danabot | 5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1

Resubmissions

20-06-2024 20:22

240620-y5qgrazfkk 10

20-06-2024 18:55

240620-xkvejawhkq 10

Analysis

max time kernel
130s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 18:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Loader.exe
Size

16.6MB
MD5

d4c24856daa2edf79bd799e83f0a7e68
SHA1

6d75c42674416078e020060ace152eb94b0a47fc
SHA256

5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1
SHA512

6b94b058c08c33cebdbcf8af3c30aec45695cad4f210db76da19c61c057bbbb3383e380d05fd100b976a04c445f8c0283a87584d9ea2f0b3647ae9730b94aa81
SSDEEP

393216:qlJ41TXb46gZ9A9xLj7wAAA7AnxsdAAnBoVakGUIQUTAp:cKl4GL3X7eVAn6VakGUIop

Score

10^/10

danabot mimikatz banker bootkit botnet evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot x86 payload 1 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
botnet

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll family_danabot
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll	family_danabot

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ loader.exe
mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\1CE5.tmp mimikatz
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

111 2124 rundll32.exe
126 2124 rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1CE5.tmp	mimikatz

flow	pid	process
111	2124	rundll32.exe
126	2124	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe

Executes dropped EXE 7 IoCs

Processes:

loader.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe1CE5.tmp

pid process

4540 loader.exe
700 icsys.icn.exe
964 explorer.exe
3608 spoolsv.exe
5008 svchost.exe
1876 spoolsv.exe
1036 1CE5.tmp
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exerundll32.exe

pid process

4152 regsvr32.exe
2124 rundll32.exe
1388 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4540	loader.exe
700	icsys.icn.exe
964	explorer.exe
3608	spoolsv.exe
5008	svchost.exe
1876	spoolsv.exe
1036	1CE5.tmp

pid	process
4152	regsvr32.exe
2124	rundll32.exe
1388	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

loader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA loader.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exePetya.A.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe
File opened for modification \??\PhysicalDrive0 Petya.A.exe
Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

loader.exe

pid process

4540 loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	Petya.A.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

pid	process
4540	loader.exe

Drops file in Program Files directory 56 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrome.7z	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{F0237BE9-D6E4-4703-93AC-27360BF5E970}\EDGEMITMP_1D2FD.tmp\MSEDGE.PACKED.7Z	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jawt.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h	rundll32.exe
File opened for modification	C:\Program Files\RenameUninstall.pptx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	rundll32.exe
File opened for modification	C:\Program Files\SendShow.zip	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	rundll32.exe

Drops file in Windows directory 9 IoCs

Processes:

explorer.exeNotPetya.exerundll32.exeLoader.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File created	C:\Windows\dllhost.dat	rundll32.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Loader.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4548 432 WerFault.exe DanaBot.exe

pid	pid_target	process	target process
4548	432	WerFault.exe	DanaBot.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633833312260824"	chrome.exe

Modifies registry class 18 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exechrome.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3692 schtasks.exe

pid	process
3692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Loader.exeicsys.icn.exe

pid	process
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
1888	Loader.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe
700	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

explorer.exesvchost.exeOpenWith.exe

pid process

964 explorer.exe
5008 svchost.exe
4936 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

5088 chrome.exe
5088 chrome.exe
5088 chrome.exe
5088 chrome.exe
5088 chrome.exe
5088 chrome.exe

pid	process
964	explorer.exe
5008	svchost.exe
4936	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe
Token: SeShutdownPrivilege	5088	chrome.exe
Token: SeCreatePagefilePrivilege	5088	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe
5088	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Loader.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeNotPetya.exeOpenWith.exe

pid	process
1888	Loader.exe
1888	Loader.exe
700	icsys.icn.exe
700	icsys.icn.exe
964	explorer.exe
964	explorer.exe
3608	spoolsv.exe
3608	spoolsv.exe
5008	svchost.exe
5008	svchost.exe
1876	spoolsv.exe
1876	spoolsv.exe
3988	OpenWith.exe
3736	OpenWith.exe
4588	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3736	OpenWith.exe
3736	OpenWith.exe
2976	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4656	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
4588	OpenWith.exe
2976	OpenWith.exe
2976	OpenWith.exe
2976	OpenWith.exe
2976	OpenWith.exe
2976	OpenWith.exe
2976	OpenWith.exe
2976	OpenWith.exe
2976	OpenWith.exe
3652	OpenWith.exe
4656	OpenWith.exe
4656	OpenWith.exe
428	OpenWith.exe
4616	OpenWith.exe
2968	OpenWith.exe
4988	OpenWith.exe
3688	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
4988	OpenWith.exe
1372	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3444	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
3688	OpenWith.exe
2956	OpenWith.exe
4788	OpenWith.exe
3144	OpenWith.exe
8	NotPetya.exe
4936	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exechrome.exe

description	pid	process	target process
PID 1888 wrote to memory of 4540	1888	Loader.exe	loader.exe
PID 1888 wrote to memory of 4540	1888	Loader.exe	loader.exe
PID 1888 wrote to memory of 700	1888	Loader.exe	icsys.icn.exe
PID 1888 wrote to memory of 700	1888	Loader.exe	icsys.icn.exe
PID 1888 wrote to memory of 700	1888	Loader.exe	icsys.icn.exe
PID 700 wrote to memory of 964	700	icsys.icn.exe	explorer.exe
PID 700 wrote to memory of 964	700	icsys.icn.exe	explorer.exe
PID 700 wrote to memory of 964	700	icsys.icn.exe	explorer.exe
PID 964 wrote to memory of 3608	964	explorer.exe	spoolsv.exe
PID 964 wrote to memory of 3608	964	explorer.exe	spoolsv.exe
PID 964 wrote to memory of 3608	964	explorer.exe	spoolsv.exe
PID 3608 wrote to memory of 5008	3608	spoolsv.exe	svchost.exe
PID 3608 wrote to memory of 5008	3608	spoolsv.exe	svchost.exe
PID 3608 wrote to memory of 5008	3608	spoolsv.exe	svchost.exe
PID 5008 wrote to memory of 1876	5008	svchost.exe	spoolsv.exe
PID 5008 wrote to memory of 1876	5008	svchost.exe	spoolsv.exe
PID 5008 wrote to memory of 1876	5008	svchost.exe	spoolsv.exe
PID 5088 wrote to memory of 2308	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 2308	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 3564	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 904	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 904	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe
PID 5088 wrote to memory of 4284	5088	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

\??\c:\users\admin\appdata\local\temp\loader.exe
c:\users\admin\appdata\local\temp\loader.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4540

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:700

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde7ebab58,0x7ffde7ebab68,0x7ffde7ebab78
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:2
2⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:1
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:1
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3644 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:1
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2296 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:1
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5040 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:1
2⤵
PID:3764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3216 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:1
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:8
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1940,i,15125080220589900472,15728065175936312241,131072 /prefetch:2
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
PID:432

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.exe@432
2⤵
- Loads dropped DLL
PID:4152

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 460
2⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 432 -ip 432
1⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\NotPetya.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\NotPetya.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:8

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1388

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 19:60
3⤵
PID:1984

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 19:60
4⤵
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Users\Admin\AppData\Local\Temp\1CE5.tmp
"C:\Users\Admin\AppData\Local\Temp\1CE5.tmp" \\.\pipe\{EB7619F1-5F2F-4A56-8AAD-A73DC34DBF6F}
3⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4936

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Petya.A.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Petya.A.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:4148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
f5292db3c1a566b1255f0533bde82538

SHA1
6b7be6f20b114db888d1ab4dd2d0c3aa4f4b4618

SHA256
01d2c894eba24239a09fb6744c91c40f83a9669e25999375124a134e86b23960

SHA512
85682c2db058601f3b42488a91a5cbf793540cce7cec032d73fb0ddf1c1118d10c019c8045e04a04100cd8433504d00f7f145727d03da63780c68b872de2cf82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
4da09b5b4f50555bbe9e0a5f9e012074

SHA1
f680732452859a740f1294493e581de750824ba7

SHA256
f415d2995e16d04a4e76042b5afbd42ca16ab1398e7ab0cf41fe5b07566b5996

SHA512
cdce93b6b5d8d01b52ba7599594b9f97818a555db9f86945b79434a8916bdc2da212cb4f176379e75b6a46c3d593c76d3db2fd2e06d87fad25d6e0ae460c20ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
690B

MD5
f80dfe0c938847dbe9a7d92cdcfaac93

SHA1
2b04a72aa54c39c7533aa233f5977e1c2460206c

SHA256
d393b6de78a55680a399db214da6a31106fd0e6c4c583b487903ec350305db08

SHA512
ff05e61d75625ee1654de6ce5f0931d4732b1447b398a2df61ab865f75c25df2db6bccc124475a26e7a0e79d000e3f627d3b78ea4a8bc365caba09d1a199f4cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
e0ca205e79d06e044fc3449d52c0d3b1

SHA1
aa1583c35a12ff191f5818b8839c7a8cb2045608

SHA256
fec81f9f64e5316891476ad0e0843b84d3b9c96bb4ea4e152915a70cb5cb89ed

SHA512
142713ddcdfa422980635c11325b7b865ab54c761da16ef88fdea871e2c19663b9757e923bfbbe9e46a9a3b606b1cf1075cb89c3b5ab420b8416ee2906e174a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
371e9a80bfcf771cba76ae32b96044c6

SHA1
6c66e57fc1cf9ec08b76439a426bf8d32aa2ff01

SHA256
bf998e6f3690cfb8a25450dc8afd198c51271da87e0908459e96ded170b417ea

SHA512
a8249f2790d2ebb51347f5854c8952e74496d7f5f2d0ab49aae834a397431f63ac606643768821f0e47222c85b43c353632d47381fe5776b5398ecdb627567ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
de4c437b848de62cab7b2fce1cbf05b7

SHA1
f6785f09116661edc7f8d2de47d9544ab807f5fe

SHA256
17c8053bbcd5a6ada5763cfc734340408269be9df79752483564c97d56b32197

SHA512
18d88445a28af4c0b3af0f2fbdf75005996463cb841ae12a31bc200b59a6d2ce10d42c5c5dd372178c00d113211bcfe91fa1f7a23c42111884933bc52a1d7963

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
11aeff9cf80f969cc02ddd49246bf876

SHA1
8589fdc969201ca00417936fe1078950125aa91a

SHA256
093c54d92046820ca746bf8e1a53394d5b0c4adcafc3ee10d0d06f8ec649c0c0

SHA512
291f20ab281eea5261e503536ebea5db6906c4cc4b1175b2eb592663fc0c911c7350f8a4bb54fc570576f454fdaa5df4fdcdde7ba7d6af7ea314b20675aad791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
db960897910290b123cba47ddcafc9f0

SHA1
c6872cb4bc60daaa9a4bad6a196d88438be96b94

SHA256
b3bad088438c87a56a818e225dcb5ca18d2c5a99d26a0fd6be15eeaf488b456a

SHA512
36aefaa784023f6d83b2be1c1a0abe7652eef1ed81f5c9c9e410c754cd2e7a530bc988f5023e6b6b47f0844ce459f0b972a83fb8b4e84351532100d6d4d6eb7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB

MD5
765ec8970b7de8a85777515f4cfbc808

SHA1
f6c1b1e5e3a728fea4a2ae19242c7184561d4885

SHA256
6974ec9730c6f3af6c4ca5740ca825c083f72bbc2b3ab5124d65e4f9ccd6ee84

SHA512
cf415cdffcf38082439258575e711e8b4e6b8f860e6123da6aed2708a680682a413b2c4fdcd9d113a7170d0a74f13ea6b8a1057017782c3f70415b9343264ecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
96KB

MD5
ebfcc03e24b071e92df299535f8c4f46

SHA1
e1655bf71241c611904c3543076df9c5876dd64c

SHA256
7b36ca0dcd2e22ccddba45769c36d4f0f81f890aac2296ff64ba7153a5ce6664

SHA512
eaf2180e4082ac143dbb5653e1369ba4412ba917f2cc8be2dd2bdc3b06967f20a5610326109f4db811eb086c7a99536c84499ca8703697f1429905a312662c2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
93KB

MD5
c1490502674558bf93391f8ec2df3cd5

SHA1
82f6abec2df00ce6c115d9c7dce059a9bcf305e6

SHA256
c45371be24d57bf37f4b74df7c7c5cbdb5abb5c45cedafec9e05524fd84359d7

SHA512
83a9c5fa4f222df386d8ec45977b85d3c2a5f3474e14a46b4b1e43cf7b02d93411ae9d7887d72ea0e240680061603e349249e9aa0eba460123348cff96764ebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580d69.TMP
Filesize
87KB

MD5
5c5d56898c61c2d158aec9b7f513ceeb

SHA1
e3a3cd6d9ea46c9a494b5d0dd684e7f460015489

SHA256
b9f764a01398a48eaf29ccb4ac20accd61aa823016c2a1ba3ea056b9bb65e239

SHA512
b43abb9007543e7275f4a954b8f1bdebc963a7d64fb71945352aa48e43cd20e6f1200bf1d8c96bacafc432af0b651d0c552d6c0bef631cb33cf866ce7e54cbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CE5.tmp
Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll
Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe
Filesize
16.4MB

MD5
771eb39dd1312a63bb974018cb70d1b4

SHA1
94d751af62d417ff127ec0890179b5412b5e9e41

SHA256
98007690007fc38b33912f4113ccd7ddddbf881adfea23bf5cf53031666f2cfb

SHA512
4f9c5cefb8d9329ca7145fe15c0ab8bc445e5b9430776eaf06c51e810c14cb96a6cb679e36cf5713c3f1576e26199b72d6a8b1c819305a7d18f4c59b39e32af5

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
a9df3d5c780a576447f4e725b29438cc

SHA1
db6b99ab600e1c277e23794cc85408a9e5db78ed

SHA256
a4621de8673399623b56654849b3fe124844418dc867de4353a66ee20f1d2dd9

SHA512
42d585ced63c763133e89e5b615827307c2873e317b1deb01a193e183b1f09a40d11a1ac501c9e5f8757233e2fb340eb8cf31cdd6a7ce49537d2340121652126

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
902bc13c7b437a5ea7814a56c7083c7e

SHA1
61ec421d2c0d10c50fb3fdd0ebe040ea1eba07e8

SHA256
a2006295e0e65e89662634bb44b688b670ed4596ab419aab6f54bb40a0340e7b

SHA512
032c3fb9f425730aa3cdbc1e9d602cc1381b6da845e5308aea44124eaccb489f7911e86c211d4248539c1e9b1145451c5c8e2ac15c051191ae4515f913f5649a

Download Submit
C:\Windows\perfc.dat
Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
135KB

MD5
9f7b7798e77eae4228b3d34fe099d1b5

SHA1
1424e67056150088520f3f6f3d08e3fa66385bda

SHA256
99fd17de605675c80133108c2b70ae00bb12da3daab8cdcc9a766c049093b0ec

SHA512
d96dbb77904a70514a23797839506a6ad45b87ec2727c54661c26e7936a57089539ef799848c725d04322ecbfd6bf1b6c1c190c3c66e8a993349412b9b26f3e8

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
135KB

MD5
4acf999935fd6dbc14cc0e519cc4a543

SHA1
293e569ef4809e79137e2c50c53d3465e58dba57

SHA256
e57da2e6eab6dc61c7c55cbfa3097945c42c9f2d85fa1c46a0bb72db4c07fb3a

SHA512
57a17e7f9b6d09fb6f066aa1c05b3ba7e7ccc31da09f57497a329a4c71c4b4912a12852d674da048716bf8a66e0886c6c79d8773c1bada9ff5758497fd08c518

Download Submit
\??\pipe\crashpad_5088_JCUBIEZOZKAWMRLZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/432-225-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/700-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/700-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1388-252-0x0000000002540000-0x000000000259E000-memory.dmp

Filesize
376KB

Download
memory/1388-241-0x0000000002540000-0x000000000259E000-memory.dmp

Filesize
376KB

Download
memory/1388-239-0x0000000002540000-0x000000000259E000-memory.dmp

Filesize
376KB

Download
memory/1388-238-0x0000000002540000-0x000000000259E000-memory.dmp

Filesize
376KB

Download
memory/1388-230-0x0000000002540000-0x000000000259E000-memory.dmp

Filesize
376KB

Download
memory/1876-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-226-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/3608-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3608-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4540-53-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/4540-21-0x00007FFE06750000-0x00007FFE06752000-memory.dmp

Filesize
8KB

Download
memory/4540-20-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/5008-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads