Analysis Overview
SHA256
7e85e9eea33b5c3576d801f9206cba0132f81e569c31e0f76f0ba9229b50b083
Threat Level: Known bad
The file 0b174fea183b59e9fd82bbbf4d6ca51a was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
NullMixer
Vidar
Nirsoft
Vidar Stealer
Obfuscated with Agile.Net obfuscator
UPX packed file
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Looks up external IP address via web service
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 02:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 02:06
Reported
2023-12-30 15:31
Platform
win7-20231215-en
Max time kernel
0s
Max time network
147s
Command Line
Signatures
NullMixer
SmokeLoader
Vidar
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe
"C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_3.exe
metina_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_7.exe
metina_7.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe
C:\Users\Admin\AppData\Local\Temp\is-FLGI5.tmp\metina_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FLGI5.tmp\metina_5.tmp" /SL5="$2019C,189670,105984,C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_5.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 408
C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_4.exe
metina_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_5.exe
metina_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_1.exe
metina_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_2.exe
metina_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\metina_6.exe
metina_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_1.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\system32\taskeng.exe
taskeng.exe {5C9CF218-CB7E-490E-A85A-35DCE85C43CC} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\sjtitag
C:\Users\Admin\AppData\Roaming\sjtitag
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe"
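The process list above can be triaged mechanically. The Python below is an added example written for this page, not the sandbox's own signature logic: it runs a handful of heuristics over image-path and command-line pairs copied from the behavioral1 list (mixed-case system binary names, rundll32 pointed at a DLL under %TEMP%, execution out of the 7zS<hex> SFX staging directory, the cookies.txt export switch, and an extensionless binary in Roaming). The rule names and the set of system binaries whose casing is checked are this example's own choices.

```python
"""Flag suspicious entries in a sandbox process list (image path + command line).

Added example for this report; it is not part of the sandbox's own signature
logic. SAMPLE is copied from the behavioral1 Processes list; the rule names and
CASE_SENSITIVE_LOLBINS are this example's choices.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Proc(NamedTuple):
    image: str      # full image path as reported
    cmdline: str    # command line as reported


# Constructed from the behavioral1 Processes list above (one benign svchost
# entry kept as a negative control).
SAMPLE = [
    Proc(r"C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe"'),
    Proc(r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c metina_3.exe"),
    Proc(r"C:\Windows\SysWOW64\rUNdlL32.eXe",
         r'"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init'),
    Proc(r"C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe",
         r"C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt"),
    Proc(r"C:\Users\Admin\AppData\Roaming\sjtitag",
         r"C:\Users\Admin\AppData\Roaming\sjtitag"),
    Proc(r"C:\Windows\system32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k SystemNetworkService"),
]

# System binaries whose casing is worth checking (this example's set; extend as needed).
CASE_SENSITIVE_LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SFX_DIR_RE = re.compile(r"\\Temp\\7zS[0-9A-F]+\\", re.IGNORECASE)   # 7-Zip SFX extraction dir
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def flags_for(p: Proc) -> list[str]:
    """Return the heuristic names that fire for one process entry."""
    flags = []
    name = p.image.rsplit("\\", 1)[-1]
    lname = name.lower()

    # NTFS paths are case-insensitive, so odd casing costs the attacker nothing
    # and defeats naive exact-string matches on "rundll32.exe".
    if lname in CASE_SENSITIVE_LOLBINS and name not in (lname, lname.upper(), lname.capitalize()):
        flags.append("mixed-case-system-binary")

    # rundll32 handed a DLL that lives under a user-writable temp directory.
    if lname == "rundll32.exe" and TEMP_RE.search(p.cmdline):
        flags.append("rundll32-loads-temp-dll")

    # Anything executing out of the 7zS<hex> SFX staging directory.
    if SFX_DIR_RE.search(p.image):
        flags.append("runs-from-sfx-staging-dir")

    # cookies.txt export switch; the report tags this binary as Nirsoft.
    if "/scookiestxt" in p.cmdline.lower():
        flags.append("cookie-export-switch")

    # Extensionless binary in Roaming, the persistence-copy pattern seen in this
    # report (sjtitag in behavioral1, urvwhgw in behavioral2).
    if ROAMING_RE.search(p.image) and "." not in name:
        flags.append("extensionless-roaming-binary")
    return flags


def triage(procs: list[Proc]) -> dict[str, list[str]]:
    """Map each flagged image path to its flags; unflagged processes are dropped."""
    result = {}
    for p in procs:
        f = flags_for(p)
        if f:
            result[p.image] = f
    return result


if __name__ == "__main__":
    for image, flags in triage(SAMPLE).items():
        print(f"{image}: {', '.join(flags)}")
```

Run against the six sample entries, the rundll32 line fires twice (casing plus a DLL in %TEMP%), setup_install.exe is flagged for its staging directory, jfiag3g_gg.exe for the cookie export switch, and sjtitag for being an extensionless binary in Roaming; cmd.exe and svchost.exe produce nothing.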
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | razino.xyz | udp |
| US | 8.8.8.8:53 | email.yg9.me | udp |
| US | 8.8.8.8:53 | cor-tips.com | udp |
| US | 8.8.8.8:53 | bandakere.tumblr.com | udp |
| US | 74.114.154.22:443 | bandakere.tumblr.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 195.133.40.148:80 | 195.133.40.148 | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| DE | 159.69.20.131:80 | 159.69.20.131 | tcp |
| US | 8.8.8.8:53 | dinger-bauunternehmen.de | udp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| US | 8.8.8.8:53 | uehge4g6gh.2ihsfa.com | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | ppcspb.com | udp |
| US | 8.8.8.8:53 | mebbing.com | udp |
| US | 8.8.8.8:53 | twcamel.com | udp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| US | 8.8.8.8:53 | howdycash.com | udp |
| CA | 23.227.38.32:80 | howdycash.com | tcp |
| US | 8.8.8.8:53 | lahuertasonora.com | udp |
| US | 8.8.8.8:53 | kpotiques.com | udp |
| US | 104.253.227.240:80 | kpotiques.com | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| US | 8.8.8.8:53 | pupdatastar.tech | udp |
| N/A | 127.0.0.1:49263 | | tcp |
| N/A | 127.0.0.1:49265 | | tcp |
| DE | 159.69.20.131:80 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zS8577FE96\setup_install.exe
| MD5 | af41d6d43df35d8c831695e584169a71 |
| SHA1 | bb8d6f081e93d2860ce62fabefbe9cdf80ebf06e |
| SHA256 | cbab323219211a8bb57f5b0ee9bdd97b45724c61da8b842f02174ed87f908141 |
| SHA512 | 5fce8bb65d14ca38178ac1cf9ba7d012a2e64b7af9ae3c6cf31b6cf7be44708474b9381da50cb9c9eea9a4b0429eb4b2e280afba0424b6f5ef0a26379221af9a |
memory/680-42-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/680-58-0x0000000064940000-0x0000000064959000-memory.dmp
memory/680-67-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/680-74-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2800-123-0x00000000003A0000-0x00000000003A8000-memory.dmp
memory/1728-140-0x0000000000260000-0x000000000036E000-memory.dmp
memory/2540-108-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1728-164-0x00000000710F0000-0x0000000071170000-memory.dmp
memory/880-165-0x0000000000520000-0x000000000056B000-memory.dmp
memory/880-166-0x0000000000DD0000-0x0000000000E41000-memory.dmp
memory/880-168-0x0000000000520000-0x000000000056B000-memory.dmp
memory/2832-169-0x0000000000060000-0x00000000000AB000-memory.dmp
memory/2576-172-0x0000000002620000-0x0000000002721000-memory.dmp
memory/2576-175-0x0000000001F80000-0x0000000001FDC000-memory.dmp
memory/2832-171-0x00000000004F0000-0x0000000000561000-memory.dmp
memory/1728-176-0x0000000000750000-0x0000000000776000-memory.dmp
memory/2552-187-0x0000000000270000-0x0000000000279000-memory.dmp
memory/2552-186-0x0000000000CD0000-0x0000000000DD0000-memory.dmp
memory/2552-188-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/1576-191-0x0000000000400000-0x0000000000C68000-memory.dmp
memory/2540-190-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2832-185-0x00000000004F0000-0x0000000000561000-memory.dmp
memory/1576-184-0x0000000000350000-0x00000000003E7000-memory.dmp
memory/1576-183-0x0000000000D80000-0x0000000000E80000-memory.dmp
memory/880-181-0x0000000000DD0000-0x0000000000E41000-memory.dmp
memory/880-180-0x0000000000520000-0x000000000056B000-memory.dmp
memory/2800-179-0x000000001AE80000-0x000000001AF00000-memory.dmp
memory/2800-178-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp
memory/680-75-0x0000000000400000-0x000000000051D000-memory.dmp
memory/680-73-0x0000000000400000-0x000000000051D000-memory.dmp
memory/680-72-0x0000000000400000-0x000000000051D000-memory.dmp
memory/680-71-0x0000000000400000-0x000000000051D000-memory.dmp
memory/680-69-0x0000000000400000-0x000000000051D000-memory.dmp
memory/680-68-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2632-197-0x0000000002640000-0x000000000269B000-memory.dmp
memory/2632-201-0x0000000002640000-0x000000000269B000-memory.dmp
memory/1780-200-0x0000000000240000-0x000000000029B000-memory.dmp
memory/1780-199-0x0000000000400000-0x000000000045B000-memory.dmp
memory/680-66-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/680-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/680-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/680-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/680-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/680-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/680-60-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/680-57-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/680-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/680-55-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8577FE96\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/680-49-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8577FE96\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
\Users\Admin\AppData\Local\Temp\7zS8577FE96\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
\Users\Admin\AppData\Local\Temp\7zS8577FE96\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zS8577FE96\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/1880-38-0x0000000003450000-0x000000000356D000-memory.dmp
memory/1880-30-0x0000000003450000-0x000000000356D000-memory.dmp
memory/2552-210-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/1220-209-0x00000000024F0000-0x0000000002506000-memory.dmp
memory/680-314-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1576-316-0x0000000000400000-0x0000000000C68000-memory.dmp
memory/680-313-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1912-319-0x0000000000400000-0x00000000004C9000-memory.dmp
memory/680-312-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/680-311-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/680-310-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/680-309-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2540-320-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2800-457-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp
memory/1576-467-0x0000000000D80000-0x0000000000E80000-memory.dmp
memory/880-466-0x0000000000520000-0x000000000056B000-memory.dmp
memory/2800-465-0x000000001AE80000-0x000000001AF00000-memory.dmp
memory/2632-475-0x0000000002640000-0x000000000269B000-memory.dmp
memory/2632-476-0x0000000002640000-0x000000000269B000-memory.dmp
memory/3008-509-0x0000000000290000-0x0000000000390000-memory.dmp
memory/3008-511-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/3008-523-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/1728-560-0x00000000058A0000-0x000000000591A000-memory.dmp
memory/2520-575-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1728-561-0x0000000000CA0000-0x0000000000CD8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 02:06
Reported
2023-12-30 15:30
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
146s
Command Line
Signatures
NullMixer
SmokeLoader
Vidar
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_3.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\urvwhgw |
Processes
C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe
"C:\Users\Admin\AppData\Local\Temp\0b174fea183b59e9fd82bbbf4d6ca51a.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_2.exe
C:\Users\Admin\AppData\Local\Temp\is-JT5M1.tmp\metina_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JT5M1.tmp\metina_5.tmp" /SL5="$8005E,189670,105984,C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_5.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 976 -ip 976
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4016 -ip 4016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 600
C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_3.exe
metina_3.exe
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_5.exe
metina_5.exe
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_7.exe
metina_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_6.exe
metina_6.exe
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_2.exe
metina_2.exe
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_4.exe
metina_4.exe
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\metina_1.exe
metina_1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c metina_1.exe
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3816 -ip 3816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1040
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SVHOST.exe"
C:\Users\Admin\AppData\Roaming\urvwhgw
C:\Users\Admin\AppData\Roaming\urvwhgw
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3172 -ip 3172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 408
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | razino.xyz | udp |
| NL | 195.133.40.148:80 | 195.133.40.148 | tcp |
| US | 8.8.8.8:53 | cor-tips.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 148.40.133.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | bandakere.tumblr.com | udp |
| US | 74.114.154.18:443 | bandakere.tumblr.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| IE | 163.70.147.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.147.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uehge4g6gh.2ihsfa.com | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 74.114.154.18:443 | bandakere.tumblr.com | tcp |
| US | 74.114.154.18:443 | bandakere.tumblr.com | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ppcspb.com | udp |
| US | 8.8.8.8:53 | mebbing.com | udp |
| US | 8.8.8.8:53 | twcamel.com | udp |
| US | 8.8.8.8:53 | howdycash.com | udp |
| CA | 23.227.38.32:80 | howdycash.com | tcp |
| US | 8.8.8.8:53 | lahuertasonora.com | udp |
| US | 8.8.8.8:53 | kpotiques.com | udp |
| US | 104.253.227.240:80 | kpotiques.com | tcp |
| US | 8.8.8.8:53 | 32.38.227.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.227.253.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | pupdatastar.tech | udp |
| US | 8.8.8.8:53 | pupdatastar.tech | udp |
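The Network tables mix DNS queries, PTR lookups the operating system makes on its own, loopback connections and the actual outbound sessions. The Python below is an added example (not the sandbox's code) that parses rows copied from the two Network tables above and separates them into domains queried but never contacted, reverse lookups, per-endpoint connection counts, direct-to-IP HTTP, and external-IP-check services. The IP_CHECK_SERVICES set is this example's own list, seeded with the one service the report shows.

```python
"""Summarize a sandbox Network table: what was queried, what was actually
contacted, and which rows are noise.

Added example, not the sandbox's own logic. ROWS is constructed from rows in the
behavioral1 and behavioral2 Network tables above (one loopback row and one
reverse-DNS row included on purpose). IP_CHECK_SERVICES is this example's list.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | razino.xyz | udp |
| NL | 195.133.40.148:80 | 195.133.40.148 | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 148.40.133.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bandakere.tumblr.com | udp |
| US | 74.114.154.18:443 | bandakere.tumblr.com | tcp |
| US | 74.114.154.18:443 | bandakere.tumblr.com | tcp |
| N/A | 127.0.0.1:49263 | | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
| DE | 159.69.20.131:443 | dinger-bauunternehmen.de | tcp |
"""

# Public "what is my IP" services; seeded with the one the report shows.
IP_CHECK_SERVICES = {"ip-api.com"}


def parse_rows(text: str) -> list[dict]:
    """Turn pipe-table rows into dicts; skips the header and malformed lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue   # header row or damaged destination cell
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows: list[dict]) -> dict:
    """Split rows into queried-only domains, PTR noise, sessions and notable traits."""
    queried, reverse_lookups = set(), []
    connections = Counter()          # (ip, port, domain) -> hit count
    direct_to_ip, ip_check = set(), set()

    for r in rows:
        if ipaddress.ip_address(r["ip"]).is_loopback:
            continue   # sandbox-internal traffic, never an indicator
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"].endswith(".in-addr.arpa"):
                reverse_lookups.append(r["domain"])   # PTR lookups the OS makes; keep separate
            else:
                queried.add(r["domain"])
            continue
        key = (r["ip"], r["port"], r["domain"])
        connections[key] += 1
        if r["domain"] == r["ip"]:
            direct_to_ip.add(key)        # no DNS at all: the binary carried the IP
        if r["domain"] in IP_CHECK_SERVICES:
            ip_check.add(r["domain"])

    contacted = {domain for _, _, domain in connections}
    return {
        "queried_never_connected": sorted(queried - contacted),
        "reverse_lookups": reverse_lookups,
        "connections": connections,
        "direct_to_ip": direct_to_ip,
        "external_ip_services": ip_check,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(ROWS)).items():
        print(f"{key}: {value}")
```

Domains that are resolved but never contacted (razino.xyz in the sample) are usually dead or sinkholed and still belong on a blocklist; a Domain column equal to the destination IP (195.133.40.148:80) means the address was embedded in the binary rather than looked up. The tumblr profile is left among the contacted hosts rather than filtered as benign, since stealers commonly fetch their real C2 address from a profile page on a legitimate service.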
Files
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe
| MD5 | af41d6d43df35d8c831695e584169a71 |
| SHA1 | bb8d6f081e93d2860ce62fabefbe9cdf80ebf06e |
| SHA256 | cbab323219211a8bb57f5b0ee9bdd97b45724c61da8b842f02174ed87f908141 |
| SHA512 | 5fce8bb65d14ca38178ac1cf9ba7d012a2e64b7af9ae3c6cf31b6cf7be44708474b9381da50cb9c9eea9a4b0429eb4b2e280afba0424b6f5ef0a26379221af9a |
memory/976-32-0x0000000000400000-0x000000000051D000-memory.dmp
memory/976-47-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/976-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/976-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/976-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2840-81-0x0000000000360000-0x0000000000368000-memory.dmp
memory/2840-95-0x0000000000B20000-0x0000000000B30000-memory.dmp
memory/4936-100-0x0000000073690000-0x0000000073E40000-memory.dmp
memory/4936-102-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/4936-114-0x0000000004E70000-0x00000000051C4000-memory.dmp
memory/4936-122-0x0000000005AF0000-0x0000000005B8C000-memory.dmp
memory/4936-130-0x0000000005280000-0x000000000528A000-memory.dmp
memory/4936-134-0x0000000005DA0000-0x0000000005DC6000-memory.dmp
memory/760-142-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4320-131-0x0000000000400000-0x00000000004C9000-memory.dmp
memory/4936-121-0x0000000072110000-0x0000000072199000-memory.dmp
memory/4936-113-0x0000000004DD0000-0x0000000004E62000-memory.dmp
memory/976-145-0x0000000000400000-0x000000000051D000-memory.dmp
memory/976-146-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2952-154-0x0000000000400000-0x000000000045B000-memory.dmp
memory/976-159-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/976-155-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/976-150-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2840-163-0x00007FFC51190000-0x00007FFC51C51000-memory.dmp
memory/976-147-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3816-164-0x0000000000D20000-0x0000000000E20000-memory.dmp
memory/1272-167-0x0000000002900000-0x0000000002997000-memory.dmp
memory/1272-166-0x0000000000E10000-0x0000000000F10000-memory.dmp
memory/3816-165-0x0000000000C90000-0x0000000000C99000-memory.dmp
memory/4936-112-0x00000000052A0000-0x0000000005844000-memory.dmp
memory/4320-111-0x0000000000650000-0x0000000000651000-memory.dmp
memory/4936-101-0x00000000003C0000-0x00000000004CE000-memory.dmp
memory/2840-90-0x00007FFC51190000-0x00007FFC51C51000-memory.dmp
memory/760-80-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1272-173-0x0000000000400000-0x0000000000C68000-memory.dmp
memory/3816-172-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/976-64-0x0000000000400000-0x000000000051D000-memory.dmp
memory/976-63-0x0000000000400000-0x000000000051D000-memory.dmp
memory/976-62-0x0000000000400000-0x000000000051D000-memory.dmp
memory/976-61-0x0000000000400000-0x000000000051D000-memory.dmp
memory/976-60-0x0000000000400000-0x000000000051D000-memory.dmp
memory/976-59-0x0000000000400000-0x000000000051D000-memory.dmp
memory/976-57-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/976-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/976-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/976-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/976-52-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/976-51-0x0000000064940000-0x0000000064959000-memory.dmp
memory/976-50-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/976-48-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/976-46-0x0000000000760000-0x00000000007EF000-memory.dmp
memory/976-40-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\libwinpthread-1.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
These four values are the MD5, SHA-1, SHA-256 and SHA-512 digests of a zero-byte input: the file was empty when the sandbox hashed it, so this entry is not usable as a file indicator (compare the populated libwinpthread-1.dll in behavioral1).
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe
| MD5 | 66e4d85d4ca9857cf96683f0a03956a1 |
| SHA1 | 658d0f967a411314dc5e0f8d8da583c611eca53c |
| SHA256 | f58ea6ce680f31fb59c3b69588e6be86a400e6963782a8466cb62b92e5304d73 |
| SHA512 | c20f28cc43720694338fba1f12e2a68ac80ad669b960b337c502a9c4765c184a466a2da474e0181da081c97ea54f9c3aea59cdb66bbe0d6e7d455be62ce5835e |
Same path as the setup_install.exe entry earlier in this section but a different digest set, so two different file contents were captured at this path during the run; both SHA-256 values should be treated as indicators.
memory/3180-184-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3180-178-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3428-185-0x00000000029F0000-0x0000000002A06000-memory.dmp
memory/3816-189-0x0000000000C90000-0x0000000000C99000-memory.dmp
memory/3816-188-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/4936-192-0x0000000073690000-0x0000000073E40000-memory.dmp
memory/1272-191-0x0000000000400000-0x0000000000C68000-memory.dmp
memory/1272-203-0x0000000002900000-0x0000000002997000-memory.dmp
memory/4936-207-0x0000000006340000-0x00000000063BA000-memory.dmp
memory/4936-208-0x0000000008B40000-0x0000000008B78000-memory.dmp
memory/2680-218-0x0000000005380000-0x00000000053BC000-memory.dmp
memory/2680-219-0x00000000053C0000-0x000000000540C000-memory.dmp
memory/2680-217-0x0000000005320000-0x0000000005332000-memory.dmp
memory/2680-220-0x0000000005610000-0x000000000571A000-memory.dmp
memory/2680-216-0x00000000052B0000-0x00000000052C0000-memory.dmp
memory/2680-215-0x0000000073690000-0x0000000073E40000-memory.dmp
memory/2680-214-0x00000000058E0000-0x0000000005EF8000-memory.dmp
memory/4936-213-0x0000000073690000-0x0000000073E40000-memory.dmp
memory/2680-209-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3172-229-0x0000000000E60000-0x0000000000F60000-memory.dmp
memory/3172-230-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/2680-231-0x0000000073690000-0x0000000073E40000-memory.dmp
memory/3428-232-0x0000000002A30000-0x0000000002A46000-memory.dmp
memory/3172-235-0x0000000000400000-0x0000000000C0F000-memory.dmp
memory/2680-236-0x00000000052B0000-0x00000000052C0000-memory.dmp
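Two things in the Files sections deserve an automatic check rather than an eyeball pass: libwinpthread-1.dll in behavioral2 carries the digests of a zero-byte file, and setup_install.exe appears twice under the same path with different hashes. The Python below is an added example (not report tooling) that parses digest tables copied from the behavioral2 Files section, computes the empty-input digests instead of hard-coding them, validates digest lengths, and flags same-path entries whose SHA-256 values differ.

```python
"""Sanity-check the dropped-file digest tables in a sandbox report.

Added example, not part of the report. FILES_TEXT is constructed from three
entries in the behavioral2 Files section above (a memory-dump line is kept to
show that it is skipped). The checks themselves are this example's own.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict

# Digests of a zero-byte input, computed rather than pasted so they cannot be mistyped.
EMPTY = {alg: hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe
| MD5 | af41d6d43df35d8c831695e584169a71 |
| SHA256 | cbab323219211a8bb57f5b0ee9bdd97b45724c61da8b842f02174ed87f908141 |
memory/976-32-0x0000000000400000-0x000000000051D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\libwinpthread-1.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\7zS44C6D907\setup_install.exe
| MD5 | 66e4d85d4ca9857cf96683f0a03956a1 |
| SHA256 | f58ea6ce680f31fb59c3b69588e6be86a400e6963782a8466cb62b92e5304d73 |
"""


def parse_files(text: str) -> list[tuple[str, dict[str, str]]]:
    """Return (path, {alg: hex}) pairs; memory/ dump lines are ignored."""
    entries: list[tuple[str, dict[str, str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 2 and entries:
                entries[-1][1][cells[0].lower()] = cells[1].lower()
            continue
        entries.append((line, {}))   # any other non-empty line starts a new file entry
    return entries


def check(entries: list[tuple[str, dict[str, str]]]) -> list[tuple[str, str]]:
    """Flag malformed digests, empty-file digests and same-path content changes."""
    findings = []
    for path, digests in entries:
        for alg, value in digests.items():
            if alg in HEX_LEN and len(value) != HEX_LEN[alg]:
                findings.append((path, f"{alg} digest has wrong length ({len(value)})"))
        known = [a for a in digests if a in EMPTY]
        if known and all(digests[a] == EMPTY[a] for a in known):
            findings.append((path, "zero-byte file (digests are those of empty input)"))

    by_path: dict[str, set[str]] = defaultdict(set)
    for path, digests in entries:
        if "sha256" in digests:
            by_path[path].add(digests["sha256"])
    for path, shas in by_path.items():
        if len(shas) > 1:
            findings.append((path, f"{len(shas)} distinct contents at the same path"))
    return findings


if __name__ == "__main__":
    for path, message in check(parse_files(FILES_TEXT)):
        print(f"{path}: {message}")
```

The length check matters when a report has been copied through a web page or a ticket system, where a truncated digest looks plausible until it fails to match anything; the same-path check is what turns the duplicated setup_install.exe entry into two indicators instead of one.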