toxiceye | 8f6da90ca708d4002e479df3298857f2014cac9678269de715d58b048724256b

Analysis

max time kernel
112s
max time network
123s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23-10-2024 17:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Primordial
Size

278KB
MD5

2a9b4a529201c22df2f07f1a487f779a
SHA1

71f8186cd8c89d6a0547bbaa9abe882b53382eb8
SHA256

8f6da90ca708d4002e479df3298857f2014cac9678269de715d58b048724256b
SHA512

b4798629e8388899fac10ddb04e37e66e8b5964a6d4569e32aa12a2f0a23974ac0647d0568bab06c9611ce32f1bc90f803abbbbbbe0294f513c863613e62a25e
SSDEEP

6144:sFouqpOL/saqkPV9FemLtcsDSsmw/9lvZJT3CqbMrhryf65NRPaCieMjAkvCJv10:MouqpOL/saqkPV9FemLtcsDSsmw/9lvd

Score

10^/10

toxiceye defense_evasion discovery evasion rat themida trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7461409177:AAHMv-EtRWu0uEGj_eiICpHa8RT1JBvjytE/sendMessage?chat_id=7179640777

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1212-622-0x0000000000400000-0x0000000000F48000-memory.dmp	disable_win_def
behavioral1/memory/1212-623-0x0000000000400000-0x0000000000F48000-memory.dmp	disable_win_def
behavioral1/memory/1212-641-0x0000000000400000-0x0000000000F48000-memory.dmp	disable_win_def
behavioral1/memory/2932-654-0x0000000000400000-0x0000000000F48000-memory.dmp	disable_win_def
behavioral1/memory/2932-655-0x0000000000400000-0x0000000000F48000-memory.dmp	disable_win_def

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

winload64.exeFemordial.exegay.exeFemordial.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winload64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Femordial.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Femordial.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Femordial.exewinload64.exeFemordial.exegay.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Femordial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Femordial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winload64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	winload64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Femordial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Femordial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gay.exe

Executes dropped EXE 5 IoCs

Processes:

Femordial.exegay.exeFemordial.exePrimordial.exewinload64.exe

pid process

1524 Femordial.exe
1300 gay.exe
1212 Femordial.exe
2756 Primordial.exe
2932 winload64.exe

pid	process
1524	Femordial.exe
1300	gay.exe
1212	Femordial.exe
2756	Primordial.exe
2932	winload64.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Femordial.exe	themida
behavioral1/memory/1524-580-0x0000000000400000-0x0000000002BEB000-memory.dmp	themida
behavioral1/memory/1524-586-0x0000000000400000-0x0000000002BEB000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\gay.exe	themida
C:\Users\Admin\AppData\Local\Temp\Femordial.exe	themida
behavioral1/memory/1300-607-0x0000000140000000-0x000000014107A000-memory.dmp	themida
behavioral1/memory/1300-613-0x0000000140000000-0x000000014107A000-memory.dmp	themida
behavioral1/memory/1524-621-0x0000000000400000-0x0000000002BEB000-memory.dmp	themida
behavioral1/memory/1212-622-0x0000000000400000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/1212-623-0x0000000000400000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/1212-641-0x0000000000400000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2932-654-0x0000000000400000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2932-655-0x0000000000400000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/1300-656-0x0000000140000000-0x000000014107A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Femordial.exegay.exeFemordial.exewinload64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Femordial.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gay.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Femordial.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winload64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

3 camo.githubusercontent.com
Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4808 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Femordial.exegay.exePrimordial.exeFemordial.exewinload64.exe

pid process

1524 Femordial.exe
1300 gay.exe
2756 Primordial.exe
1212 Femordial.exe
2756 Primordial.exe
2932 winload64.exe
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Femordial.exe:Zone.Identifier chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4192 2932 WerFault.exe winload64.exe

flow	ioc
3	camo.githubusercontent.com

pid	process
4808	tasklist.exe

pid	process
1524	Femordial.exe
1300	gay.exe
2756	Primordial.exe
1212	Femordial.exe
2756	Primordial.exe
2932	winload64.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

pid	pid_target	process	target process
4192	2932	WerFault.exe	winload64.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Femordial.exeFemordial.exePrimordial.exeschtasks.execmd.exetasklist.exefind.exetimeout.exewinload64.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Femordial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Femordial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Primordial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winload64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1436 timeout.exe

pid	process
1436	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133741785853603825"	chrome.exe

NTFS ADS 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Femordial.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Femordial.rar:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

704 schtasks.exe
4624 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

winload64.exe

pid process

2932 winload64.exe

pid	process
704	schtasks.exe
4624	schtasks.exe

pid	process
2932	winload64.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exeFemordial.exeFemordial.exePrimordial.exewinload64.exe

pid	process
1784	chrome.exe
1784	chrome.exe
1524	Femordial.exe
1524	Femordial.exe
1212	Femordial.exe
1212	Femordial.exe
2756	Primordial.exe
2756	Primordial.exe
2932	winload64.exe
2932	winload64.exe
2932	winload64.exe
2932	winload64.exe
2932	winload64.exe
2932	winload64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

1784 chrome.exe
1784 chrome.exe
1784 chrome.exe
1784 chrome.exe
1784 chrome.exe
1784 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: 33	1776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1776	AUDIODG.EXE
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

chrome.exe

pid	process
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Femordial.exePrimordial.exewinload64.exe

pid process

1524 Femordial.exe
2756 Primordial.exe
2932 winload64.exe

pid	process
1524	Femordial.exe
2756	Primordial.exe
2932	winload64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1784 wrote to memory of 4728	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 4728	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 2424	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 4520	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 4520	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1388	1784	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Primordial
1⤵
PID:3928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb3e95cc40,0x7ffb3e95cc4c,0x7ffb3e95cc58
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:72
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4392,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4736,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3400,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3444,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3468,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5576,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5572,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5264,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=868 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5272,i,6565268724349886288,75259564582895098,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4640
- C:\Users\Admin\Downloads\Femordial.exe
  "C:\Users\Admin\Downloads\Femordial.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\gay.exe
    "C:\Users\Admin\AppData\Local\Temp\gay.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1300
- - C:\Users\Admin\AppData\Local\Temp\Femordial.exe
    "C:\Users\Admin\AppData\Local\Temp\Femordial.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1212
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "TCP Service" /tr "C:\Windwos\System32\Boot\winload64.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp32BE.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp32BE.tmp.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4936
    - - C:\Windows\SysWOW64\tasklist.exe
        
        Tasklist /fi "PID eq 1212"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4808
    - - C:\Windows\SysWOW64\find.exe
        
        find ":"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
    - - C:\Windows\SysWOW64\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1436
    - - C:\Windwos\System32\Boot\winload64.exe
        
        "winload64.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2932
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "TCP Service" /tr "C:\Windwos\System32\Boot\winload64.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 2504
        6⤵
        Program crash
        
        PID:4192
- - C:\Users\Admin\AppData\Local\Temp\Primordial.exe
    "C:\Users\Admin\AppData\Local\Temp\Primordial.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2756

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2932 -ip 2932
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\28176ef5-018f-47ad-bec5-b0bee7cef3ad.tmp

Filesize
230KB

MD5
a49470832f543d90ebc0f4cd3773b94a

SHA1
981b7225aca21e08229d7ea0d77d3048e6dfa557

SHA256
9af76b444aa8a31fb5582b8846639b90babae9c359de14cb8e2a68c710b5f8ff

SHA512
afcf467f0ba744370e150e17765bac56a2a07f80c30a37311f420cf9aa1d41d6d9595020f629501efa9047758717c8886e2032dba12981be036255047a84310f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d59ad2bb2f561af94a3b10770e6a967b

SHA1
a2fc233b406b10f993e793652c3c5a7da45cd3bf

SHA256
8ff25ffc1f5544dd1c9cfa3f213dfb3d048d6ff26704a3317c56c5807dd4c73e

SHA512
26e85c4b4792eecffb0eb9faec34287ef35ee15c7c9e5ee4ca75c9f31722a4bd337f0b4a96af85db69e8da2f084e5b0337ea9feaa205168cd5379b2c91c1f05a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0c28ed50b166c752c31403dd90b948e4

SHA1
c59b2e4c2c11951611d00f8622b55d5170f7dc7b

SHA256
f29b69c74cdc458dc232e08f9a51f805901c723c831b4134c366eb6551254109

SHA512
c02cbfca3c0249e5b4c7c8b2231e1f8c5389bae0c4feb67e53e9d06a3e4fb11a1a4f0103987dc5b8b0aebf59bc701d13878e855e5e0f57f3f7152bc94590bd80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
ea973665015dd6b95bc97ce019644adb

SHA1
5abfba09b377355f945748d0aec4c6e254815ec5

SHA256
8cb08a52a156920dd3d3a18bbf2f0e032427fcb4f6c3e01c259556c05996a310

SHA512
0a8e2286ea25da60c74a2d2804474e60c0ba269a5253bb7bb451ee78b4f266991bc4064fddadb051cf01b0eb4e53dd3e607d24b7310fe84eebe677011ea45ef7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a54e88f28bbebec2b3b6059b2ed207f2

SHA1
f2a7b1a1f8fcd8db6dff3931db41a2863e42d535

SHA256
8298b3d492e6cdd89f3d553a7e151d0b86de241d45bf3c98fd8e71d75098e255

SHA512
94f68afdc905c47df667bab29a470f267f9c206b6496b7d37462eea7549c331d19f2f1f900a2e9ed67f01140768018bd85f4f067eb42a826d4e78da55329f9c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
66da6b732f05f62da3e7b69c7bc9330d

SHA1
e17959726829f683539e9da13cdc12a9d686bdbe

SHA256
5d294386a442e979008323299456613b0a68c7cc59f4e23f33054ebaef83c2bd

SHA512
e2d9e657aac983c296abf4b87c7e52e6cc66ac314caaeb8b0fbb96064ac686adb9adc7a0113b4ee69c3648da523e2b98d2f29a49344272782863d2c6215a214b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
fb8f0db28f1a0544c5e951e1fbab463c

SHA1
7a514e556af5cf926756683a6c1986f3f479af72

SHA256
ca4cefe5976ff5556b0b08d6a3bcadf1a92be507942d2bf1bdb065c8dbdf0195

SHA512
0817f510e39485d34a51c0698dee2e45c0de74e82cdd7bfb94c2cf302ae6ea19b94dd5a653b41d150d24f48bbb9b37ea6f975a967205ddfa3bde00ef70eb7d6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f434253d2d4c45ba4bb1c9074d2ef127

SHA1
05a6e5354f7c878178c1a5f13e54e3d066e7d00a

SHA256
7aa574a37d8d4a628590aadb38dea81bddbd975cb3b0b9d9efc0397165d3e644

SHA512
27864ead44dfd9da3d95567644ed5c6eebb94b8408752d3c785eea35c6887e76a122f7f6ed3444f6ccdaee85ec340b45b1a6e2b84d06aeb42cdacdf4139575fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e29a6a3ed401830017712404eebe8058

SHA1
3678c1406294ed39efa76ba1413175a09c32301d

SHA256
632096c6e6bd2bb454bfec8b82735e3c1b219083e991e12b4668caf4aedc355c

SHA512
49da2fd57484d821457f73959ea965b6fd68c0a027cc139c1614035d5dcf86a606f6dc58c1b262f3859a5aa76753148642a9ee6dd83446084e6caa6dd91efcbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
974b1214ac2ac6029c6d4b7fc0b6a163

SHA1
81147f616a6484ff65e23e3fe55ce6e2ab261b8f

SHA256
d10e0c60608dbe98e5495e91e7ff65c786cda5cf1ad01701febc594c3749cfb3

SHA512
fa120af1194825aaeddeb34c36bb8e8ea79762dcc2c30d3a9a3a9fd22319f9694b929fa6ac91b5851c1576a32aee6777e40abe2d4a4988aa0f750c9487d80df5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6dff130b149911450ef1f86da2cfc405

SHA1
a13adc45e50d8eb2632e15526cf49446e4c08338

SHA256
72e57ee98af3ceb90db1c2ec6040f1d8235872167e720631f6620bfbddb29298

SHA512
d3db12c1a46b895f38b09e404e3822a977eb83e486a96ae7f480001c657755533310583cf7b80e4f34ba5bdbccb75e30b75fc8b9865fd595ede3a33224603775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da99632628278869bbe9ad1a95081b2c

SHA1
eebdea0bc519b851e3e91897047da790c796ab8b

SHA256
402a6fa95941f9edda3c710424fb88c684740f416028b4ca6abb63272ce9aa5e

SHA512
011688bb2a40dd8cafe625840916fdc1ee4a82061c90bd7fff9b2e6642a2bf721ab33c0ee81024f7a50981a75408a205ac6c75a8dc0f8fd6aee788e77b82d850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
80cae1c3f132f8665dfd3aad0f1756b9

SHA1
d63d6a0e546613099efa704b58a5d429a2abb8df

SHA256
dcde119a2110430f55163ee212acbb320df76a4d7095b0248d29f51c9c2bc414

SHA512
3580a4942f997a7e03aa95c9bddb177659975343e23239365d5aa3012ec41c8eb57b6a5a1e7921eec8929a69033a5697533b4f5fb8dba1eb0933847485b948b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fcc9c7c4cb21923f298f4a1050ae6223

SHA1
ea3725996814f3773c67361e6c5cbfafe1fc3389

SHA256
74f7a3e167f4a022e5a5cd6fccd47187fbbfbc70e9bb23f0d633ed4901e19788

SHA512
dccce4569af65559b53beb2abb8aac7f243930a9c4f612eebb9a11bd587b6c3573956e00d951de88f5c673c26b15b114e29c1a2a2a1fc771a949f9f6cdd70714

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6d552ac562b2896bc74975419b8aee62

SHA1
388cbe6e08a4a14a2dd5bd6e697c00984d7199cb

SHA256
9f73d1d32f2ec3cf1be9e874edbb5c5266fb54061c80f6d96553461a1fcdab64

SHA512
7125f34c1a23e03f2bcb770082a4352b2c37a8be37b8180aa9cec4e31d731c2c223d7c5a5168046da8fd8e94b338621b1616cdb9c6ab874709007054fa8a4703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3e3d1cfd5f0fbef1f5dfa2f02a7ddf97

SHA1
8168069e310ab40e1480ae3f8da2fa87f79a6175

SHA256
c25ba81652a851ade84108c68dde8fe22a14d808f648f96ba8f48793336ed341

SHA512
4c7c394dca2ce850dcbe5223358a31015a3463b9278ff1e907a612753d3ac8394f5b741343d9ffbdb915b868b1479a235ba8668730e677de07102dcfa523a436

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
0c88e3c712de2c816d02867c5f6de1ec

SHA1
11a7336707daa6b12c1019b6c93ad5c2cbbfdc8a

SHA256
f69848581f2d1ea54f809c3bd09f1e887b1dadcb2e8618c8dfee0fecd569d003

SHA512
1eca4fb82d4adabd4d4490c051e04b859049ba0d3bbba077538b86883c5c5cc2015de48ce319566f0e60d8edbd304977042caa6ef8fa9cc301e093cebaed12c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Femordial.exe

Filesize
4.1MB

MD5
52c2c8f32ec5d0be08f4dd5836a841bd

SHA1
5f02924b99dc2fecee1bc548cccf3f4e13ab1d21

SHA256
2f8685139340dce1783992c772fcac66b58cb3a79633662735ad3e74231bc425

SHA512
a5e3096d5f478dce04dcdeb29305a6c4f7439d9c2340247577c2668d2315b969084fdbba66ef2df3bfc5ee1e2c466ea70330190e2a4f39f62305ff25552031cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Primordial.exe

Filesize
17.4MB

MD5
1446e59018110a69e4ca0ef3e59824a4

SHA1
09fad19371fbf8a0ef465b196929fec3b1cf9a47

SHA256
61dd79a1c7dc1df74b426016deec513ba6d02caf6a5c7036a4cc81dee4ca73f2

SHA512
77dcbf81e3f2a706b45e5aca2b0b95dcb2f826c560491ee4fce21386cb707874ed1277dcb54a1da019d477916f8379449bb77e01ae8a6a7ae1f1f0e94b869a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\gay.exe

Filesize
9.7MB

MD5
45a95950e2729f636409be502fe19458

SHA1
6a5162a32ff97ac61c2872973b9e080e2ba7c3ce

SHA256
f365b460aae3c1170681d91c25892d855d1d5926cccf5aae504b33a7a4bad545

SHA512
688b65acd1c8e06b13f70a7738430c46c4303da58baf957cd4e7120e05c1fc97289197577e70d2c214e386a53a3a120c0fbe7c60315b200cefd1f917f23c9704

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp32BE.tmp.bat

Filesize
199B

MD5
7346701bc3bc1e1e07a6e2f40894b941

SHA1
77c6c858ca8e242c95fd6567e0584f464288ea48

SHA256
0eb989de169e85b5eddaded1e7fb5eeeecb6af906e69e9b9ef5da718e648440e

SHA512
183c2746d986abad7148c80963e10e208dcfeaaa3fd0b2916b44e270a48d0661f0f0d06f9ea296011b462de4afef873d22b8a314c729ca54037e1fad409b562c

Download Submit
C:\Users\Admin\Downloads\Femordial.exe

Filesize
34.6MB

MD5
9892c34aa46be5d6f884f95b7caf8b08

SHA1
df5f729d4f72e85a2a3fd9a6b2b3b0f5ac1c8eab

SHA256
d017c49fad2bf041c9fb5a717258740b440392a357171ac46e76e24b60bad388

SHA512
80ae58a429bf081119b6448f560e3da9ea16757b1ad533f170d25d0ead18fc62fbd1a6a0e54a2aa2222fc1bbd230b2d98baaf6f1947f90404025eca1db28ee62

Download Submit
C:\Users\Admin\Downloads\Femordial.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_1784_MYQWCXRNQYKLPXSL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1212-624-0x00000000057F0000-0x0000000005D96000-memory.dmp

Filesize
5.6MB

Download
memory/1212-641-0x0000000000400000-0x0000000000F48000-memory.dmp

Filesize
11.3MB

Download
memory/1212-614-0x0000000000400000-0x0000000000F48000-memory.dmp

Filesize
11.3MB

Download
memory/1212-625-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/1212-623-0x0000000000400000-0x0000000000F48000-memory.dmp

Filesize
11.3MB

Download
memory/1212-622-0x0000000000400000-0x0000000000F48000-memory.dmp

Filesize
11.3MB

Download
memory/1300-613-0x0000000140000000-0x000000014107A000-memory.dmp

Filesize
16.5MB

Download
memory/1300-607-0x0000000140000000-0x000000014107A000-memory.dmp

Filesize
16.5MB

Download
memory/1300-656-0x0000000140000000-0x000000014107A000-memory.dmp

Filesize
16.5MB

Download
memory/1524-621-0x0000000000400000-0x0000000002BEB000-memory.dmp

Filesize
39.9MB

Download
memory/1524-586-0x0000000000400000-0x0000000002BEB000-memory.dmp

Filesize
39.9MB

Download
memory/1524-580-0x0000000000400000-0x0000000002BEB000-memory.dmp

Filesize
39.9MB

Download
memory/2756-647-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2756-652-0x00000000040C0000-0x0000000004125000-memory.dmp

Filesize
404KB

Download
memory/2756-648-0x0000000000400000-0x0000000002363000-memory.dmp

Filesize
31.4MB

Download
memory/2932-654-0x0000000000400000-0x0000000000F48000-memory.dmp

Filesize
11.3MB

Download
memory/2932-655-0x0000000000400000-0x0000000000F48000-memory.dmp

Filesize
11.3MB

Download
memory/2932-645-0x0000000000400000-0x0000000000F48000-memory.dmp

Filesize
11.3MB

Download
memory/2932-657-0x0000000006B80000-0x0000000006B8A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads