bumblebee | b3c2ffb8ec35de151722defc6fcf092a7a379b266a7f8dde446a521d40327610

Analysis

max time kernel
1199s
max time network
1113s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
13-03-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xjyn487lg15.zip
Size

3.2MB
MD5

03559a8c6820b6981a18afbc3fa23fb8
SHA1

9ed15225d4ca99391418de34c00cff095c2f39fe
SHA256

b3c2ffb8ec35de151722defc6fcf092a7a379b266a7f8dde446a521d40327610
SHA512

45dc211f0ee19efd0f1e2fd48dc520ab140fba7ad9d05a9c862ca06fbccc0d26b724108cfcb028c3ecb089b1bcb1909d6cb48622fcf275fe598c81dbea20f6ba
SSDEEP

98304:V3vgFt0a39CLgMBznNQIXKmN1OwamtCz6QkX8ETCAV:V3vgFt0qijlaIXfy88ET3V

Score

10^/10

bumblebee asd1234 loader

Malware Config

Extracted

Family

bumblebee

Botnet

asd1234

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exeregsvr32.exeregsvr32.exerundll32.exe

pid process

1996 rundll32.exe
772 rundll32.exe
2712 regsvr32.exe
4536 regsvr32.exe
980 rundll32.exe
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

772 rundll32.exe
980 rundll32.exe

pid	process
1996	rundll32.exe
772	rundll32.exe
2712	regsvr32.exe
4536	regsvr32.exe
980	rundll32.exe

pid	process
772	rundll32.exe
980	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133548477427050887"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4756 chrome.exe
4756 chrome.exe
3708 chrome.exe
3708 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4756 chrome.exe
4756 chrome.exe
4756 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeRestorePrivilege	4516	7zG.exe
Token: 35	4516	7zG.exe
Token: SeSecurityPrivilege	4516	7zG.exe
Token: SeSecurityPrivilege	4516	7zG.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

pid	process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4516	7zG.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
2404	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4756 wrote to memory of 3944	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 3944	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 1424	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2832	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 2832	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe
PID 4756 wrote to memory of 4340	4756	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\xjyn487lg15.zip
1⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbf8d29758,0x7ffbf8d29768,0x7ffbf8d29778
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:2
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:8
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:8
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:1
2⤵
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:1
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4044 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:1
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:8
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:8
2⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:8
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:8
2⤵
PID:376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 --field-trial-handle=1796,i,1534583445297969843,2607120183238708431,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:316

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap29337:102:7zEvent2748
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3912

C:\Windows\system32\rundll32.exe
rundll32 xjyn487lg15.dll,#1
2⤵
PID:980

C:\Windows\system32\rundll32.exe
rundll32 xjyn487lg15.dll,#2
2⤵
PID:2924

C:\Windows\system32\xcopy.exe
xcopy xjyn487lg15.dll x.dll
2⤵
PID:3804

C:\Windows\system32\rundll32.exe
rundll32 x.dll,#2
2⤵
PID:1528

C:\Windows\system32\rundll32.exe
rundll32 xjyn487lg15.dll,#2
2⤵
- Loads dropped DLL
PID:1996

C:\Windows\system32\rundll32.exe
rundll32 xjyn487lg15.dll,#1
2⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:772

C:\Windows\system32\regsvr32.exe
regsvr32 xjyn487lg15.dll
2⤵
- Loads dropped DLL
PID:2712

C:\Windows\system32\regsvr32.exe
regsvr32 /s xjyn487lg15.dll
2⤵
- Loads dropped DLL
PID:4536

C:\Windows\system32\rundll32.exe
rundll32 xjyn487lg15.dll,#1
2⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:980

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\xjyn487lg15\" -spe -an -ai#7zMap19871:102:7zEvent32097
1⤵
- Suspicious use of FindShellTrayWindow
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6496cfff68a660e02616c20d98756aa4

SHA1
acdd59547bc371df84e7436db6dec6143ec387ae

SHA256
b0ee4799be6bebe56e4e8c60292fe3908367c5e6321034eebcc70f7e61c93241

SHA512
e9e857055b8cd3f16d3d5f5d3d6335fb4dd2c92297ae07e01ee291e0617d16419d89292e6ac3cf82e15ffb04f72da66a787d17cb57d66a51ca2d0e100b970706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
2d8d076659e1bfd01d29bcd2c1ec1bb2

SHA1
17fc25a3c2416ca0d13108b816092cefd9a44cb2

SHA256
56196a0840f66580ab93bbaef0a0b917e38969cd80de672b038a08c03dc1b3a9

SHA512
c536be29bd77c74db133b28a252dc27f578f7852b33838df111f663b18fbfcd2fac92e6f1e3b0770b901feb9b12daf13dd79a5976f1cc5668992bf317451d4f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
fb4734b579a4a47c9f757f2d36d3dbb2

SHA1
abd79b07d08abb2757fb357748d8f4a71856d424

SHA256
72dd62a0e7d6b8665631d1efa628f4859b9d259180a2fd3d453a39fcc758a8c8

SHA512
d7b206483a887fd0d1e2a23bad8cd02c84213f0fcc8cc7ae0ca88d75e157f1449682f485167372fdd1eb6bf92b37f0af0344ff669af7f547651a67994f60677e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3a73c8d8457573a90e9d77a01dc81cd9

SHA1
3d7df983835e67d529cebe9ed2147754a3e3f236

SHA256
77d77e072ea77cabc833fe8511843d4d88b35adf65725ab9ab366ef610d74ce8

SHA512
11ab42ab622a264ad75e4a8826904c3aa881a54f7df9743a5c0dd3a07a0ffe60d61994acb5b8cc7754e78bafb9fd38a2a5eff67b55cc028130e3106c5d31959e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b5d165d6babf4e170bf502d90f5cd3e5

SHA1
de329812a8be9b8f0f70e55c451af0efa5381548

SHA256
bdcf8c4e51dac2a87af60ff138853cd3e5bccd4b1b634a448715ae083b15c509

SHA512
f466001482de3969bf704e11f7fe88ca9dd449ebb0c377868192ab4e7fc2354452669738f11bddf54b57566850d1e655b269c0a89416551cd062dba4b94e0933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
206c2bec641818d4b115e5699ab75c1b

SHA1
d93c6659e94ad0f6181be044a2d8a67f07dcafcd

SHA256
00e17f7aadaf971e01c5ae0ada77e1b04f2269b77f5313441397001f197d0858

SHA512
44a8c7f5af936322cb7764359dacddd9299367fb761ce6ce9515d5f65a6123cb6a37e41b7941e4c34f583b764245cd0277e5344645d676deb43b5be8626597f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
ec70204f259033b972b81de0d7284fd7

SHA1
198685f1c300bcaa9a4bb76d3aa8024b17b12344

SHA256
7561341090bb922ff0ecdf430a338abb05e75f8235bfca80e1ee19df088c24bd

SHA512
7d2011f155a96e45b04d6eb479a6a1de5c0824a1dacb6816319ea1bed41257d2c13d5ace108c2053e78c9bc5df156b223e4c01d05b1fd0279b51fada783362c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
67a9c9e6a8fa515d38ac72ba51aeb190

SHA1
79fb3a8363b12ad5ba0582983e94ac4c666f01ec

SHA256
10ce4f1bb8cab4b55695c69112dfdfa63a75323d971753ae4b59670c125a80fb

SHA512
f93c009eade5463343e0cab754c57a1a6d1b23dd1c5d88cde100b2c8ff6408ea937878f67983e36c820a22b0e04e4a68065a748e3073c5e1a9faa213fa3d2120

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.dll

Filesize
3.6MB

MD5
f5fdaef255cb4c1cc746e7c155e2d417

SHA1
c50f18552c09be9f8c387c7083af8a3629d03bde

SHA256
b8f199bbced2e02ef42c8ec539c4be62ad86aa54915d5f5aeb3f3d659d49f08c

SHA512
7abed4dd3a73997023e868e17464c7eacf4927ea294f99cd0dacf8520c03e3333a5be55d33f378f008386648c1fedad77fac912f9d21452fc509297226b59c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjyn487lg15.dll

Filesize
3.6MB

MD5
5d848f21c7484389aafe09db9aa89765

SHA1
26d49b1b5c9d2263e45e16f51c509ed81f431d4f

SHA256
120ffa5829a96ec136fa0a240593b24c062e4901193fd4c43a18f0e16a94b0a9

SHA512
3a242201150c141809f0b8d41a509de180d5c167904816d36e6b907a798d57fba512c7ab319d632c840820916c658a2a380d93db41ac1d8c2b977825f4e88a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjyn487lg15\xjyn487lg15.dll

Filesize
3.5MB

MD5
cc4662de834bb35ab261e04cd1acc148

SHA1
243805e05b836436ff99a12168f844a4ce00a019

SHA256
4ab1cd5c0219bbac5a821f7cae49488b60c62b7e8ce4ad25b43f844e481b3119

SHA512
d8be5130c8fa8431087a1b6c569b3b9146b07d3748654ffe56c38c91e8a26909a89f124dd85680358100c5c56c7e6bede452c1873be134d06accabc8da1ea54f

Download Submit
\??\pipe\crashpad_4756_DMLJDCXHWJSDZJLR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\xjyn487lg15\xjyn487lg15.dll

Filesize
3.3MB

MD5
ee60775a541e81971e27f8b294b417b2

SHA1
b502770b1e3ec020750b2c4f0e64c875b9cadc77

SHA256
433c3e979f3a2486ad8295c5a9b28d4de7cbc7b02934d572274f98e060c79662

SHA512
15d7383ad808b4f58fc926ba52968561a019f54b99d20bf30452ad983be1499c43ffb80b95dc65556e98b2a5cf267804d40670666b1f20be3dee8aeba1291b49

Download Submit
memory/772-110-0x0000015428D80000-0x0000015428F98000-memory.dmp

Filesize
2.1MB

Download
memory/772-113-0x00007FFC04770000-0x00007FFC0494B000-memory.dmp

Filesize
1.9MB

Download
memory/772-112-0x00007FFC04770000-0x00007FFC0494B000-memory.dmp

Filesize
1.9MB

Download
memory/772-111-0x0000015428B40000-0x0000015428D77000-memory.dmp

Filesize
2.2MB

Download
memory/980-121-0x00000201EDF60000-0x00000201EE197000-memory.dmp

Filesize
2.2MB

Download
memory/980-120-0x00000201EE1A0000-0x00000201EE3B8000-memory.dmp

Filesize
2.1MB

Download
memory/980-122-0x00007FFC04770000-0x00007FFC0494B000-memory.dmp

Filesize
1.9MB

Download
memory/980-123-0x00007FFC04770000-0x00007FFC0494B000-memory.dmp

Filesize
1.9MB

Download