gh0strat | f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6

Analysis

max time kernel
131s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 21:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
Size

1.2MB
MD5

b47b227c2d8be3a9affe4c26db721b07
SHA1

8dfcb71d2c8b4d7e7592a872b528f8abb083bc76
SHA256

f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6
SHA512

11d62792b0594fdf5ec87588997a84e70dec7c76585a6f6d8aba28bd1167ba2eb229b29a5de6039085547c5b31ee26fd5f1d9c267e2a8be142cf784d27177445
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtiJ:WIwgMEuy+inDfp3/XoCw57XYBwKJ

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2568-26-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/2568-25-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/2716-34-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/2716-33-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/5088-44-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/5088-48-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/5088-49-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024251-17.dat	family_gh0strat
behavioral2/memory/2568-26-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/2568-25-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/2716-34-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/2716-33-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/5088-44-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/5088-48-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/5088-49-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Ghiya.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Ghiya.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	svchcst.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

Executes dropped EXE 11 IoCs

pid	Process
1400	AK47.exe
4388	AK47.exe
2568	AK74.exe
2716	Ghiya.exe
5088	Ghiya.exe
924	svchcst.exe
760	AK47.exe
4828	AK47.exe
2736	AK74.exe
6088	Ghiya.exe
3816	Ghiya.exe

Loads dropped DLL 2 IoCs

pid	Process
4388	AK47.exe
4828	AK47.exe

VMProtect packed file 11 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2216-0-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2216-1-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/files/0x000800000002425d-56.dat	vmprotect
behavioral2/memory/924-94-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2216-100-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2216-104-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2216-107-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2216-111-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2216-114-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2216-117-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2216-120-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240610984.txt	AK47.exe
File created	C:\Windows\SysWOW64\240610984.txt	AK47.exe
File created	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File opened for modification	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File created	C:\Windows\SysWOW64\240613093.txt	AK47.exe
File created	C:\Windows\SysWOW64\240613093.txt	AK47.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2568-26-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2568-25-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2568-23-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2716-34-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2716-33-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2716-31-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/5088-44-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/5088-48-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/5088-49-0x0000000010000000-0x00000000101BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4896	4388	WerFault.exe	87
6140	1400	WerFault.exe	86
2700	4828	WerFault.exe	107
5532	760	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
976	cmd.exe
5768	PING.EXE
2860	cmd.exe
5860	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5860	PING.EXE
5768	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5088	Ghiya.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2568	AK74.exe
Token: SeLoadDriverPrivilege	5088	Ghiya.exe
Token: SeIncBasePriorityPrivilege	2736	AK74.exe
Token: 33	5088	Ghiya.exe
Token: SeIncBasePriorityPrivilege	5088	Ghiya.exe
Token: 33	5088	Ghiya.exe
Token: SeIncBasePriorityPrivilege	5088	Ghiya.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
924	svchcst.exe
924	svchcst.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1400	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	86
PID 2216 wrote to memory of 1400	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	86
PID 2216 wrote to memory of 1400	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	86
PID 2216 wrote to memory of 4388	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	87
PID 2216 wrote to memory of 4388	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	87
PID 2216 wrote to memory of 4388	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	87
PID 2216 wrote to memory of 2568	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	95
PID 2216 wrote to memory of 2568	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	95
PID 2216 wrote to memory of 2568	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	95
PID 2568 wrote to memory of 976	2568	AK74.exe	97
PID 2568 wrote to memory of 976	2568	AK74.exe	97
PID 2568 wrote to memory of 976	2568	AK74.exe	97
PID 2716 wrote to memory of 5088	2716	Ghiya.exe	98
PID 2716 wrote to memory of 5088	2716	Ghiya.exe	98
PID 2716 wrote to memory of 5088	2716	Ghiya.exe	98
PID 2216 wrote to memory of 4940	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	101
PID 2216 wrote to memory of 4940	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	101
PID 2216 wrote to memory of 4940	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	101
PID 2216 wrote to memory of 4804	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	100
PID 2216 wrote to memory of 4804	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	100
PID 2216 wrote to memory of 4804	2216	f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe	100
PID 4808 wrote to memory of 924	4808	cmd.exe	104
PID 4808 wrote to memory of 924	4808	cmd.exe	104
PID 4808 wrote to memory of 924	4808	cmd.exe	104
PID 924 wrote to memory of 760	924	svchcst.exe	106
PID 924 wrote to memory of 760	924	svchcst.exe	106
PID 924 wrote to memory of 760	924	svchcst.exe	106
PID 924 wrote to memory of 4828	924	svchcst.exe	107
PID 924 wrote to memory of 4828	924	svchcst.exe	107
PID 924 wrote to memory of 4828	924	svchcst.exe	107
PID 976 wrote to memory of 5768	976	cmd.exe	112
PID 976 wrote to memory of 5768	976	cmd.exe	112
PID 976 wrote to memory of 5768	976	cmd.exe	112
PID 924 wrote to memory of 2736	924	svchcst.exe	113
PID 924 wrote to memory of 2736	924	svchcst.exe	113
PID 924 wrote to memory of 2736	924	svchcst.exe	113
PID 2736 wrote to memory of 2860	2736	AK74.exe	115
PID 2736 wrote to memory of 2860	2736	AK74.exe	115
PID 2736 wrote to memory of 2860	2736	AK74.exe	115
PID 6088 wrote to memory of 3816	6088	Ghiya.exe	116
PID 6088 wrote to memory of 3816	6088	Ghiya.exe	116
PID 6088 wrote to memory of 3816	6088	Ghiya.exe	116
PID 2860 wrote to memory of 5860	2860	cmd.exe	118
PID 2860 wrote to memory of 5860	2860	cmd.exe	118
PID 2860 wrote to memory of 5860	2860	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
"C:\Users\Admin\AppData\Local\Temp\f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 488
    3⤵
    - Program crash
    PID:6140
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  C:\Users\Admin\AppData\Local\Temp\\AK47.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 424
    3⤵
    - Program crash
    PID:4896
- C:\Users\Admin\AppData\Local\Temp\AK74.exe
  C:\Users\Admin\AppData\Local\Temp\\AK74.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1400 -ip 1400
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4388 -ip 4388
1⤵
PID:5820

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\AK47.exe
    "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 364
      4⤵
      Program crash
      PID:5532
- - C:\Users\Admin\AppData\Local\Temp\AK47.exe
    C:\Users\Admin\AppData\Local\Temp\\AK47.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 428
      4⤵
      Program crash
      PID:2700
- - C:\Users\Admin\AppData\Local\Temp\AK74.exe
    C:\Users\Admin\AppData\Local\Temp\\AK74.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4828 -ip 4828
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 760 -ip 760
1⤵
PID:1992

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6088
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:3816

Network

DNS

cf1549064127.f3322.net

Ghiya.exe

Remote address:

8.8.8.8:53

Request

cf1549064127.f3322.net

IN A

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2FAABF6A5C766B74119BAAD65D966AA1; domain=.bing.com; expires=Tue, 21-Apr-2026 21:35:59 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2A1BADE3BF16422FA8895FF28397FBDD Ref B: LON04EDGE1208 Ref C: 2025-03-27T21:35:59Z
date: Thu, 27 Mar 2025 21:35:59 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2FAABF6A5C766B74119BAAD65D966AA1

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=kpOsZMsxZIjecJA_c1_HLFEa9BlCuTZtBZjCa-SiKdQ; domain=.bing.com; expires=Tue, 21-Apr-2026 21:35:59 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AFBC317D36554E848856D30B1847B144 Ref B: LON04EDGE1208 Ref C: 2025-03-27T21:35:59Z
date: Thu, 27 Mar 2025 21:35:59 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2FAABF6A5C766B74119BAAD65D966AA1; MSPTC=kpOsZMsxZIjecJA_c1_HLFEa9BlCuTZtBZjCa-SiKdQ

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D9063D98C2BC4053BB7476D8921D710F Ref B: LON04EDGE1208 Ref C: 2025-03-27T21:35:59Z
date: Thu, 27 Mar 2025 21:35:59 GMT
DNS

cf1549064127.f3322.net

Ghiya.exe

Remote address:

8.8.8.8:53

Request

cf1549064127.f3322.net

IN A

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 695371
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8BA059622DA2488D837ABA7C4B614886 Ref B: LON04EDGE0713 Ref C: 2025-03-27T21:36:37Z
date: Thu, 27 Mar 2025 21:36:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340417880_1PRMSECURT9IUDN7Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340417880_1PRMSECURT9IUDN7Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 502729
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0AE0636891C64E5C89A44716A97ECCF2 Ref B: LON04EDGE0713 Ref C: 2025-03-27T21:36:37Z
date: Thu, 27 Mar 2025 21:36:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359734403_1QUIFQSNPPFE4TECL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239359734403_1QUIFQSNPPFE4TECL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 737279
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8C20B36E309D4CB68AC4FF9B65DF023E Ref B: LON04EDGE0713 Ref C: 2025-03-27T21:36:37Z
date: Thu, 27 Mar 2025 21:36:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 747785
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4B0C406E1B84405A8C92EB41F0FE45EB Ref B: LON04EDGE0713 Ref C: 2025-03-27T21:36:37Z
date: Thu, 27 Mar 2025 21:36:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418534_1SATV94N425TECTRU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418534_1SATV94N425TECTRU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 473680
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9EBF3B3129AB42A691BA5B2214853508 Ref B: LON04EDGE0713 Ref C: 2025-03-27T21:36:37Z
date: Thu, 27 Mar 2025 21:36:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 818456
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BC9DEE275C434F738C55A22AF23173BA Ref B: LON04EDGE0713 Ref C: 2025-03-27T21:36:38Z
date: Thu, 27 Mar 2025 21:36:37 GMT
DNS

cf1549064127.f3322.net

Ghiya.exe

Remote address:

8.8.8.8:53

Request

cf1549064127.f3322.net

IN A

Response
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.227
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.179.227:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Thu, 27 Mar 2025 20:58:28 GMT
Expires: Thu, 27 Mar 2025 21:48:28 GMT
Age: 2337
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding
DNS

cf1549064127.f3322.net

Ghiya.exe

Remote address:

8.8.8.8:53

Request

cf1549064127.f3322.net

IN A

Response
DNS

cf1549064127.f3322.net

Ghiya.exe

Remote address:

8.8.8.8:53

Request

cf1549064127.f3322.net

IN A

Response

43.249.193.73:54997

f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

260 B
5
150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

tls, http2

2.0kB
9.4kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=6c6abf2f91aa44979ef296072745a296&localId=w:F0FEBB8E-8133-CF04-82BA-93AC06D5D739&deviceId=6896216935726017&anid=

HTTP Response

204
43.249.193.73:54997

f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

260 B
5
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

143.8kB
4.1MB
2977
2971

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360432892_19VCX0OIIPQAUNJ24&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340417880_1PRMSECURT9IUDN7Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359734403_1QUIFQSNPPFE4TECL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360432890_1TOC5U5IB565A9QI0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418534_1SATV94N425TECTRU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
43.249.193.73:54997

f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

260 B
5
43.249.193.73:54997

f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

260 B
5
43.249.193.73:54997

f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

260 B
5
142.250.179.227:80

http://c.pki.goog/r/r1.crl

http

384 B
355 B
4
3

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304
43.249.193.73:54997

f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

260 B
5
43.249.193.73:54997

f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

260 B
5

8.8.8.8:53

cf1549064127.f3322.net

dns

Ghiya.exe

68 B
129 B
1
1

DNS Request

cf1549064127.f3322.net
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

cf1549064127.f3322.net

dns

Ghiya.exe

68 B
129 B
1
1

DNS Request

cf1549064127.f3322.net
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

cf1549064127.f3322.net

dns

Ghiya.exe

68 B
129 B
1
1

DNS Request

cf1549064127.f3322.net
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.227
8.8.8.8:53

cf1549064127.f3322.net

dns

Ghiya.exe

68 B
129 B
1
1

DNS Request

cf1549064127.f3322.net
8.8.8.8:53

cf1549064127.f3322.net

dns

Ghiya.exe

68 B
129 B
1
1

DNS Request

cf1549064127.f3322.net

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
29ce53e2a4a446614ccc8d64d346bde4

SHA1
39a7aa5cc1124842aa0c25abb16ea94452125cbe

SHA256
56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

SHA512
b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1f76810769d2c15763800e78f28708a2

SHA1
60f58079c5bce326b2453af899c2b8d370e6fc26

SHA256
05e69f65c3a9a196bfc27a42f4dca91c3103cb058adc5b15478c87f69b219fc4

SHA512
492da02159da233413b4462514f0074e7609af39528ca1be4abf3610a129f5357f07f449f4792ebff8edf35b7927e67085bf3dcb7117318e7e08f231c4af9eef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
83e43e6366aeffce1a18627c33004d8c

SHA1
d2c4120f80570248e1236a7980ea037086c138dd

SHA256
cacb3ad27fda63a936b2c3fdf8b3b696430d0cff6d043f515252bfde05b6e025

SHA512
8249c455e1bbccb029e1e123762672baa77d589beb73f6424e736d828fe7278fa5a622cf0340e4f182a8f5eacbcd3292a934c643da6ef1d175b4ab4cbad89204

Download Submit
C:\Windows\SysWOW64\240610984.txt

Filesize
49KB

MD5
d1928007e76f6138401084487bd8401d

SHA1
7025ed913413ceb854584b5ea7c0a860cb6cdf88

SHA256
b62f5cde79dabd73ddb79576685e34fabacfe5e052bf2adc57bf07ca9013c943

SHA512
7a935542b30531cabb55a278f9e283090a80592ff639c3a1ce4fc13562e494084206b1c1e76e18ddf6d774b8f98f9d96022032c680205065a405ef104a4434ca

Download Submit
memory/924-94-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2216-114-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2216-117-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2216-0-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2216-111-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2216-107-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2216-104-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2216-100-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2216-120-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2216-1-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2568-25-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2568-23-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2568-26-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2716-31-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2716-33-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2716-34-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/5088-49-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/5088-48-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/5088-44-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.