Analysis Overview
Threat Level: Known bad
The file https://github.com/Sysk3y/Itsmegodhimself/blob/main/Arked%20V4.exe was found to be: Known bad.
Malicious Activity Summary
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
Downloads MZ/PE file
Looks for VMWare Tools registry key
Executes dropped EXE
Reads user/profile data of web browsers
Checks BIOS information in registry
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Looks up external IP address via web service
Program crash
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy WMI provider
Modifies Internet Explorer settings
Enumerates system info in registry
Modifies Internet Explorer Phishing Filter
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-21 10:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-21 10:13
Reported
2023-02-21 10:16
Platform
win7-20230220-en
Max time kernel
99s
Max time network
140s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Downloads MZ/PE file
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 903511a0e545d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc4589900000000020000000000106600000001000020000000689e2b6e96a7ac77b8897eeba6651c98acedaba87fe7279e375a000af7d6c313000000000e80000000020000200000002b19ab4c7de78641b86acbcd6c507afcb33a1c4b394961cd8da10e30c33d468620000000b3d37a289270974deecaf9d8472262c9703478c84008998bfe50d21c22f2ece240000000601c7be573005697e75c7ca5b81b189bfffd1c441818aeb374a37ee1e437e7a1006c63bf0a48883d4e102d2d5667ba6d547a4b8dbaac545650437f6d633c96b0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc4589900000000020000000000106600000001000020000000b77e94aca56824bfcd611cc0a7a7bce9827f4e7ff97add25237f991af12e2e54000000000e8000000002000020000000a63dcb45be82a1ffb6cee235ec1a6056fbf685073f7b7267611ab652d44a49549000000085567851182309fddbda7867ccd7dfa5e41595c75380375a4554e844590181b7df08149f8334a7c9f86ad8ffbc46f0726e7aa4a7119e71f01f33ee8a3a8f51269a8a7e5abd74a34407935ba29bda8a2b86e38e36f891bcc080548f0cb8a8bc0303da9e09e364f61c9ed62734a482bcde00b52c9678d3bb2887c50f4c9de4ef8e98bba6e67b728b44d363b2ac0f8f8d17400000002e056bba0852f6305b9ccd17a44c2e62357c1e4b59cdefbf14668c73724531214b43f6009007b76c6da570a1587886384a1fd8f0b6508861204fa9e1b0d9451d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383742992" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 905541a5e545d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C9A6AF71-B1D8-11ED-AAFE-C6F40EA7D53E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Sysk3y/Itsmegodhimself/blob/main/Arked%20V4.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 964 -s 1780
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| IN | 20.207.73.82:443 | github.com | tcp |
| IN | 20.207.73.82:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 104.109.143.91:80 | apps.identrust.com | tcp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1996-54-0x0000000002A30000-0x0000000002A40000-memory.dmp
memory/1624-55-0x0000000002AC0000-0x0000000002AC2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | 493001cbf4d76dc953b16865a46cc6b0 |
| SHA1 | 392151e4c647f3f79d93b314c1abdb6f98fb3600 |
| SHA256 | ca73847fc8e6cf3a19e64c4b3c85ba938365a5dc879accf1e1cc011e85aa447b |
| SHA512 | b29b9bf679411541361fa62ed14619ffa7b6a52ab4d1be0a4073e6ae5b15e621925a66ca305659aae1da135f4782244ff34a3cfcc18411a1ebc4647ad22a10f4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYXN1WWD\favicon[1].png
| MD5 | 346e09471362f2907510a31812129cd2 |
| SHA1 | 323b99430dd424604ae57a19a91f25376e209759 |
| SHA256 | 74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08 |
| SHA512 | a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jo5ozfo\imagestore.dat
| MD5 | d87f7697d16c501c3bda7c731f77e84d |
| SHA1 | 7d50684babba4bfddcf7361463882a2173cf5c0f |
| SHA256 | 5f404a34f8c4eb1db669d7c961faa75f273017c3ce4a8446ee428b29284c6f23 |
