Analysis Overview
SHA256
d71024ea9726f93736b24dbf799992bb9df7cd31e3a3889982a3b63a25a8ff22
Threat Level: Shows suspicious behavior
The file Mega2.8.zip was found to show suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Unexpected DNS network traffic destination
UPX packed file
Loads dropped DLL
Program crash
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Modifies system certificate store
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-08 02:36
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-08 02:35
Reported
2024-03-08 02:43
Platform
win7-20240221-en
Max time kernel
152s
Max time network
156s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\URL Protocol | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Mega2.8\\MegaDownloader.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mega | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\ = "URL: mega Protocol" | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob value omitted] | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.mega.nz | udp |
| US | 8.8.8.8:53 | www.checkforupdates.ovh | udp |
| LU | 31.216.145.5:443 | www.mega.nz | tcp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 67.199.248.10:443 | bit.ly | tcp |
| US | 67.199.248.11:443 | bit.ly | tcp |
Files
memory/2752-0-0x0000000000AB0000-0x000000000108C000-memory.dmp
memory/2752-1-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
memory/2752-2-0x000000001B330000-0x000000001B3B0000-memory.dmp
memory/2752-3-0x000000001B9D0000-0x000000001CD82000-memory.dmp
memory/2752-4-0x000000001D590000-0x000000001DAE0000-memory.dmp
memory/2752-5-0x000000001DAE0000-0x000000001F076000-memory.dmp
memory/2752-6-0x000000001CD90000-0x000000001CE7A000-memory.dmp
memory/2752-7-0x000000001CFF0000-0x000000001D0D8000-memory.dmp
memory/2752-8-0x00000000004B0000-0x000000000050A000-memory.dmp
memory/2752-9-0x0000000002700000-0x000000000276E000-memory.dmp
memory/2752-10-0x00000000221C0000-0x0000000022994000-memory.dmp
memory/2752-11-0x00000000229A0000-0x0000000023054000-memory.dmp
memory/2752-12-0x000000001B330000-0x000000001B3B0000-memory.dmp
memory/2752-13-0x000000001B7F0000-0x000000001B86C000-memory.dmp
memory/2752-25-0x000000001B330000-0x000000001B3B0000-memory.dmp
memory/2752-39-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
memory/2752-41-0x000000001B330000-0x000000001B3B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1112.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar1213.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 742c0024712d2c6b498a809c0b13bed8 |
| SHA1 | d8cbf7db0d30bf410c6cd23b9b5102910bd5478d |
| SHA256 | 7cea52bef080e381a55c53ee8117f2d256ccd8d07f005a58a476a118f3b9506a |
| SHA512 | 91e99f1ebf0f5f3b1ce0a512dc19d1a9609726516aff0f5522da30259a67d71de498f5a2b69157574effe88958f1ac0f065517120f1661db83ce9b245ea659e3 |
memory/2752-116-0x000000001B330000-0x000000001B3B0000-memory.dmp
C:\Users\Admin\AppData\Local\MegaDownloader\Language\en-US.xml
| MD5 | 93e68a613f33169bc0ef56c39f8e5b66 |
| SHA1 | 80e3d00cbd49791703098ff6fa683b5be81238aa |
| SHA256 | bc758d067d03984110c21cc76115807be4831bbd0fec92ca4076773d5417f51e |
| SHA512 | 2b6e65853ad27130797f7f765d8b68b353ac9946d8893eae80a9e213ee680f4b4619bf5bf747f1e7570e494f73ffdf445b3cb4a4d7207d904d28115004da8eb0 |
memory/2752-130-0x000000001B330000-0x000000001B3B0000-memory.dmp
memory/2752-131-0x000000001B330000-0x000000001B3B0000-memory.dmp
memory/2752-132-0x000000001B330000-0x000000001B3B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-08 02:35
Reported
2024-03-08 02:42
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
129s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\ = "URL: mega Protocol" | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\URL Protocol | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mega\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Mega2.8\\MegaDownloader.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mega | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaDownloader.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.checkforupdates.ovh | udp |
| US | 8.8.8.8:53 | www.mega.nz | udp |
| LU | 31.216.144.5:443 | www.mega.nz | tcp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | 5.144.216.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 67.199.248.10:443 | bit.ly | tcp |
| US | 67.199.248.10:443 | bit.ly | tcp |
| US | 8.8.8.8:53 | megadownloaderapp.blogspot.com | udp |
| GB | 142.250.187.225:443 | megadownloaderapp.blogspot.com | tcp |
| GB | 142.250.187.225:443 | megadownloaderapp.blogspot.com | tcp |
| US | 8.8.8.8:53 | 10.248.199.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2212-0-0x000001F784380000-0x000001F78495C000-memory.dmp
memory/2212-1-0x00007FFE0D930000-0x00007FFE0E3F1000-memory.dmp
memory/2212-2-0x000001F79EE30000-0x000001F79EE40000-memory.dmp
memory/2212-3-0x000001F7A0390000-0x000001F7A1742000-memory.dmp
memory/2212-4-0x000001F79F520000-0x000001F79FA70000-memory.dmp
memory/2212-5-0x000001F7A2CF0000-0x000001F7A4286000-memory.dmp
memory/2212-6-0x000001F79F270000-0x000001F79F35A000-memory.dmp
memory/2212-7-0x000001F79F360000-0x000001F79F448000-memory.dmp
memory/2212-8-0x000001F7A2800000-0x000001F7A285A000-memory.dmp
memory/2212-9-0x000001F7A2AD0000-0x000001F7A2B3E000-memory.dmp
memory/2212-10-0x000001F7A4A70000-0x000001F7A5244000-memory.dmp
memory/2212-11-0x000001F7A1B60000-0x000001F7A1BDC000-memory.dmp
memory/2212-12-0x000001F7A5250000-0x000001F7A5904000-memory.dmp
memory/2212-24-0x000001F79EE30000-0x000001F79EE40000-memory.dmp
memory/2212-25-0x000001F79EE30000-0x000001F79EE40000-memory.dmp
memory/2212-38-0x000001F7A5BB0000-0x000001F7A5C00000-memory.dmp
C:\Users\Admin\AppData\Local\MegaDownloader\Language\en-US.xml
| MD5 | 93e68a613f33169bc0ef56c39f8e5b66 |
| SHA1 | 80e3d00cbd49791703098ff6fa683b5be81238aa |
| SHA256 | bc758d067d03984110c21cc76115807be4831bbd0fec92ca4076773d5417f51e |
| SHA512 | 2b6e65853ad27130797f7f765d8b68b353ac9946d8893eae80a9e213ee680f4b4619bf5bf747f1e7570e494f73ffdf445b3cb4a4d7207d904d28115004da8eb0 |
memory/2212-53-0x00007FFE0D930000-0x00007FFE0E3F1000-memory.dmp
memory/2212-54-0x000001F79EE30000-0x000001F79EE40000-memory.dmp
memory/2212-56-0x000001F79EE30000-0x000001F79EE40000-memory.dmp
memory/2212-57-0x000001F79EE30000-0x000001F79EE40000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-08 02:35
Reported
2024-03-08 02:42
Platform
win10v2004-20231215-en
Max time kernel
89s
Max time network
150s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaVPN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaVPN.exe
"C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaVPN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/5084-0-0x0000020EE8FC0000-0x0000020EE9000000-memory.dmp
memory/5084-1-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp
memory/5084-2-0x0000020EEBD50000-0x0000020EEC404000-memory.dmp
memory/5084-3-0x0000020EED7D0000-0x0000020EEEB82000-memory.dmp
memory/5084-4-0x0000020EEC410000-0x0000020EEC960000-memory.dmp
memory/5084-5-0x0000020EEEB90000-0x0000020EEF364000-memory.dmp
memory/5084-6-0x0000020EEC960000-0x0000020EECF3C000-memory.dmp
memory/5084-9-0x0000020EEB780000-0x0000020EEB86A000-memory.dmp
memory/5084-8-0x0000020EEB690000-0x0000020EEB778000-memory.dmp
memory/5084-7-0x0000020EE9400000-0x0000020EE9410000-memory.dmp
memory/5084-10-0x0000020EEB8D0000-0x0000020EEB8F0000-memory.dmp
memory/5084-11-0x0000020EF1A60000-0x0000020EF1B0A000-memory.dmp
memory/5084-12-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-08 02:35
Reported
2024-03-08 02:43
Platform
win7-20240221-en
Max time kernel
122s
Max time network
157s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\Updater.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mega2.8\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Mega2.8\Updater.exe"
Network
Files
memory/1240-0-0x0000000000CE0000-0x0000000000D3A000-memory.dmp
memory/1240-1-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
memory/1240-2-0x0000000000160000-0x0000000000170000-memory.dmp
memory/1240-3-0x000000001B9E0000-0x000000001BA60000-memory.dmp
memory/1240-4-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-08 02:35
Reported
2024-03-08 02:43
Platform
win10v2004-20240226-en
Max time kernel
123s
Max time network
170s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\Updater.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mega2.8\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Mega2.8\Updater.exe"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/2128-0-0x00000205D5340000-0x00000205D539A000-memory.dmp
memory/2128-1-0x00000205D5760000-0x00000205D5770000-memory.dmp
memory/2128-2-0x00007FFA37620000-0x00007FFA380E1000-memory.dmp
memory/2128-4-0x00007FFA37620000-0x00007FFA380E1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-08 02:35
Reported
2024-03-08 02:43
Platform
win7-20240221-en
Max time kernel
157s
Max time network
175s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 185.144.83.91 | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{685EC6A1-DCF5-11EE-BFAA-5267BFD3BAD1} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary blob value omitted] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94d2d3723739f48802cd6414eea5c7e00000000020000000000106600000001000020000000ecae7f7124d3825a181b493b4b93efd765c1ff8cdd4f3bcc4873738b12b57d39000000000e8000000002000020000000f76e090de0bda9527bf2800bf117e4a52c9dd619a3869b8b9abb67c3f9c95ba82000000070979331d62ede4159296f1c7a04128cb07cf8c2c274092627d16ec5a36c5cb7400000004175bc079d961286331ae9065e5004ee90cae536d6d11f3d79ffbf1388b495072b1839279be0342f0560044690b2374b062bf4c2d9266ca9dea5d4d6d026192c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600ed63e0271da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416027575" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\psiphon\URL Protocol | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\psiphon\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\psiphon\shell | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\psiphon\shell\open | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Mega2.8\\pVPN.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\psiphon | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\psiphon\ = "URL:psiphon" | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [binary blob value omitted] | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [binary blob value omitted] | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe
"C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe"
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=GB&client_asn=3257&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiR0IiLCJjbGllbnRfdmVyc2lvbiI6IjE4MSIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFCQzUyN0QzRDA5OTg1Q0YiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc2lDYXNoLVdpbmRvd3MiLCJ2IjoxfSwidGltZXN0YW1wIjoiMjAyNC0wMy0wOFQwMjo0MTo0OC4wODlaIiwidG9rZW5zIjpudWxsLCJ2IjoxfQ
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-08 02:35
Reported
2024-03-08 02:42
Platform
win7-20240220-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaVPN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1992 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaVPN.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaVPN.exe
"C:\Users\Admin\AppData\Local\Temp\Mega2.8\MegaVPN.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1992 -s 864
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-08 02:35
Reported
2024-03-08 02:43
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
180s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\psiphon\shell\open | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Mega2.8\\pVPN.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\psiphon | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\psiphon\ = "URL:psiphon" | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\psiphon\URL Protocol | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\psiphon\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\psiphon\shell | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe
"C:\Users\Admin\AppData\Local\Temp\Mega2.8\pVPN.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3128 -ip 3128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1752
Network
Files