Analysis Overview
SHA256
9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6
Threat Level: Known bad
The file 9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6 was found to be: Known bad.
Malicious Activity Summary
GCleaner
Socelars payload
Process spawned unexpected child process
Socelars
Executes dropped EXE
VMProtect packed file
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Enumerates system info in registry
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-24 06:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-24 06:34
Reported
2023-01-24 06:37
Platform
win10v2004-20221111-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
GCleaner
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe |
Socelars
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pb1109.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
| File opened for modification | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js | C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe | N/A |
Enumerates physical storage devices
Program crash
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6.exe
"C:\Users\Admin\AppData\Local\Temp\9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6.exe"
C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe"
C:\Users\Admin\AppData\Local\Temp\pb1109.exe
"C:\Users\Admin\AppData\Local\Temp\pb1109.exe"
C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe
"C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe" -h
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2888 -ip 2888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 888
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabaf54f50,0x7ffabaf54f60,0x7ffabaf54f70
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 924
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1712 /prefetch:2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4488 -ip 4488
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 932
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4488 -ip 4488
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1056
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4488 -ip 4488
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1448
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 668
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4612 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5600 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1572 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,11747147184576053363,12207577638821383457,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5488 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.icodeps.com | udp |
| N/A | 149.28.253.196:443 | www.icodeps.com | tcp |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.201.35:443 | www.facebook.com | tcp |
| N/A | 8.8.8.8:53 | xv.yxzgamen.com | udp |
| N/A | 188.114.96.0:443 | xv.yxzgamen.com | tcp |
| N/A | 8.8.8.8:53 | ocsp.trust-provider.cn | udp |
| N/A | 47.246.48.208:80 | ocsp.trust-provider.cn | tcp |
| N/A | 8.8.8.8:53 | iueg.aappatey.com | udp |
| N/A | 45.66.159.142:80 | iueg.aappatey.com | tcp |
| N/A | 8.8.8.8:53 | iplogger.org | udp |
| N/A | 148.251.234.83:443 | iplogger.org | tcp |
| N/A | 8.8.8.8:53 | siaoheg.aappatey.com | udp |
| N/A | 45.66.159.142:80 | siaoheg.aappatey.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 45.12.253.56:80 | 45.12.253.56 | tcp |
| N/A | 8.8.8.8:53 | ferramentasadicionais.s3.sa-east-1.amazonaws.com | udp |
| N/A | 8.8.8.8:53 | m.facebook.com | udp |
| N/A | 8.8.8.8:53 | accounts.google.com | udp |
| N/A | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 142.251.36.45:443 | accounts.google.com | tcp |
| N/A | 172.217.168.238:443 | clients2.google.com | tcp |
| N/A | 52.95.165.67:443 | ferramentasadicionais.s3.sa-east-1.amazonaws.com | tcp |
| N/A | 157.240.212.35:443 | m.facebook.com | tcp |
| N/A | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| N/A | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| N/A | 8.8.8.8:53 | secure.facebook.com | udp |
| N/A | 157.240.212.15:443 | secure.facebook.com | tcp |
| N/A | 8.8.8.8:53 | www.gooeg.com | udp |
| N/A | 8.8.8.8:53 | apis.google.com | udp |
| N/A | 188.114.96.0:80 | www.gooeg.com | tcp |
| N/A | 216.58.208.110:443 | apis.google.com | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | tcp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 216.58.208.99:443 | ssl.gstatic.com | tcp |
| N/A | 8.253.208.113:80 | tcp | |
| N/A | 8.253.208.113:80 | tcp | |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 142.250.179.163:443 | update.googleapis.com | tcp |
| N/A | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| N/A | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| N/A | 142.250.179.163:443 | udp | |
| N/A | 8.8.8.8:53 | dns.google | udp |
| N/A | 8.8.8.8:443 | dns.google | udp |
| N/A | 8.8.8.8:53 | www.listfcbt.top | udp |
| N/A | 216.58.214.3:443 | beacons.gcp.gvt2.com | tcp |
| N/A | 8.8.8.8:53 | www.typefdq.xyz | udp |
| N/A | 8.8.8.8:53 | www.rqckdpt.top | udp |
Files
memory/3536-132-0x0000000000200000-0x000000000077A000-memory.dmp
memory/1896-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cc.exe
| MD5 | b40d68dd8bc069c7c9bdcf30fd6c4e6d |
| SHA1 | 82c6c3c03619bfc68b6426b1102084f22ceb1667 |
| SHA256 | ee98f7f20da57050ef47be4200dbd3c507fcb516223877803ba7a75a652301ed |
| SHA512 | 16e7b1d768f0ab6a1d379583a9863995e80d049dda12973667d620ed6f8db52d843fe7c3498805507444acf8c7d2f64345205e64dc51af4e3e524b6324164591 |
memory/2568-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\pb1109.exe
| MD5 | c57530389e55709d3c47bdc5ed1818b9 |
| SHA1 | f9a52eda0609f627456f7d49859fc5e239a8bc2d |
| SHA256 | 55d48f81aa6e29e7ef2a380c5d1efd05fd71754a87a5af9138208f9eb96bf99c |
| SHA512 | f67d5ebbe9e37f856f4b2e8bfdf66476f55053147cb4140e78e3cdb8ff2916fda840c41a37a8c6899f8a7db5636f35ca6b115cc047a63a29d54d8b70b3086fda |
C:\Users\Admin\AppData\Local\Temp\pb1109.exe
| MD5 | c57530389e55709d3c47bdc5ed1818b9 |
| SHA1 | f9a52eda0609f627456f7d49859fc5e239a8bc2d |
| SHA256 | 55d48f81aa6e29e7ef2a380c5d1efd05fd71754a87a5af9138208f9eb96bf99c |
| SHA512 | f67d5ebbe9e37f856f4b2e8bfdf66476f55053147cb4140e78e3cdb8ff2916fda840c41a37a8c6899f8a7db5636f35ca6b115cc047a63a29d54d8b70b3086fda |
C:\Users\Admin\AppData\Local\Temp\cc.exe
| MD5 | b40d68dd8bc069c7c9bdcf30fd6c4e6d |
| SHA1 | 82c6c3c03619bfc68b6426b1102084f22ceb1667 |
| SHA256 | ee98f7f20da57050ef47be4200dbd3c507fcb516223877803ba7a75a652301ed |
| SHA512 | 16e7b1d768f0ab6a1d379583a9863995e80d049dda12973667d620ed6f8db52d843fe7c3498805507444acf8c7d2f64345205e64dc51af4e3e524b6324164591 |
memory/4660-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe
| MD5 | b76b5bc22398e69bb8a64736673c336d |
| SHA1 | acbda659f1ffc44aa2b7121dfd08517f16b4e889 |
| SHA256 | c6eb7205e47d8c232e18c7eeb5a34cae5ed9c2b0fa22129a2d612ddc7ea2d88f |
| SHA512 | a1f2bdea4aa8818286b758361547538d071258debe2817b6ada58caf3d362df614144bd05739f43b1b61b8d309847ab5ad7a8bd5129de1040b481d5d7e5b9e4c |
C:\Users\Admin\AppData\Local\Temp\handdiy_3.exe
| MD5 | b76b5bc22398e69bb8a64736673c336d |
| SHA1 | acbda659f1ffc44aa2b7121dfd08517f16b4e889 |
| SHA256 | c6eb7205e47d8c232e18c7eeb5a34cae5ed9c2b0fa22129a2d612ddc7ea2d88f |
| SHA512 | a1f2bdea4aa8818286b758361547538d071258debe2817b6ada58caf3d362df614144bd05739f43b1b61b8d309847ab5ad7a8bd5129de1040b481d5d7e5b9e4c |
memory/4488-143-0x0000000000000000-mapping.dmp
memory/2568-142-0x0000000140000000-0x0000000140616000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 924c4cffe8dae0f3e5ff1be0cfbcbe70 |
| SHA1 | 62430999b73929ea4fe4c690c065bde023fd8802 |
| SHA256 | 9f28da4bff089416d5ce9db630ec5af733925a7feb5bc1dfbccbe2525ce5ad4f |
| SHA512 | eb18513ab843b4cac27fc45735ff4cb9deaa0c90c837a7e057295a32be37831b59754e0caf528849876d412370e21eed20b35247037af0079403a6a5f8dc871a |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 924c4cffe8dae0f3e5ff1be0cfbcbe70 |
| SHA1 | 62430999b73929ea4fe4c690c065bde023fd8802 |
| SHA256 | 9f28da4bff089416d5ce9db630ec5af733925a7feb5bc1dfbccbe2525ce5ad4f |
| SHA512 | eb18513ab843b4cac27fc45735ff4cb9deaa0c90c837a7e057295a32be37831b59754e0caf528849876d412370e21eed20b35247037af0079403a6a5f8dc871a |
C:\Users\Admin\AppData\Local\Temp\cc.exe
| MD5 | b40d68dd8bc069c7c9bdcf30fd6c4e6d |
| SHA1 | 82c6c3c03619bfc68b6426b1102084f22ceb1667 |
| SHA256 | ee98f7f20da57050ef47be4200dbd3c507fcb516223877803ba7a75a652301ed |
| SHA512 | 16e7b1d768f0ab6a1d379583a9863995e80d049dda12973667d620ed6f8db52d843fe7c3498805507444acf8c7d2f64345205e64dc51af4e3e524b6324164591 |
memory/2880-149-0x0000000000000000-mapping.dmp
memory/3748-151-0x0000000000000000-mapping.dmp
memory/1564-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
memory/2888-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | 9ac15413299558174055dc5601e114c2 |
| SHA1 | 5f9507e6689fb18c1d9de33b550b412b18d6682f |
| SHA256 | 56e8a703e9cc3e3d46f72f387bd8e3bb40011715bde0cbbf12468deaea33e5d4 |
| SHA512 | fb30f39883db7071e014008c3d1c068ba89fee5c3d58efd4e72dd3e4d4f3172928f94d421f6ea17f4bf16521347a0ceac632e7733077c76128ae751175361e65 |
memory/4488-157-0x00000000004C7000-0x00000000004ED000-memory.dmp
memory/4488-158-0x00000000005A0000-0x00000000005E0000-memory.dmp
memory/4488-159-0x0000000000400000-0x0000000000468000-memory.dmp
\??\pipe\crashpad_4468_RDJVBFBYPYHCQLFA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 788aa159bfd9b5c396d6798ed1717d10 |
| SHA1 | 0583dc1dc3902022466a58005ea4c5918e612e03 |
| SHA256 | e8f0d94881281aea17a7ffbe7e17e48358fb325428bf7268252ab297728938de |
| SHA512 | 4498a7eff65b1e7f5d6b616f3cde60133498a26b96b7521b2505dd508c89b0b532b879b9f7d293f983da7fe3604be5792e942bf5237ca4a072419e462ffbf7d1 |
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
| MD5 | 05bfb082915ee2b59a7f32fa3cc79432 |
| SHA1 | c1acd799ae271bcdde50f30082d25af31c1208c3 |
| SHA256 | 04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1 |
| SHA512 | 6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3 |
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
| MD5 | 362695f3dd9c02c83039898198484188 |
| SHA1 | 85dcacc66a106feca7a94a42fc43e08c806a0322 |
| SHA256 | 40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca |
| SHA512 | a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f |
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
| MD5 | a09e13ee94d51c524b7e2a728c7d4039 |
| SHA1 | 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae |
| SHA256 | 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef |
| SHA512 | f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a |
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
| MD5 | e4f23ca32cacfb4de268eb194cc21143 |
| SHA1 | 8d747bec1f49e0de55efefe79765870ea5b1b27c |
| SHA256 | 1fa3f358c7877cd49011adc35d8ac163b3b7dfa5703ac840ae01777c379cb71c |
| SHA512 | ecc4c7da2b69b9badec1fb378ad1d8773142d2fa6377ff0ab2d825568a950205cfb48752c84479863eedf3f362b84aecc9bc6c542eb8fb26f136b8df364162ca |
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
| MD5 | 9ffe618d587a0685d80e9f8bb7d89d39 |
| SHA1 | 8e9cae42c911027aafae56f9b1a16eb8dd7a739c |
| SHA256 | a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e |
| SHA512 | a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12 |
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
| MD5 | a1f351babd23a71c434a51eb2a46a8ec |
| SHA1 | 8989fd69e099cfccf5f9d475b9a0411400dedf02 |
| SHA256 | 695d7f1496eb1166709ebba0982bacbd3ded5517ee50f8eca43d3163d9ba6b5d |
| SHA512 | 44f197da6a4e46f8c0316a747f3f8b27b135846d049d82618a27b9faad53db24535f4599dd8c221f9fc9a1301da66f2e7d96e45839f9da1142e19b60ea52b688 |
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
| MD5 | 23231681d1c6f85fa32e725d6d63b19b |
| SHA1 | f69315530b49ac743b0e012652a3a5efaed94f17 |
| SHA256 | 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a |
| SHA512 | 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2 |
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
| MD5 | 4ff108e4584780dce15d610c142c3e62 |
| SHA1 | 77e4519962e2f6a9fc93342137dbb31c33b76b04 |
| SHA256 | fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a |
| SHA512 | d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2 |
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
| MD5 | 0f26002ee3b4b4440e5949a969ea7503 |
| SHA1 | 31fc518828fe4894e8077ec5686dce7b1ed281d7 |
| SHA256 | 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d |
| SHA512 | 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11 |
memory/1200-171-0x0000000000000000-mapping.dmp
memory/4760-172-0x0000000000000000-mapping.dmp
memory/4488-173-0x00000000004C7000-0x00000000004ED000-memory.dmp
memory/4488-174-0x0000000000400000-0x0000000000468000-memory.dmp
memory/4488-175-0x00000000005A0000-0x00000000005E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |