Malware Analysis Report

2024-11-30 02:16

Sample ID 240328-r25c6shg45
Target ProjectMainGitHub.zip
SHA256 f55cf52fd39c12fbb2ead65587a71ae2f8a563930c89e4a41e64eae9e041a39e
Tags
rhadamanthys stealer discovery
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2, behavioral7, behavioral21, behavioral3, behavioral9, behavioral14, behavioral27, behavioral4, behavioral11, behavioral15, behavioral16, behavioral18, behavioral5, behavioral6, behavioral13, behavioral17, behavioral23, behavioral25, behavioral26, behavioral8, behavioral12, behavioral22, behavioral10, behavioral1, behavioral19, behavioral20, behavioral24 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

f55cf52fd39c12fbb2ead65587a71ae2f8a563930c89e4a41e64eae9e041a39e

Threat Level: Known bad

The file ProjectMainGitHub.zip was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealer discovery

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

GoLang User-Agent

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 14:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win10v2004-20240226-en

Max time kernel

101s

Max time network

108s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ProjectMainGitHub.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ProjectMainGitHub.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
N/A 204.79.197.203:443 tcp
SE 192.229.221.95:80 tcp
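
The ten DNS rows above are all reverse (PTR) lookups sent to 8.8.8.8 for addresses that decode to Microsoft/Azure and CDN space (the 20.x, 40.x and 52.x blocks are largely Microsoft's). In this run the archive was only opened in Explorer, so that is Windows 10 background traffic, not something the sample did. The two TCP rows at the bottom, which have no resolved name in front of them, are the ones to compare against a clean detonation on the same platform before they are read as sample traffic. The script below is an added example by the editor, not part of the sandbox report: it parses rows in this table's layout, decodes each in-addr.arpa name back to the address it asks about, and separates resolver chatter from direct connections. The embedded rows are a constructed copy of part of this table.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed copy of some behavioral2 "Network" rows from this report
# (Country, Destination, Domain, Proto). Rows that carry no Domain column
# are the direct TCP connections at the bottom of the table.
BEHAVIORAL2_NETWORK = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
N/A 204.79.197.203:443 tcp
SE 192.229.221.95:80 tcp
"""

ROW = re.compile(
    r"^(?P<country>\S+)\s+(?P<dest>\S+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse-lookup name d.c.b.a.in-addr.arpa into the IPv4 address a.b.c.d it asks about."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None  # octet out of range: not a valid PTR name


def classify_rows(table: str) -> List[Dict]:
    """Parse the flattened table and tag each row with what it actually represents."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        is_dns = rec["proto"] == "udp" and rec["port"] == 53
        domain = rec["domain"]
        if is_dns and domain and domain.endswith(".in-addr.arpa"):
            # PTR query: the OS asking "who owns this address"; the address is the real subject
            rec["kind"] = "ptr_lookup"
            rec["subject_ip"] = ptr_to_ip(domain)
        elif is_dns:
            rec["kind"] = "dns_query"
        elif not domain:
            # Connection with no name resolved first: hard-coded IP or OS background traffic
            rec["kind"] = "direct_connect"
        else:
            rec["kind"] = "named_connect"
        rows.append(rec)
    return rows


def summarize(rows: List[Dict]) -> Counter:
    return Counter(r["kind"] for r in rows)


def review_candidates(rows: List[Dict]) -> List[str]:
    """Destinations left after discarding resolver chatter: the ones to diff against a clean baseline."""
    return [f'{r["dest"]}:{r["port"]}/{r["proto"]}' for r in rows if r["kind"] == "direct_connect"]


if __name__ == "__main__":
    parsed = classify_rows(BEHAVIORAL2_NETWORK)
    print(summarize(parsed))
    print(review_candidates(parsed))
```

Run against the full table, the review list is just the two hard-coded destinations; everything else collapses to PTR noise and can be dropped from the run's indicator set.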

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win7-20240221-en

Max time kernel

39s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win10v2004-20240226-en

Max time kernel

90s

Max time network

94s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\settingss

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\settingss

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win7-20231129-en

Max time kernel

47s

Max time network

16s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Engine.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Engine.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win7-20240215-en

Max time kernel

46s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8D8E0D61-ED11-11EE-B411-768C8F534424} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50fdc4621e81da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000840f81bbfc2af1e30a1cd11825619c5d6bf0a4c7c22ee595f712feff6c3bb6b3000000000e8000000002000020000000205b0a0ee54d83d584c70e388b4742266d5d14ab289d06a5e76471b02d6a517c40010000057e3a060d34231eaf567891eb68570934c379c1815149457552ba8de908de6540a457977d6f5d8024d0d4ceab62d7f3802c56b5a6e0f75097cbc5b124f4945aafb5328eb5f506d8608e47b2bc165bff1636ada926cb36e69d7e8db5cb09bfc37cfc4c2e1aed45305632c751c5b8cf9093e9d40330f333165bafd6f50336672ee7de68a9f8b602e6678d10ab361ef1eb7f53af2734acf8880371d5faba9ef48263213e12567c86877d10fc61c5f84067ea24e5d5ddbe7920ddbc031b80c4d1ecda3218b9b3ee7e9c8d2f03bbc12488d8f2fda2e2f91017ec2f984178ed827af4cbf50b640166f9da9df8050b86b6f581b785fbd7e78388a2251b8491e0e262fdbae39eb6ea551b6d0f0b2f81adda069d7c0609fcbc51a4ee6ad1713d19d2254419def0f05852d86ad3df8047f383367f81944ed625a71468c57be2e69be6d6834000000068f99dd6d6e9c537a606dee73fd015d222b6246cf93984b81154aa63a26a543cb83ba20bbed1e3ea344da3a44cb599a754f20024a70ce2651e96f7b9fb43b2dd C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c6000000000200000000001066000000010000200000009847d0fc544299eff2b6a5812a4a3597249653432ea12435ef7ff8f802941668000000000e800000000200002000000014c41053e1374caf65ab9ee3cf40ccdf14f04fca3dc38d6bb9eb67e504b625fa200000009a9c79c311a7f10c428ed22f80dcd552563212c962b7a078be4f657ff54accd5400000006f916c33d08cf96087e9172990b43258bef07249e96dc999326cd8a51263aca0b6a52bbe6f28d8a224c3efc0bdcf1077f9037a98118b32b79f1d9ce35443c90e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
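
Every row in the "Modifies Internet Explorer settings" table above is written by iexplore.exe or IEXPLORE.EXE, not by UbuilderB.exe. The sample's only visible action in this Windows 7 run is launching Internet Explorer on http://java.com/download, and the DOMStorage, TabbedBrowsing, Recovery and Zoom keys are IE's per-user housekeeping for that page. A hit like this has to be attributed to the writing process before it is counted as sample behaviour. The script below is an added example by the editor, not the sandbox's code: it parses signature rows and image/command-line pairs in this report's layout and reports which process wrote what. The embedded rows are a constructed subset of the two tables above.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed subset of the behavioral9 "Modifies Internet Explorer settings" rows
# (Description, Indicator, Process, Target) in the report's flattened layout.
SIGNATURE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50fdc4621e81da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
"""

# The behavioral9 "Processes" block: image path on one line, command line on the next.
PROCESS_ROWS = r"""
C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe
"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
"""

# Key paths and process paths both contain spaces, so anchor on the fixed tokens:
# the operation prefix, the \REGISTRY\ root, an optional " = value", then a drive-letter
# path ending in .exe and the Target column.
SIG = re.compile(
    r"^(?P<op>Key created|Set value \((?P<vtype>int|str|data)\)) "
    r"(?P<key>\\REGISTRY\\.+?)"
    r"(?: = (?P<value>.+?))?"
    r" (?P<proc>[A-Za-z]:\\.+?\.(?:exe|EXE))"
    r" (?P<target>N/A|.+)$"
)


def parse_processes(text: str) -> List[Dict[str, str]]:
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("process block should alternate image path / command line")
    return [{"image": lines[i], "cmdline": lines[i + 1]} for i in range(0, len(lines), 2)]


def parse_signature_rows(text: str) -> List[Dict[str, str]]:
    recs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SIG.match(line)
        if not m:
            raise ValueError(f"unparsed signature row: {line[:60]!r}")
        recs.append(m.groupdict())
    return recs


def attribute(sig_text: str, proc_text: str) -> Dict:
    """Which process made each registry change, and did the submitted sample make any?"""
    procs = parse_processes(proc_text)
    sample_image = procs[0]["image"]  # first process is the submitted command line
    writes = Counter()
    keys = defaultdict(set)
    for r in parse_signature_rows(sig_text):
        writes[r["proc"]] += 1
        keys[r["proc"]].add(r["key"])
    urls = [tok for p in procs for tok in p["cmdline"].split()
            if tok.lower().startswith(("http://", "https://"))]
    return {
        "sample_image": sample_image,
        "writes_by_process": dict(writes),
        "distinct_keys_by_process": {p: len(s) for p, s in keys.items()},
        "sample_wrote_registry": any(p.lower() == sample_image.lower() for p in writes),
        "opened_urls": urls,
    }


if __name__ == "__main__":
    print(attribute(SIGNATURE_ROWS, PROCESS_ROWS))
```

The useful output is the pair `sample_wrote_registry` / `opened_urls`: the sample itself touched no key in this signature, and the one URL it handed to the browser is what the registry churn is about.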

Network

Country Destination Domain Proto
US 8.8.8.8:53 java.com udp
GB 2.16.34.139:80 java.com tcp
GB 2.16.34.139:80 java.com tcp
US 8.8.8.8:53 www.java.com udp
GB 2.16.34.139:80 www.java.com tcp
GB 2.16.34.139:80 www.java.com tcp
GB 2.16.34.139:443 www.java.com tcp
US 8.8.8.8:53 static.ocecdn.oraclecloud.com udp
GB 23.204.227.109:443 static.ocecdn.oraclecloud.com tcp
GB 23.204.227.109:443 static.ocecdn.oraclecloud.com tcp
US 8.8.8.8:53 s.go-mpulse.net udp
GB 96.16.108.176:443 s.go-mpulse.net tcp
GB 96.16.108.176:443 s.go-mpulse.net tcp
GB 2.16.34.139:443 www.java.com tcp
GB 2.16.34.139:443 www.java.com tcp
US 8.8.8.8:53 c.go-mpulse.net udp
GB 92.123.28.132:443 c.go-mpulse.net tcp
GB 92.123.28.132:443 c.go-mpulse.net tcp
GB 2.16.34.139:443 www.java.com tcp
US 8.8.8.8:53 www.oracle.com udp
US 8.8.8.8:53 c.oracleinfinity.io udp
GB 96.16.109.107:443 www.oracle.com tcp
GB 96.16.109.107:443 www.oracle.com tcp
GB 2.16.34.112:443 c.oracleinfinity.io tcp
GB 2.16.34.112:443 c.oracleinfinity.io tcp
US 8.8.8.8:53 dc.oracleinfinity.io udp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp
GB 147.154.230.206:443 dc.oracleinfinity.io tcp

Files

memory/3004-0-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\MDN3SXPM\www.java[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\favicon[1].ico

MD5 8e39f067cc4f41898ef342843171d58a
SHA1 ab19e81ce8ccb35b81bf2600d85c659e78e5c880
SHA256 872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd
SHA512 47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\92bocja\imagestore.dat

MD5 b8ae54c61f965945d50820dcea7877d4
SHA1 187c86b4d0144539512b005c8ae51f6f0527826c
SHA256 4b6c64e50a603deea349f34a2c8966797275a0c63253635cadf907a9781928a0
SHA512 1a57da92e7254284ac4bf6b3a6a364955a882192e0a9ed301bdec32443b0d2efe728591d710e5734db833432e26aba22bc053ac155633d7989deb402e9237d00

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\MDN3SXPM\www.java[1].xml

MD5 5c2a9df63c22841c3df6e664143bec45
SHA1 9034b7f351652c11907cc23c2e00020254d82b78
SHA256 b561a326039a291c3e2ecd4e85e9c6fe055c8f6a506468faca8cc1221bfe1ad8
SHA512 2651b78e687813a3ef87d86e0929b3128b9a35fe6118ff7332c48421f6b32fea667bfdb5f14200b0dab2a61885070530d3ea841483929c753b41f6d613459afd

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\MDN3SXPM\www.java[1].xml

MD5 badae086ab63a0d691b95c7bbdd7504c
SHA1 54e484b0cf6d287a28848b0b01c1e5cd7a64b45a
SHA256 a035f9b60eefc786172b696633a4414c247452be9d531918d32e7bf211384350
SHA512 980a91e77890ebab1ed7f427bb051eca5a1ed5d2a80871987eeec3a96206892640957038c22001f206ac1631bf1f7eb5e7063478061b0ae4bc151c36a553aeeb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac2db196e9fcbfd563dcb097f5565157
SHA1 c163d4b9912ad6bf4071a11f9023ecb4393ef992
SHA256 de7ae208cc4790a157db1e77d19ea030e22aa6fbd62ec156bcc33d6ce0b22a9d
SHA512 d82244ea037071931a19423f7738525c58c6c1c3e2275b8b80ce671391d4be30b16ef017a562454a8cade6ebcf942d200b6a3cd5adbcb135d7c222c4053f4378

C:\Users\Admin\AppData\Local\Temp\Cab4A7A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar4A7B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar4B5C.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b4c04467718eb20d4ce31176a7063ac
SHA1 d8caf9c0061a59be6fa347ee6bdad62d48971ddf
SHA256 03b665a1ba2e237b19042ba5d762b7fe26bd3c6e4735768fd1ef0b281efa8653
SHA512 4c561f6cb84c03325a2a2280240ccb450036d05018b941e3b00ed610bcbf65f06f077eca6111c3db77103b17f58fba43f9458f12179a94a8121db288146bdf0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5be5d2206eca5b2e289c8e4c5c830afc
SHA1 0270e181662189e05548a00dcc663d394292efa5
SHA256 ca23267cb2ba59045ae6abee3c3349580fd7f9a28f650f2322bd8ef79a564e8b
SHA512 bbadd225e155ffcf631e151093474c3a1be330eda24b7d9d230cce584f901ded385e2184497368580830b4d80ec791d4ac65de742bb2db441314bab1958d7041

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea596851b63274f906cb9c6cf41b756f
SHA1 a23d6e30e10848027eea7fc68bfb03f6cb495856
SHA256 46551c84afdeab8a77db8454ec55ad99d136bb56b6766214554411678db26f5b
SHA512 d933b975b4b6aac29e2bc7f0e8ddb59b6dd2f40b9ad068a5e32bdc72c7931fb88719c86b686625be49748c9bd3538a067a515fd3ed808c9df60e369c409871eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d420f37c0ea897b657123a484cbb880a
SHA1 a95942cae91a8b7868ec629f2b8ef1f8faa033d3
SHA256 15df47ce61296083e457bca124ff01f68b1aa491fead018e9582f42d5629ee8a
SHA512 c4b6701607bd118ba190eaa51aeb4139f0574c2e4850e03a1857615455ee07c15c41f83e24170afe83b17b0b5f5deb40345c49a7e13ce26082a1ad8638f779a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba51a5e1028545a0ece012e1a99b2a82
SHA1 a2b0f0877864870e47638cc1b4c1be8265f73812
SHA256 c5bb118b8fb55930b94c5563616a635f5459b082db8a05494b0b5c99252532c3
SHA512 22c1314b5a10f53ae946e3de874400fc560856cd5a3b448b133e4649a26c06d6568206866e0a5d55afb84866c9f11022450addc908a4cb83de0391358bbd0c43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34acb7ad733d5ee6ec36bfa92382c3c4
SHA1 7a44f3dae875b0153a0e440da088e5b6f639b653
SHA256 7a9f098a05b3ce5a5f815bc31fd8678b5657a551439ebcc0ac07e803637f8ffe
SHA512 c47834e2e176cbca3231ac4a68d7e37db6b9959c26b5f504959490b5d28b2b6e934c6b7d10a93b420efe75ca534adb079c8f34e12f0340b0da59a8e1642c1beb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b85401e8028ce26f4a8474e699c1c4c1
SHA1 bc91cfc8b99f5f3bf57d4d918aa3ee3fb13feee8
SHA256 4a31f1fcc304f7be134b5bcb253973d07cb6cbf42d448b6f36cd443ef306bf01
SHA512 21c4874916e733e839171b59eed2f3df16b669de3b678c4dade6832b6e1f782c08548f922423e5ee66f7e91b227d0b34ab998eedcd0fa9cee7c0368a075ce37e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 954ec492e03fe8b047d426f6264c9051
SHA1 c385bbecf3f976314cf59a5e90a4b3c96a35168f
SHA256 9e3b1f092fcb097e36ac079c6c3dbdf1a5008f002596ff2e47ee3cf2aacd98c1
SHA512 4e5460f42c4de11310f92198ba1ab31ea6b834e39b81b0674d3bd375ef64fbc5e2189a3cd771d75fc8f083340fa7365e90f728e60734dbb5158c403949bab9ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2138b4243ddfb11e37b952b4c644abfa
SHA1 8b72817505d59e885dea037d6550b1ef577ea8c2
SHA256 487260892a2d9f180c1f248f4b7a5dc3e7496489419834241b8ac50e02371a96
SHA512 6eee44b508fd6b8472f365b997a59e0e459566b4134ea1f9584124cc1536c85981f2ed184cf91a194ac3cdd7154d11526894676ed1abf9d894fd41d0066b8d52
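
Nothing in this Files list is a payload dropped by UbuilderB.exe. The DOMStore, Temporary Internet Files and imagestore entries are Internet Explorer's caches for the java.com page it was sent to, the CryptnetUrlCache entries and the Cab/Tar .tmp files in Temp are crypt32 fetching certificate data during that page load, and the memory/ entry is a memory-region dump taken by the sandbox. The same DOMStore path appears three times with three different hashes because IE rewrote it, and the one CryptnetUrlCache MetaData path appears ten times for the same reason; none of those hashes belong on a blocklist. The script below is an added example by the editor, not part of the report: it parses entries in this section's layout, tags environment-generated artifacts by path (the path patterns are the editor's, not the sandbox's), flags paths that were rewritten with different content, and leaves only unexplained files as candidate IOCs. The embedded excerpt is constructed from a few of the entries above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed excerpt of the behavioral9 "Files" section, in the report's layout:
# a path line, then MD5/SHA1/SHA256/SHA512 lines; memory dumps carry no hashes.
FILES_SECTION = r"""
memory/3004-0-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\MDN3SXPM\www.java[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\favicon[1].ico

MD5 8e39f067cc4f41898ef342843171d58a
SHA1 ab19e81ce8ccb35b81bf2600d85c659e78e5c880
SHA256 872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd
SHA512 47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\MDN3SXPM\www.java[1].xml

MD5 5c2a9df63c22841c3df6e664143bec45
SHA1 9034b7f351652c11907cc23c2e00020254d82b78
SHA256 b561a326039a291c3e2ecd4e85e9c6fe055c8f6a506468faca8cc1221bfe1ad8
SHA512 2651b78e687813a3ef87d86e0929b3128b9a35fe6118ff7332c48421f6b32fea667bfdb5f14200b0dab2a61885070530d3ea841483929c753b41f6d613459afd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac2db196e9fcbfd563dcb097f5565157
SHA1 c163d4b9912ad6bf4071a11f9023ecb4393ef992
SHA256 de7ae208cc4790a157db1e77d19ea030e22aa6fbd62ec156bcc33d6ce0b22a9d
SHA512 d82244ea037071931a19423f7738525c58c6c1c3e2275b8b80ce671391d4be30b16ef017a562454a8cade6ebcf942d200b6a3cd5adbcb135d7c222c4053f4378
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

# Path patterns for artifacts the detonation environment produces on its own
# (browser caches, crypt32 certificate fetches, sandbox memory dumps). Editor's list.
NOISE_PATTERNS = [
    (r"^memory/", "sandbox_memdump"),
    (r"\\Temporary Internet Files\\", "ie_cache"),
    (r"\\Internet Explorer\\DOMStore\\", "ie_domstorage"),
    (r"\\Internet Explorer\\imagestore\\", "ie_imagestore"),
    (r"\\CryptnetUrlCache\\", "crypt32_url_cache"),
    (r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", "crypt32_ctl_tmp"),  # CTL/cab download temp files
]


def parse_files_section(text: str) -> List[Dict]:
    """Group each path line with the hash lines that follow it."""
    entries: List[Dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1)] = m.group(2)
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def classify(path: str) -> Optional[str]:
    for pattern, kind in NOISE_PATTERNS:
        if re.search(pattern, path, re.IGNORECASE):
            return kind
    return None


def triage(text: str) -> Dict:
    entries = parse_files_section(text)
    by_path = defaultdict(set)
    candidates = []
    for e in entries:
        e["noise"] = classify(e["path"])
        sha = e["hashes"].get("SHA256")
        if sha:
            by_path[e["path"]].add(sha)
        if e["noise"] is None and sha:
            candidates.append(e)
    return {
        "entries": entries,
        # same path written more than once with different content
        "rewritten_paths": {p: sorted(s) for p, s in by_path.items() if len(s) > 1},
        "candidate_iocs": sorted({e["hashes"]["SHA256"] for e in candidates}),
    }


if __name__ == "__main__":
    print(triage(FILES_SECTION))
```

On the full section the candidate list is empty, which is the right reading of this run: the interesting part of behavioral9 is the process chain, not the files.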

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

122s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\scv.jar

Signatures

N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\scv.jar

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win10v2004-20240226-en

Max time kernel

61s

Max time network

76s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\xNet.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\xNet.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win10v2004-20240226-en

Max time kernel

72s

Max time network

81s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Engine.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Engine.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win7-20240221-en

Max time kernel

43s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40620d611e81da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8BBF40D1-ED11-11EE-B826-EA483E0BCDAF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000019011891636eb96e5bd51d82a8a0b2140b53b29c3443c43dea1f2c94baa5683a000000000e80000000020000200000006cf67174e2f8278dc7e982d79809350bf7627dbd528bfa8800538dc79da0f58c20000000ebf820ade4bea116ee023ca8ec082e964d2d7bce92d6dc790bf45a139427eb57400000008c42e5e269c9fcd41ec79bf86ca1e2d6792c01a7cab0765fcf1c58f4368b1d76ea71570697b764f63fb08e6d0cc57f8bac38e06fc067de8e544a87229922d31b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 java.com udp
GB 2.16.34.139:80 java.com tcp
GB 2.16.34.139:80 java.com tcp
US 8.8.8.8:53 www.java.com udp
GB 2.16.34.139:80 www.java.com tcp
GB 2.16.34.139:80 www.java.com tcp
GB 2.16.34.139:443 www.java.com tcp
US 8.8.8.8:53 static.ocecdn.oraclecloud.com udp
GB 23.204.227.109:443 static.ocecdn.oraclecloud.com tcp
GB 23.204.227.109:443 static.ocecdn.oraclecloud.com tcp
US 8.8.8.8:53 s.go-mpulse.net udp
GB 96.16.108.176:443 s.go-mpulse.net tcp
GB 96.16.108.176:443 s.go-mpulse.net tcp
GB 2.16.34.139:443 www.java.com tcp
GB 2.16.34.139:443 www.java.com tcp
US 8.8.8.8:53 c.go-mpulse.net udp
GB 92.123.28.132:443 c.go-mpulse.net tcp
GB 92.123.28.132:443 c.go-mpulse.net tcp
GB 2.16.34.139:443 www.java.com tcp
US 8.8.8.8:53 www.oracle.com udp
US 8.8.8.8:53 c.oracleinfinity.io udp
GB 2.16.34.107:443 c.oracleinfinity.io tcp
GB 2.16.34.107:443 c.oracleinfinity.io tcp
GB 96.16.109.107:443 www.oracle.com tcp
GB 96.16.109.107:443 www.oracle.com tcp
US 8.8.8.8:53 dc.oracleinfinity.io udp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp
DE 147.154.150.92:443 dc.oracleinfinity.io tcp

Files

memory/2956-0-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\BUBP79MG\www.java[1].xml

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\favicon[1].ico

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\re26ad0\imagestore.dat

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\BUBP79MG\www.java[1].xml

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\BUBP79MG\www.java[1].xml

C:\Users\Admin\AppData\Local\Temp\Cab5B6A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar5B7C.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar5C5D.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\~DF2467006C14EA6396.TMP

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:46

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\opengl32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\opengl32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\key_datas

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\key_datas

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:46

Platform

win7-20240221-en

Max time kernel

120s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\prefix

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\prefix

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win7-20240221-en

Max time kernel

44s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\driver1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1720 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\Wbem\wmic.exe
PID 1720 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\Wbem\wmic.exe
PID 1720 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\Wbem\wmic.exe
PID 1720 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\ProgramData\driver1.exe
PID 1720 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\ProgramData\driver1.exe
PID 1720 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\ProgramData\driver1.exe
PID 1720 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 1720 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 1720 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 1720 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 1720 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 1720 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\Microsoft\\\""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get uuid

C:\ProgramData\driver1.exe

C:\ProgramData\driver1.exe

C:\Windows\system32\schtasks.exe

schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM

C:\Windows\system32\schtasks.exe

schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
RU 89.23.97.199:1445 89.23.97.199 tcp
RU 89.23.97.199:1444 89.23.97.199 tcp

Files

memory/2488-4-0x000000001B270000-0x000000001B552000-memory.dmp

memory/2488-5-0x0000000002410000-0x0000000002418000-memory.dmp

memory/2488-6-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

memory/2488-7-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/2488-8-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

memory/2488-9-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/2488-10-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/2488-11-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F77MPMEYIAUPPSS7KL03.temp

MD5 06057887ade6eb73cf58b921f039021c
SHA1 38c3449442275fa9d0734cdc01f349e75654d680
SHA256 7332c0511b7407e632c228283b758b69da001e3a4e0517cbd4efd0a569844d3a
SHA512 523ee08c93a2d2fcd721239c6e95b3e3265860ff3ec386a6239be21c8f01e1774bf820980c4ade9be0e39ef49e7370f5bb9bf6252153292110864031987ddd86

memory/2544-17-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

memory/2544-18-0x000007FEF4BD0000-0x000007FEF556D000-memory.dmp

memory/2544-20-0x0000000002890000-0x0000000002910000-memory.dmp

memory/2544-19-0x00000000022F0000-0x00000000022F8000-memory.dmp

memory/2544-22-0x0000000002890000-0x0000000002910000-memory.dmp

memory/2544-21-0x000007FEF4BD0000-0x000007FEF556D000-memory.dmp

memory/2544-23-0x0000000002890000-0x0000000002910000-memory.dmp

memory/2544-24-0x000007FEF4BD0000-0x000007FEF556D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarA819.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\ProgramData\driver1.exe

MD5 c9ba72dd40efccd9ea8b199984bfcea8
SHA1 047bb1776528de85752efb7e5cd8505637db610f
SHA256 1ee785bcc72ba77941a98128ee17cd5fa85e86c8056fc0ec607392075b16f481
SHA512 2bba3781fab039f210c637b54c77be771733c2adf5a6e8064a6ec803b9d798d5ed820c950cf70501411a4ef4009640e8eb9e9a3fa7dd3b97ba2b8a181c5cdec8

memory/2636-66-0x000000013F140000-0x000000013F58E000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win10v2004-20240226-en

Max time kernel

67s

Max time network

75s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4576 created 2712 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\system32\sihost.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\driver1.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3660 set thread context of 4576 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3924 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\Wbem\wmic.exe
PID 3924 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\System32\Wbem\wmic.exe
PID 3924 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\ProgramData\driver1.exe
PID 3924 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\ProgramData\driver1.exe
PID 3660 wrote to memory of 4576 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 3660 wrote to memory of 4576 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 3660 wrote to memory of 4576 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 3660 wrote to memory of 4576 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 3660 wrote to memory of 4576 N/A C:\ProgramData\driver1.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PID 4576 wrote to memory of 1944 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 4576 wrote to memory of 1944 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 4576 wrote to memory of 1944 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 4576 wrote to memory of 1944 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 4576 wrote to memory of 1944 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\SysWOW64\dialer.exe
PID 3924 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 3924 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 3924 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe
PID 3924 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Loader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\Microsoft\\\""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get uuid

C:\ProgramData\driver1.exe

C:\ProgramData\driver1.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4576 -ip 4576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4576 -ip 4576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 468

C:\Windows\system32\schtasks.exe

schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM

C:\Windows\system32\schtasks.exe

schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
RU 89.23.97.199:1445 89.23.97.199 tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 199.97.23.89.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 89.23.97.199:1444 89.23.97.199 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yes132wo.tx4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4212-5-0x000001DC7FFE0000-0x000001DC80002000-memory.dmp

memory/4212-10-0x00007FFCE44F0000-0x00007FFCE4FB1000-memory.dmp

memory/4212-12-0x000001DC02230000-0x000001DC02240000-memory.dmp

memory/4212-11-0x000001DC02230000-0x000001DC02240000-memory.dmp

memory/4212-15-0x00007FFCE44F0000-0x00007FFCE4FB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/816-17-0x00007FFCE44F0000-0x00007FFCE4FB1000-memory.dmp

memory/816-19-0x0000016DA4540000-0x0000016DA4550000-memory.dmp

memory/816-18-0x0000016DA4540000-0x0000016DA4550000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/816-30-0x0000016DA4540000-0x0000016DA4550000-memory.dmp

memory/816-31-0x0000016DA4540000-0x0000016DA4550000-memory.dmp

memory/816-33-0x00007FFCE44F0000-0x00007FFCE4FB1000-memory.dmp

C:\ProgramData\driver1.exe

MD5 c9ba72dd40efccd9ea8b199984bfcea8
SHA1 047bb1776528de85752efb7e5cd8505637db610f
SHA256 1ee785bcc72ba77941a98128ee17cd5fa85e86c8056fc0ec607392075b16f481
SHA512 2bba3781fab039f210c637b54c77be771733c2adf5a6e8064a6ec803b9d798d5ed820c950cf70501411a4ef4009640e8eb9e9a3fa7dd3b97ba2b8a181c5cdec8

memory/4576-43-0x0000000000F80000-0x0000000000FED000-memory.dmp

memory/3660-44-0x00007FF64C0D0000-0x00007FF64C51E000-memory.dmp

memory/4576-46-0x0000000000F80000-0x0000000000FED000-memory.dmp

memory/4576-47-0x0000000000F80000-0x0000000000FED000-memory.dmp

memory/4576-48-0x0000000004000000-0x0000000004400000-memory.dmp

memory/4576-49-0x0000000004000000-0x0000000004400000-memory.dmp

memory/4576-50-0x0000000004000000-0x0000000004400000-memory.dmp

memory/4576-52-0x0000000004000000-0x0000000004400000-memory.dmp

memory/4576-51-0x00007FFD045B0000-0x00007FFD047A5000-memory.dmp

memory/4576-54-0x0000000075960000-0x0000000075B75000-memory.dmp

memory/1944-55-0x00000000004B0000-0x00000000004B9000-memory.dmp

memory/1944-57-0x00000000020E0000-0x00000000024E0000-memory.dmp

memory/1944-58-0x00000000020E0000-0x00000000024E0000-memory.dmp

memory/1944-59-0x00007FFD045B0000-0x00007FFD047A5000-memory.dmp

memory/1944-61-0x00000000020E0000-0x00000000024E0000-memory.dmp

memory/1944-62-0x0000000075960000-0x0000000075B75000-memory.dmp

memory/1944-64-0x00000000020E0000-0x00000000024E0000-memory.dmp

memory/4576-63-0x0000000004000000-0x0000000004400000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\scv.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\scv.jar

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:46

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

159s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\key_datas

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\key_datas

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.197.77.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

96s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\user_data\cache\version

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\user_data\cache\version

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win10v2004-20240319-en

Max time kernel

90s

Max time network

98s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\user_data\media_cache\version

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\user_data\media_cache\version

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3380 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
IE 94.245.104.56:443 tcp
GB 51.140.242.104:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
GB 51.11.108.188:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
GB 13.105.221.15:443 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win7-20240221-en

Max time kernel

34s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\xNet.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\xNet.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win10v2004-20240226-en

Max time kernel

60s

Max time network

68s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\Newtonsoft.Json.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1292 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 35.58.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:46

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderS.exe" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/4192-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/60-5-0x000002166F770000-0x0000021670770000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 a1079a6237062df888cabf07d7af7279
SHA1 3a1253c6b952169b9da76442599531b1f82a85a2
SHA256 694e9af625ef58d5b99f09038d72772c13bce78f1e25419a63f552922351b20a
SHA512 731c5d67017bd326949649814e91c8f7786cf9b4ed0b6304fb103e512fac5a496fcbe438a90a6a585c9c27fc082c80c01ee7853e45952c90254ed2467ba5cdbd

memory/60-13-0x000002166DEB0000-0x000002166DEB1000-memory.dmp

memory/60-18-0x000002166F770000-0x0000021670770000-memory.dmp

memory/60-28-0x000002166F770000-0x0000021670770000-memory.dmp

memory/60-39-0x000002166F770000-0x0000021670770000-memory.dmp

memory/60-43-0x000002166F9F0000-0x000002166FA00000-memory.dmp

memory/60-44-0x000002166FA20000-0x000002166FA30000-memory.dmp

memory/60-45-0x000002166FAC0000-0x000002166FAD0000-memory.dmp

memory/60-46-0x000002166FA40000-0x000002166FA50000-memory.dmp

memory/60-47-0x000002166FA50000-0x000002166FA60000-memory.dmp

memory/60-50-0x000002166FA70000-0x000002166FA80000-memory.dmp

memory/60-48-0x000002166FA60000-0x000002166FA70000-memory.dmp

memory/60-49-0x000002166F770000-0x0000021670770000-memory.dmp

memory/60-53-0x000002166FAA0000-0x000002166FAB0000-memory.dmp

memory/60-51-0x000002166FA80000-0x000002166FA90000-memory.dmp

memory/60-52-0x000002166FA90000-0x000002166FAA0000-memory.dmp

memory/60-54-0x000002166F770000-0x0000021670770000-memory.dmp

memory/60-55-0x000002166F770000-0x0000021670770000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win7-20240220-en

Max time kernel

44s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\user_data\cache\version

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\user_data\cache\version

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:44

Platform

win10v2004-20240226-en

Max time kernel

46s

Max time network

42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe

"C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\bin\UbuilderB.exe" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country  Destination       Domain                         Proto
US       8.8.8.8:53        217.106.137.52.in-addr.arpa    udp
US       8.8.8.8:53        41.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53        133.32.126.40.in-addr.arpa     udp
US       20.231.121.79:80                                 tcp
US       8.8.8.8:53        157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53        15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53        232.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53        104.219.191.52.in-addr.arpa    udp

Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 88cdbfcafeba0abd334f9fc7c2bd76ca
SHA1 2563bd31fdbd97113261a650c5a58d59365d880b
SHA256 380d739ae16661bfb27cc23b500150c7360bbbef7de1014589cbb2061c237882
SHA512 7106bbf2894af4e9e2a1ff273d08b7c4d24b874a42ba0bb163b299214b19d0cf0eb300900e4e6566f09ae931d419dccc805166fe35dee05e1c4fa7b2e507dda2

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:46

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ProjectMainGitHub.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ProjectMainGitHub.zip

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

96s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\prefix

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\prefix

Network

Country  Destination  Domain                         Proto
US       8.8.8.8:53   58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53   40.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53   21.177.190.20.in-addr.arpa     udp
US       8.8.8.8:53   13.86.106.20.in-addr.arpa      udp
US       8.8.8.8:53   183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53   15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53   232.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53   219.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53   43.229.111.52.in-addr.arpa     udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win7-20240215-en

Max time kernel

47s

Max time network

16s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\settingss

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\packages\settingss

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-28 14:42

Reported

2024-03-28 14:45

Platform

win7-20231129-en

Max time kernel

49s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\user_data\media_cache\version

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ProjectGitHubMain\user_data\media_cache\version

Network

N/A

Files

N/A