| SHA512 | 9f686099ee5f442426bea53bd1076194ee5b1762a2686ddcf44f610b2ed69ec1a3dd17b637436ec356e5bdf4f21a4cbafc7825c26d66bcdb136f9490bd46b126 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e2452abd909758a928f28d590365fcad |
| SHA1 | e92c86659158f9ed9f17f6bb591f3216d88d7b39 |
| SHA256 | c42e5a5e369fb70be621eb5ae788544e09ac82c6044211721e1d2d58887fa5b5 |
| SHA512 | e348e627c6a094ef35065c8c5cf9c5d3b5a318d7be01e5a3e88d49d08859be38c7b7a52bd2f5a2116bea52a58039ae5cca0d7f72187c611f68acc1d477052c61 |
C:\Users\Admin\AppData\Local\Temp\Cab4435.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\Local\Temp\Tar4436.tmp
| MD5 | 73b4b714b42fc9a6aaefd0ae59adb009 |
| SHA1 | efdaffd5b0ad21913d22001d91bf6c19ecb4ac41 |
| SHA256 | c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd |
| SHA512 | 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b0a43606f2fc545cb604564f95496b11 |
| SHA1 | 8d9b8b3db574c6842a19c482e95a45345fb82b1e |
| SHA256 | 40583abdeedad71104051afd19f0e5ae292e1b851d12ee9e29cdc37e1e41d72d |
| SHA512 | b4c47a3b351f0282aac86459527136027d2ad9f5d8ddb3bb2149a131b2dacba32ca015b341df2befbb1357f17eb1c1da3472ab578083f06bc6f6e7d6fef12a08 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c499e9da369d00109a63e3db7f6f9686 |
| SHA1 | 3e934d461edb3a7d166fb037830670df379db443 |
| SHA256 | 63f29036a0e4b97b502f6455231ff593d496aeab5210c43b85fbe679316a602d |
| SHA512 | 224e806874528ccc80ea94f94fde9ddd9b9bd5b38bede07f0f1251abe2cd172398e52f0d4dd6b7467217e6b5e7af522fca167b1bdbcacd0aa9a085ad66561063 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c1784e7b0b239aa5b46ea024b9ca67d |
| SHA1 | 12f3484ae6feb338b50acf47dcfba2bb77e14f11 |
| SHA256 | e61a6c54decb924b692c7ca97eed7b2609bb84587643c9d40aea23e3a87f1f6e |
| SHA512 | 2f556e8912b8f876027a4f0295da433d803b41fac9839142d6d4edf7a1826659de0f8ddffa89794b18e83635c094b43f4c4a0654f9a9de64a1d5e61193c4a765 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d1100ebc1326da8097a5bd4dd51c9269 |
| SHA1 | b010fda8e1cf2ea87742b1c491724243c1920f70 |
| SHA256 | 82d7daf74dd3c49188ef4813466e5819be8297da571a2550c08aea1d60b18c52 |
| SHA512 | e75d65de44789751efaa1444fa3fd66d9b2d4b725e91e97310da1de126e91a1aaf6963ab08bbf53a830fbe5f0deef43670a84756757dc1b4e215b2ab087748c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b53d4ad71ca32a00d254622e42c05934 |
| SHA1 | 2cd057178b4370edbbefd9aa473a85acb7cde0b1 |
| SHA256 | 4bbae27500e41bf3d98061d2ef2076bb3d3d277db264959b6acdf17df03e7c8d |
| SHA512 | df08666e49f270c54e7f5e456455691ec6eb5955eb5508e31efd685dfb3dc7cf7cd2be8643a5f093dc605fee25c072a10786b44d8498336d213ae547e5fde5cb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24b7f79722a6fe867d3a48ba8e37e073 |
| SHA1 | 94761bca69a2b633683ebe62199dd9c1291c7564 |
| SHA256 | 87f0423c3bf5d72ae19a96fcf75ae22f2c8359c338c64aa3fe091e54a40d3ba0 |
| SHA512 | 3a2265f643ef042f5dd133c1060cc20a518011ddfc80d00aa52c3f2f72160e6b41abe61d242e2adb89ffcc1cd0261faa72ed88fefb3e29e49897e6d8e1fcb76b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0d24f798115f1e5db7fd973a9f4a35ca |
| SHA1 | 576e8387444fad75673cee9251fbd56b2349d1ef |
| SHA256 | 977c514f81c8f41cd01796ff7e12d05f210accbd328da0339751af240596563a |
| SHA512 | 0d09cf33e4849b7ad06722fb62a5b2fda79917b07395100a32458eed02669aebae7e20a2c511dd1964dfea316270ccc9b8c8033c971e74e1993cbb43725855ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 29442c6fe54441ea008f67c2c50ccfa5 |
| SHA1 | 3d9feed50f513f6eda0009a320a0fb67a8170f81 |
| SHA256 | 5a8f5f6a4babcf9c82a09bcfc60f27bb6b605aa82dc5b9b2fad1790dc6c27d37 |
| SHA512 | 77233799fa066da6b30732a16ab1f4e840b1041255e890f5d9b1dbd3e11e1992392566130c0b43fab7ca40227daa7a1c8190c5a6313486ca22ead03a583f00ae |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BA5D7P93\Arked%20V4[1].exe
| MD5 | 7159961354638dacfda4a5838fceefb7 |
| SHA1 | a2f1237c7111c25c768e90318c10f5d38e6bed7c |
| SHA256 | 24197b92b6392237ffc435ef1ec2250f71616df258d7b265f9b82f87f836696d |
| SHA512 | 9769bc113c2ca00b14db49d0594270044ba10810a27cc3a63afd5853e244b74614aa68cf37522bc06fd430aa43358dd11e7db451d2894b2c41cf337361e19b1f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe.vm1nr4c.partial
| MD5 | 7159961354638dacfda4a5838fceefb7 |
| SHA1 | a2f1237c7111c25c768e90318c10f5d38e6bed7c |
| SHA256 | 24197b92b6392237ffc435ef1ec2250f71616df258d7b265f9b82f87f836696d |
| SHA512 | 9769bc113c2ca00b14db49d0594270044ba10810a27cc3a63afd5853e244b74614aa68cf37522bc06fd430aa43358dd11e7db451d2894b2c41cf337361e19b1f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\Arked V4.exe
| MD5 | 7159961354638dacfda4a5838fceefb7 |
| SHA1 | a2f1237c7111c25c768e90318c10f5d38e6bed7c |
| SHA256 | 24197b92b6392237ffc435ef1ec2250f71616df258d7b265f9b82f87f836696d |
| SHA512 | 9769bc113c2ca00b14db49d0594270044ba10810a27cc3a63afd5853e244b74614aa68cf37522bc06fd430aa43358dd11e7db451d2894b2c41cf337361e19b1f |
memory/964-708-0x0000000000280000-0x0000000000292000-memory.dmp
memory/964-709-0x000000001AF40000-0x000000001AFC0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5ecf12e0131aac48fa880f272353374 |
| SHA1 | 8c93b4bb6d625d28ff83d0b197494dbaf3326660 |
| SHA256 | 32e208d0168b3d1aae149b993c53d9146521240783fd3c16c3115a3f0131a2c4 |
| SHA512 | 0a93b30ac69deafe5ec0231a39bf7e749ecfd4813e2a3c0a288ebc3a6c01b7e075979a29d1b4380dafeb6e59bb63c21c7073b01891307017fbea204e3a939212 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d4e5e5776b3337e4ba7a31beff35bd0a |
| SHA1 | 9c7fc2b9fc6d1ac639f13910ab6dca67d2503795 |
| SHA256 | a5929396748cdca6eda10d430e16bc37cc56d307ec7411b51a864d8c36480393 |
| SHA512 | f86c593d9a22e2dafc5d6ff9d49eea76a232a0c106673c3d5896d96a34cfb71d35bf9d862a40eca315ef932c73c358ab580785ff5d805d064091126365d792d9 |
memory/964-790-0x000000001AF40000-0x000000001AFC0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 983caee9c72718daf3057d046508feec |
| SHA1 | b43d10269764fafffc45bcafec292f8231ffdaf3 |
| SHA256 | 8077409dc72c07a9fd5ff0c03f74327245373d98a941dc74922ca578f6c9034e |
| SHA512 | 48c335384601dd1b16089084fb0d5bf6b071d9eef93056cbf163c6cef02b6c7420cae87fc421b790d2568068366eb4ef4ce08d6a5bb3b149b3d691bc2fbfa12e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M7WRYJB3.txt
| MD5 | aac11ff35557a0b58db10059a028d98e |
| SHA1 | 537a60ba1c0d0ba6b1afed404fbff81d07769ea2 |
| SHA256 | 9109008cdbbdb44b1d1200c67e628c666d2a2dfca7a041ee43e5a509a79ab0ec |
| SHA512 | 36075fefd345c2794aa728055b604ca317aa475d149cebc0b0b2b80234a50491af64ed17a8cf2d3376e27a497e16cd2da024f82a140baf43dc35bd75fe45530f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BA5D7P93\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-21 10:13
Reported
2023-02-21 10:16
Platform
win10v2004-20230220-en
Max time kernel
100s
Max time network
116s
Command Line
Signatures
Mercurial Grabber Stealer
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
Downloads MZ/PE file
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 402aab7ba945d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1038551109" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1038551109" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000bb103193c507b543a37638710463de37e229ba82ef71658bbc976f497ce318b1000000000e8000000002000020000000e59f1def381eb23eddb0a710a08fdd12658fb512289160b9729aedef3d47d7992000000041f3b8cfc5424148dd01d1a1226fac10cac6bd92881e081b3e3b5400075708f640000000a960d0f99ebb8a12a5a5947c4baf903e6b63c193d282518c8b0c584db887449a074293557ddd7e252e65f053339f4c01caece1d15cbea0ff3b1d4795ba3b5b0d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1049490079" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0bea840dd45d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\RepId | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f69740dd45d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000480bfdcaa25a551bfd038f0d68146bf6a47637fefb411603578b0c36d08b8872000000000e80000000020000200000002c8337ebe94db518bd5c142c12d633087575be176ce007805e42cbf92b8044c220000000d9f54b7e102e1496490bea54c761f03ba43424b959ed1343dd3232406521516e400000008114315a77e345d89569db185e7e3441fcb5c771992fbf03a839fa2897b3f9c5da8a60d2a89a42429eacf191c87dee89379bcd9b248082976045e73dbf2006e7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31016413" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383739394" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{68D69544-B1D0-11ED-8FFF-6E21A4042E2D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31016413" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31016413" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{35CA121D-3994-4405-A2C5-C80020A11708}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3152 wrote to memory of 5060 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3152 wrote to memory of 5060 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3152 wrote to memory of 5060 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3152 wrote to memory of 3876 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe |
| PID 3152 wrote to memory of 3876 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Sysk3y/Itsmegodhimself/blob/main/Arked%20V4.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3152 CREDAT:17410 /prefetch:2
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3876 -ip 3876
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3876 -s 2092
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| IN | 20.207.73.82:443 | github.com | tcp |
| IN | 20.207.73.82:443 | github.com | tcp |
| US | 8.8.8.8:53 | 82.73.207.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.232.18.117.in-addr.arpa | udp |
| US | 20.189.173.5:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| NL | 8.238.177.126:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 141.64.128.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 11.175.53.84.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\favicon[1].png
| MD5 | 346e09471362f2907510a31812129cd2 |
| SHA1 | 323b99430dd424604ae57a19a91f25376e209759 |
| SHA256 | 74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08 |
| SHA512 | a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\phzg4yt\imagestore.dat
| MD5 | 74aba052aef6feda8353212ad3ed941a |
| SHA1 | 0c0859e35475d5c51d9ab136d37f4301a6e3c5e5 |
| SHA256 | bb10e9250905d29b789ba3c99d644d12bb445e522737340a4be3a680f4877d20 |
| SHA512 | 8517a22c9abde6fa8f76f54306d092f695b8fabeb01db3765a8e60b25c9b1aa1b43e174c095d824de9f6059993f546b2aa366080efcf799f2d5027621cafc7b3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\Arked%20V4[1].exe
| MD5 | 7159961354638dacfda4a5838fceefb7 |
| SHA1 | a2f1237c7111c25c768e90318c10f5d38e6bed7c |
| SHA256 | 24197b92b6392237ffc435ef1ec2250f71616df258d7b265f9b82f87f836696d |
| SHA512 | 9769bc113c2ca00b14db49d0594270044ba10810a27cc3a63afd5853e244b74614aa68cf37522bc06fd430aa43358dd11e7db451d2894b2c41cf337361e19b1f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe.xwcul63.partial
| MD5 | 7159961354638dacfda4a5838fceefb7 |
| SHA1 | a2f1237c7111c25c768e90318c10f5d38e6bed7c |
| SHA256 | 24197b92b6392237ffc435ef1ec2250f71616df258d7b265f9b82f87f836696d |
| SHA512 | 9769bc113c2ca00b14db49d0594270044ba10810a27cc3a63afd5853e244b74614aa68cf37522bc06fd430aa43358dd11e7db451d2894b2c41cf337361e19b1f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\Arked V4.exe
| MD5 | 7159961354638dacfda4a5838fceefb7 |
| SHA1 | a2f1237c7111c25c768e90318c10f5d38e6bed7c |
| SHA256 | 24197b92b6392237ffc435ef1ec2250f71616df258d7b265f9b82f87f836696d |
| SHA512 | 9769bc113c2ca00b14db49d0594270044ba10810a27cc3a63afd5853e244b74614aa68cf37522bc06fd430aa43358dd11e7db451d2894b2c41cf337361e19b1f |
memory/3876-308-0x0000000000D80000-0x0000000000D92000-memory.dmp
memory/3876-309-0x000000001D120000-0x000000001D130000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |