fabookie | 6cbec8e331ea6136527401482a98b45e861beab8c7381eb19a135dc9a3bd9fb5

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
Size

4.1MB
MD5

61ac706f77b6da4bda821e69aef5d27a
SHA1

ee42220eb9ec46f8788215e71ffdbc136b762cb3
SHA256

6cbec8e331ea6136527401482a98b45e861beab8c7381eb19a135dc9a3bd9fb5
SHA512

3dc17b1a8ee9b4658ab0e462b49642bcdb4cbdf39b21f6da351843f2a550d5dccd953f75b0fff5b4587da189fccbdc75d1a5cd72cc238b378f7b5145029ef2cd
SSDEEP

98304:Pb0DpTItDjUlc5xRsYQCMi2hjHWVhh0zm+0Tp5rboe5jRK:P6QDiMoCMiYjChhx+2p5Poe5w

Score

10^/10

fabookie ffdroider gcleaner onlylogger privateloader redline sectoprat 05.10 ani222 build777 pub infostealer loader rat spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Extracted

Family

redline

Botnet

PUB

45.9.20.182:52236

Attributes

auth_value
a272f3a2850ec3dccdaed97234b7c40e

Extracted

Family

redline

Botnet

05.10

80.92.205.116:59599

Attributes

auth_value
9987bbbfa5d086577a66d521ae15b57e

Extracted

Family

redline

Botnet

build777

77.232.40.127:8204

Attributes

auth_value
275ce2c87153d4e8e3cc276c686a93de

Extracted

Family

redline

Botnet

ANI222

194.104.136.5:46013

Attributes

auth_value
9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015cf6-219.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 3 IoCs

resource	yara_rule
behavioral1/memory/2668-111-0x0000000000400000-0x0000000000991000-memory.dmp	family_ffdroider
behavioral1/memory/2668-201-0x0000000000400000-0x0000000000991000-memory.dmp	family_ffdroider
behavioral1/memory/2668-376-0x0000000000400000-0x0000000000991000-memory.dmp	family_ffdroider

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 11 IoCs

resource	yara_rule
behavioral1/memory/2476-138-0x00000000003E0000-0x0000000000404000-memory.dmp	family_redline
behavioral1/memory/1664-139-0x0000000000970000-0x0000000000994000-memory.dmp	family_redline
behavioral1/memory/2476-140-0x0000000002F10000-0x0000000002F32000-memory.dmp	family_redline
behavioral1/memory/1664-141-0x0000000000C50000-0x0000000000C72000-memory.dmp	family_redline
behavioral1/memory/2488-143-0x00000000003D0000-0x00000000003F4000-memory.dmp	family_redline
behavioral1/memory/2488-144-0x0000000003140000-0x0000000003162000-memory.dmp	family_redline
behavioral1/memory/1736-189-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1736-188-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1736-198-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1736-196-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1736-192-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 11 IoCs

resource	yara_rule
behavioral1/memory/2476-138-0x00000000003E0000-0x0000000000404000-memory.dmp	family_sectoprat
behavioral1/memory/1664-139-0x0000000000970000-0x0000000000994000-memory.dmp	family_sectoprat
behavioral1/memory/2476-140-0x0000000002F10000-0x0000000002F32000-memory.dmp	family_sectoprat
behavioral1/memory/1664-141-0x0000000000C50000-0x0000000000C72000-memory.dmp	family_sectoprat
behavioral1/memory/2488-143-0x00000000003D0000-0x00000000003F4000-memory.dmp	family_sectoprat
behavioral1/memory/2488-144-0x0000000003140000-0x0000000003162000-memory.dmp	family_sectoprat
behavioral1/memory/1736-189-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/1736-188-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/1736-198-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/1736-196-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral1/memory/1736-192-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

OnlyLogger payload 2 IoCs

resource	yara_rule
behavioral1/memory/908-252-0x0000000000220000-0x0000000000250000-memory.dmp	family_onlylogger
behavioral1/memory/908-253-0x0000000000400000-0x0000000000793000-memory.dmp	family_onlylogger

Executes dropped EXE 12 IoCs

pid	Process
1428	Graphics.exe
2584	FoxSBrowser.exe
2668	md9_1sjm.exe
2476	Pubdate.exe
2964	ANIJ.exe
2488	Info.exe
1664	Process.exe
1736	ANIJ.exe
1828	Folder.exe
2024	Files.exe
908	Details.exe
872	File.exe

Loads dropped DLL 42 IoCs

pid	Process
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1428	Graphics.exe
1428	Graphics.exe
1428	Graphics.exe
1428	Graphics.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
2964	ANIJ.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
26	iplogger.org
27	iplogger.org
32	iplogger.org
39	pastebin.com
40	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 1736	2964	ANIJ.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	FoxSBrowser.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	FoxSBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	FoxSBrowser.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	FoxSBrowser.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	FoxSBrowser.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	FoxSBrowser.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	FoxSBrowser.exe
Token: SeManageVolumePrivilege	2668	md9_1sjm.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1428	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	28
PID 1660 wrote to memory of 1428	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	28
PID 1660 wrote to memory of 1428	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	28
PID 1660 wrote to memory of 1428	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	28
PID 1660 wrote to memory of 2584	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	29
PID 1660 wrote to memory of 2584	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	29
PID 1660 wrote to memory of 2584	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	29
PID 1660 wrote to memory of 2584	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	29
PID 1660 wrote to memory of 2668	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2668	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2668	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2668	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	30
PID 1660 wrote to memory of 2476	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2476	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2476	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2476	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	31
PID 1428 wrote to memory of 2488	1428	Graphics.exe	32
PID 1428 wrote to memory of 2488	1428	Graphics.exe	32
PID 1428 wrote to memory of 2488	1428	Graphics.exe	32
PID 1428 wrote to memory of 2488	1428	Graphics.exe	32
PID 1660 wrote to memory of 2964	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	34
PID 1660 wrote to memory of 2964	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	34
PID 1660 wrote to memory of 2964	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	34
PID 1660 wrote to memory of 2964	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	34
PID 1660 wrote to memory of 1664	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	35
PID 1660 wrote to memory of 1664	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	35
PID 1660 wrote to memory of 1664	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	35
PID 1660 wrote to memory of 1664	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	35
PID 2964 wrote to memory of 1736	2964	ANIJ.exe	39
PID 2964 wrote to memory of 1736	2964	ANIJ.exe	39
PID 2964 wrote to memory of 1736	2964	ANIJ.exe	39
PID 2964 wrote to memory of 1736	2964	ANIJ.exe	39
PID 2964 wrote to memory of 1736	2964	ANIJ.exe	39
PID 2964 wrote to memory of 1736	2964	ANIJ.exe	39
PID 2964 wrote to memory of 1736	2964	ANIJ.exe	39
PID 2964 wrote to memory of 1736	2964	ANIJ.exe	39
PID 2964 wrote to memory of 1736	2964	ANIJ.exe	39
PID 1660 wrote to memory of 1828	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	40
PID 1660 wrote to memory of 1828	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	40
PID 1660 wrote to memory of 1828	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	40
PID 1660 wrote to memory of 1828	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	40
PID 1660 wrote to memory of 1828	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	40
PID 1660 wrote to memory of 1828	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	40
PID 1660 wrote to memory of 1828	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	40
PID 1660 wrote to memory of 2024	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	41
PID 1660 wrote to memory of 2024	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	41
PID 1660 wrote to memory of 2024	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	41
PID 1660 wrote to memory of 2024	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	41
PID 1660 wrote to memory of 908	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	43
PID 1660 wrote to memory of 908	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	43
PID 1660 wrote to memory of 908	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	43
PID 1660 wrote to memory of 908	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	43
PID 1660 wrote to memory of 872	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	44
PID 1660 wrote to memory of 872	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	44
PID 1660 wrote to memory of 872	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	44
PID 1660 wrote to memory of 872	1660	61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe	44

C:\Users\Admin\AppData\Local\Temp\61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61ac706f77b6da4bda821e69aef5d27a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\Graphics.exe
  "C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
    3⤵
    - Executes dropped EXE
    PID:2488
- C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
  "C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\ANIJ.exe
  "C:\Users\Admin\AppData\Local\Temp\ANIJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\ANIJ.exe
    C:\Users\Admin\AppData\Local\Temp\ANIJ.exe
    3⤵
    - Executes dropped EXE
    PID:1736
- C:\Users\Admin\AppData\Local\Temp\Process.exe
  "C:\Users\Admin\AppData\Local\Temp\Process.exe"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\Details.exe
  "C:\Users\Admin\AppData\Local\Temp\Details.exe"
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39f7311f5ca9985c5364836bef392f8e

SHA1
25f546a8f31636f1eba46472948050ec9c7ea47f

SHA256
f9cbaace890cf5a6d76910091df6586215146a27297b3daeb8d0a3b1c95e3fd5

SHA512
e6744e2ad7affc4f3eff03a70f626788d319c281a97201a9c2fd60a3afa7af36142ea34cc5052cac4b4deae29e8b87d20495cc20b2045ca58f491602b5c02eec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
caa62c1dbb857b86e2b8563d3d6b1750

SHA1
4e841fd11d5592590991ba1f0564709c644c9213

SHA256
b20a504ff5111e3f76a66cd8e4f60e1396e139ee9b2e29efbac651657cef1004

SHA512
aab0d744836dbffe6fea346b1bffa97001d83e09319925928b1873e2ee08b574189a3041e81fa26b3b096f3684f988ab3cd4e1895250000a0455602a1a20c05f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
741fc39a5e7e4783e419684c67ba4825

SHA1
a4e88178c19cf77b88fe6858f64c70bb1d3452e2

SHA256
eb0fc37f7a89fb0f40246e14845612688d9585892278051b147394bd987c8d54

SHA512
303c54a24c0b0215dec41bd07222e3ae71ac470823cffb9879279eaada1d1075d4c6905a08c29c723bb9a374c6a151ea4b1b6454a7077c26ea7ff3c6030a606a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1057b8fadc115cba99a6b6663da05071

SHA1
91cf10b62a9f320791049ac4ee43bdf8492aeb50

SHA256
563536d99d93710d5b588cfafd9a6c4853e51c5823edba6a4889a8a1410fa7fc

SHA512
31cb90b056aeada3c102935af1fc771dd62f10409d37743fa55bb81883b700a5b2ebcb4818c766a87e365b283a3a1d2bcb494f49892a8a724148b70accc344f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANIJ.exe

Filesize
433KB

MD5
0e3f38281f8f93256e5d3cc806839058

SHA1
89bf0f884fd7b30b71991ff53dd88d2fe4a63eda

SHA256
e778d5338c35cda30826a9901ebd4d2b953f1772620f38acfd683178ce39e3bd

SHA512
1361a0ec6339e8ea878c254fc6f6fa9cd75e1c754905cb183f30f4f186e8b9b458ebe4c4c518a14df13b1263f7cb5d963d9f33aa18fdd6741f001787221de804

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6558.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Process.exe

Filesize
364KB

MD5
51a82bca2658860a06022e040e54ee62

SHA1
702ad13db447126952cb8ae096801a89363f2ddd

SHA256
7bd421c6b9bd6c3433d1f2931e3a2353544e4e529d37cdaf61e8666c11b1eea4

SHA512
c9c4da46850b0e120188ff1b661ab6ec40514b9d7f5e360f039e9a68eca2d0ddd93b78929493e707cb1670836d96282218ecf99916f71985d00dcf29898de642

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pubdate.exe

Filesize
391KB

MD5
cc2185e19da184c0353ce0d0d01fa9ef

SHA1
e92106fa29d197bc6e653a75ecfbab51d8d30f8e

SHA256
c2dbd86ea2f01310100bbd5076a7a0d25a2b3d48f3e3af8b9a0ceaea4a28883a

SHA512
4966f668c561567e6d66640c435ea041413b6aef55b3e3452399a2cb018e44a43955263922afecd93b03ce1f40d7134b589c0fca42f1dd2570265f8a8d66f561

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe

Filesize
366KB

MD5
92d82660cf92570d51336a9af7f5a006

SHA1
af4f83fd67a5855160fa31f301e688843bd89eb0

SHA256
019b1daa5d3d53e4dfe0741dd5d07e1904a8564b56a2e990e9036efb098f7a81

SHA512
1f4c417bbc869100a1f4baf38ae86c0c7ee5fa657bbce43104d3faa42f85ae8c18eb27df0d26d88bbb3519f25bf5967d60767fe7e323e7274e63e9e5b9cb97f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar656A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe

Filesize
2.1MB

MD5
138610cf962ab62eb32d222a4a35b93a

SHA1
7348ff4e3894610a51e7d87a10500455f535c7e3

SHA256
b1209191392de48946828e01f2c44c1fb38c09c89425327b29fdcfb1c4dfa566

SHA512
c17f4235964de9de8333e21f10c47d7b36df15ea980b39b7e659d762b18a083fb62964a53cb9ed92cec3c2da71b09a66a2d4a2d11a77b93e15278f569fa1ee69

Download Submit
\Users\Admin\AppData\Local\Temp\Details.exe

Filesize
390KB

MD5
ef5c5afd28d85a2f163f3282b891e9a1

SHA1
a958fb9221ef68506016b2226d05d5a2a03af2a8

SHA256
4bd4dbb6236644a59bcf43db74921fa1968deca633a9def36d0ff9cf9e0d38f6

SHA512
727e2bb5f737fefabca5827168cf267a2e28e0b3225290d3acda82048f729b6ea58c9d90ea439fa21fe9d29048dd4cbccc883f772beeb8c4488edc32e0248577

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
402KB

MD5
ea7cd7abb93408398f377a7ec6dc363c

SHA1
273cc8def8f95b95215ae6b81f56b12b471612f6

SHA256
f96a27074cbdbd67c2659d70dfce920ad229fc235b27ae3a0667d4cc4d3ab73f

SHA512
3aea38eb0125295bca1a3e2858cd17a4a903eac60677bcf1ee81e714fc750507edab254210ced94f53b3d792195d9703131ca6d0444e27dd8096d441814dc233

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
1.4MB

MD5
e4b3ef78de2cf58b383d5f0f8fe1ccd5

SHA1
88b80206726179ef66e237eb7977b25a717ee108

SHA256
ed8481454e981d4c6bf730d2510b54310c28679b4e11050ee34a7a6d27967e85

SHA512
f9671cec526382f3acd7b5299aa079553f2c1525afb507d3e12df125141f9e9fb3011714076621e1bd95bfdc99e6e7a1ba38d85311da9558572bbd2a7c516476

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
96KB

MD5
cf0f23d389f54a5aba9d0a558dce4f3e

SHA1
a389540c9efb500f7ffe7bd6a0b522245cb14b67

SHA256
47ae0fd0c9d85cea922873bc2488a733fbacbd936984314a0a00146ff8874463

SHA512
723501e68e5188991b792c953738bc88d2f987be4a467487e57b7ed31d4b89f227f8725ce369047257ec67bee681c5056a6c10739db6d68adf83599e8b5ddc84

Download Submit
\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe

Filesize
69KB

MD5
10acb0ef75f0619300fa15925a3cda9f

SHA1
ae537bbd455c35621b478788bbeda13bc5b4d99f

SHA256
f826848a16493b5a9c59898629d5438c11f9b9d96462ea431b73c92626244c87

SHA512
f06dfa962817d34188d36c065eba041c149fa838055f15ffd11677a5ad600cd54d368180a40c52c1c981767526ffea5f3c0598141519bc542a9484f04580611e

Download Submit
\Users\Admin\AppData\Local\Temp\Graphics.exe

Filesize
476KB

MD5
1720aa0c895d1d21aa8fddaf559bf94b

SHA1
7bf5d984f3a212e63193eedb57fbbe79f216dc6c

SHA256
bfbdf9607987c9086a42f1951d0b32fbd7c9666b64fd4d336175c3ec16d285fd

SHA512
bc00cabddaee450728a18b109c616faade1950aa161449e70e21a16729c8e68c42b697796444f305400c6a98821fe40e211cdac13d8a705c9129e598ea75672d

Download Submit
memory/908-252-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/908-251-0x0000000000930000-0x0000000000A30000-memory.dmp

Filesize
1024KB

Download
memory/908-253-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1660-184-0x0000000003E00000-0x0000000004391000-memory.dmp

Filesize
5.6MB

Download
memory/1660-147-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1660-108-0x0000000003E00000-0x0000000004391000-memory.dmp

Filesize
5.6MB

Download
memory/1660-109-0x0000000003E00000-0x0000000004391000-memory.dmp

Filesize
5.6MB

Download
memory/1660-93-0x0000000003E00000-0x0000000004391000-memory.dmp

Filesize
5.6MB

Download
memory/1664-153-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1664-149-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/1664-139-0x0000000000970000-0x0000000000994000-memory.dmp

Filesize
144KB

Download
memory/1664-164-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1664-261-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1664-170-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1664-259-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/1664-141-0x0000000000C50000-0x0000000000C72000-memory.dmp

Filesize
136KB

Download
memory/1664-148-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/1664-183-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1664-167-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1736-200-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/1736-190-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1736-354-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/1736-353-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1736-199-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1736-186-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1736-192-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1736-196-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1736-198-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1736-187-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1736-188-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1736-189-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2476-264-0x0000000007360000-0x00000000073A0000-memory.dmp

Filesize
256KB

Download
memory/2476-263-0x0000000007360000-0x00000000073A0000-memory.dmp

Filesize
256KB

Download
memory/2476-140-0x0000000002F10000-0x0000000002F32000-memory.dmp

Filesize
136KB

Download
memory/2476-262-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-163-0x0000000000400000-0x0000000002DB9000-memory.dmp

Filesize
41.7MB

Download
memory/2476-138-0x00000000003E0000-0x0000000000404000-memory.dmp

Filesize
144KB

Download
memory/2476-168-0x0000000007360000-0x00000000073A0000-memory.dmp

Filesize
256KB

Download
memory/2476-260-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/2476-166-0x0000000007360000-0x00000000073A0000-memory.dmp

Filesize
256KB

Download
memory/2476-182-0x0000000007360000-0x00000000073A0000-memory.dmp

Filesize
256KB

Download
memory/2476-169-0x0000000007360000-0x00000000073A0000-memory.dmp

Filesize
256KB

Download
memory/2476-165-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-161-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/2476-162-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2488-143-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/2488-179-0x0000000003380000-0x00000000033C0000-memory.dmp

Filesize
256KB

Download
memory/2488-175-0x0000000000400000-0x00000000016CE000-memory.dmp

Filesize
18.8MB

Download
memory/2488-178-0x0000000003380000-0x00000000033C0000-memory.dmp

Filesize
256KB

Download
memory/2488-171-0x00000000017D0000-0x00000000018D0000-memory.dmp

Filesize
1024KB

Download
memory/2488-180-0x0000000003380000-0x00000000033C0000-memory.dmp

Filesize
256KB

Download
memory/2488-172-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2488-144-0x0000000003140000-0x0000000003162000-memory.dmp

Filesize
136KB

Download
memory/2488-266-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2488-267-0x0000000003380000-0x00000000033C0000-memory.dmp

Filesize
256KB

Download
memory/2488-265-0x00000000017D0000-0x00000000018D0000-memory.dmp

Filesize
1024KB

Download
memory/2488-177-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-145-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-110-0x00000000011F0000-0x000000000120A000-memory.dmp

Filesize
104KB

Download
memory/2584-142-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2584-254-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-351-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-181-0x0000000004710000-0x0000000004750000-memory.dmp

Filesize
256KB

Download
memory/2668-115-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2668-201-0x0000000000400000-0x0000000000991000-memory.dmp

Filesize
5.6MB

Download
memory/2668-360-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/2668-366-0x0000000003D40000-0x0000000003D50000-memory.dmp

Filesize
64KB

Download
memory/2668-376-0x0000000000400000-0x0000000000991000-memory.dmp

Filesize
5.6MB

Download
memory/2668-111-0x0000000000400000-0x0000000000991000-memory.dmp

Filesize
5.6MB

Download
memory/2964-195-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-133-0x0000000000C70000-0x0000000000CE2000-memory.dmp

Filesize
456KB

Download
memory/2964-185-0x0000000073700000-0x0000000073DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-176-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads