-memory.dmp

Filesize
10.8MB

Download
memory/1136-1387-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/1136-1391-0x00000000021D0000-0x0000000002236000-memory.dmp

Filesize
408KB

Download
memory/1372-119-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/1372-122-0x0000000005070000-0x00000000050E6000-memory.dmp

Filesize
472KB

Download
memory/1372-108-0x00000000007D0000-0x0000000000874000-memory.dmp

Filesize
656KB

Download
memory/1372-1443-0x00000000051A0000-0x0000000005264000-memory.dmp

Filesize
784KB

Download
memory/1372-154-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/1372-126-0x0000000005010000-0x000000000502E000-memory.dmp

Filesize
120KB

Download
memory/1712-121-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1712-132-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1716-123-0x0000000002C40000-0x0000000002C50000-memory.dmp

Filesize
64KB

Download
memory/1716-100-0x00007FFA0E800000-0x00007FFA0F2C1000-memory.dmp

Filesize
10.8MB

Download
memory/1716-223-0x00007FFA0E800000-0x00007FFA0F2C1000-memory.dmp

Filesize
10.8MB

Download
memory/1716-109-0x0000000001380000-0x000000000139A000-memory.dmp

Filesize
104KB

Download
memory/1716-105-0x0000000000BC0000-0x0000000000BDE000-memory.dmp

Filesize
120KB

Download
memory/1740-1405-0x0000000000AD0000-0x0000000000B94000-memory.dmp

Filesize
784KB

Download
memory/1740-1399-0x0000000000E10000-0x0000000001244000-memory.dmp

Filesize
4.2MB

Download
memory/1740-1401-0x0000000000E10000-0x0000000001244000-memory.dmp

Filesize
4.2MB

Download
memory/2668-1440-0x0000000000F70000-0x0000000001034000-memory.dmp

Filesize
784KB

Download
memory/2696-1437-0x0000000000650000-0x0000000000714000-memory.dmp

Filesize
784KB

Download
memory/2828-1438-0x0000000000C70000-0x0000000000D34000-memory.dmp

Filesize
784KB

Download
memory/2872-1451-0x0000000005680000-0x0000000005744000-memory.dmp

Filesize
784KB

Download
memory/3204-124-0x0000000004810000-0x00000000048E1000-memory.dmp

Filesize
836KB

Download
memory/3204-1444-0x0000000005F90000-0x0000000006054000-memory.dmp

Filesize
784KB

Download
memory/3204-248-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/3204-128-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/3204-1442-0x0000000005F90000-0x0000000006054000-memory.dmp

Filesize
784KB

Download
memory/3204-147-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/3204-1358-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/3204-1462-0x0000000005F90000-0x0000000006054000-memory.dmp

Filesize
784KB

Download
memory/3304-1449-0x00000000058E0000-0x00000000059A4000-memory.dmp

Filesize
784KB

Download
memory/3304-210-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3304-209-0x00000000054D0000-0x00000000054E2000-memory.dmp

Filesize
72KB

Download
memory/3304-214-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3304-215-0x0000000005570000-0x00000000055BC000-memory.dmp

Filesize
304KB

Download
memory/3304-212-0x0000000005530000-0x000000000556C000-memory.dmp

Filesize
240KB

Download
memory/3304-211-0x0000000005600000-0x000000000570A000-memory.dmp

Filesize
1.0MB

Download
memory/3304-208-0x0000000005A40000-0x0000000006058000-memory.dmp

Filesize
6.1MB

Download
memory/3304-200-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3428-219-0x0000000003570000-0x0000000003585000-memory.dmp

Filesize
84KB

Download
memory/3820-1441-0x0000000000BB0000-0x0000000000C74000-memory.dmp

Filesize
784KB

Download
memory/3852-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3852-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3852-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3852-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3852-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3852-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3852-150-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3852-148-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/3852-158-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3852-156-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3852-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3852-153-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3852-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3852-151-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3852-66-0x00000000007B0000-0x000000000083F000-memory.dmp

Filesize
572KB

Download
memory/3852-68-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3852-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3852-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3852-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3852-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3976-166-0x0000000000400000-0x0000000002B48000-memory.dmp

Filesize
39.3MB

Download
memory/3976-165-0x0000000002D30000-0x0000000002E30000-memory.dmp

Filesize
1024KB

Download
memory/3976-155-0x0000000002CB0000-0x0000000002CB9000-memory.dmp

Filesize
36KB

Download
memory/3976-224-0x0000000000400000-0x0000000002B48000-memory.dmp

Filesize
39.3MB

Download
memory/4484-1450-0x00000000052D0000-0x0000000005394000-memory.dmp

Filesize
784KB

Download
memory/4944-1447-0x0000000005840000-0x0000000005904000-memory.dmp

Filesize
784KB

Download
memory/4944-249-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/4944-161-0x0000000002DE0000-0x0000000002E28000-memory.dmp

Filesize
288KB

Download
memory/4944-164-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/4944-157-0x0000000002E80000-0x0000000002F80000-memory.dmp

Filesize
1024KB

Download
memory/4944-1359-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/5012-1452-0x00000000054D0000-0x0000000005594000-memory.dmp

Filesize
784KB

Download
memory/5036-163-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

Filesize
304KB

Download
memory/5036-190-0x0000000007090000-0x000000000709E000-memory.dmp

Filesize
56KB

Download
memory/5036-185-0x00000000074A0000-0x0000000007B1A000-memory.dmp

Filesize
6.5MB

Download
memory/5036-187-0x0000000006EE0000-0x0000000006EEA000-memory.dmp

Filesize
40KB

Download
memory/5036-152-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/5036-182-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/5036-169-0x0000000074E20000-0x0000000074E6C000-memory.dmp

Filesize
304KB

Download
memory/5036-188-0x00000000070D0000-0x0000000007166000-memory.dmp

Filesize
600KB

Download
memory/5036-184-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/5036-110-0x0000000000D50000-0x0000000000D86000-memory.dmp

Filesize
216KB

Download
memory/5036-183-0x0000000006AF0000-0x0000000006B93000-memory.dmp

Filesize
652KB

Download
memory/5036-168-0x000000007F660000-0x000000007F670000-memory.dmp

Filesize
64KB

Download
memory/5036-149-0x0000000005700000-0x0000000005A54000-memory.dmp

Filesize
3.3MB

Download
memory/5036-162-0x0000000005B30000-0x0000000005B4E000-memory.dmp

Filesize
120KB

Download
memory/5036-189-0x0000000007060000-0x0000000007071000-memory.dmp

Filesize
68KB

Download
memory/5036-144-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/5036-191-0x00000000070A0000-0x00000000070B4000-memory.dmp

Filesize
80KB

Download
memory/5036-186-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/5036-120-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/5036-167-0x00000000060F0000-0x0000000006122000-memory.dmp

Filesize
200KB

Download
memory/5036-192-0x0000000007190000-0x00000000071AA000-memory.dmp

Filesize
104KB

Download
memory/5036-193-0x0000000007180000-0x0000000007188000-memory.dmp

Filesize
32KB

Download
memory/5036-196-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/5036-146-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/5036-145-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/5036-127-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/5036-125-0x0000000004D40000-0x0000000005368000-memory.dmp

Filesize
6.2MB

Download
memory/5048-1456-0x0000000005160000-0x0000000005224000-memory.dmp

Filesize
784KB

Download
memory/5168-1448-0x0000000003F70000-0x0000000004034000-memory.dmp

Filesize
784KB

Download
memory/5168-1445-0x0000000003F70000-0x0000000004034000-memory.dmp

Filesize
784KB

Download
memory/5300-1457-0x0000000005DF0000-0x0000000005EB4000-memory.dmp

Filesize
784KB

Download
memory/5452-1454-0x0000000005920000-0x00000000059E4000-memory.dmp

Filesize
784KB

Download
memory/5740-1439-0x0000000001230000-0x00000000012F4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads