Analysis Overview
SHA256
e444b4058d7ce00244581868383d14b7e159c27b9b65dcc3751fb56a69796d40
Threat Level: Known bad
The file 550112f9f98e8b7e7ff55b3cbb985c68_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Blackmoon family
Detect Blackmoon payload
UPX packed file
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 13:43
Signatures
Blackmoon family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 13:43
Reported
2024-05-18 13:46
Platform
win7-20231129-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.exe tray" | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary certificate blob; value not reproduced in this report) | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | happygolife.com | udp |
| US | 67.225.218.22:443 | happygolife.com | tcp |
| US | 67.225.218.22:443 | happygolife.com | tcp |
| US | 8.8.8.8:53 | ww12.happygolife.com | udp |
| US | 75.2.81.221:80 | ww12.happygolife.com | tcp |
| US | 75.2.81.221:80 | ww12.happygolife.com | tcp |
Files
memory/1960-0-0x0000000000400000-0x000000000055BAED-memory.dmp
C:\Users\Admin\AppData\Roaming\btSearcher\setting.ini
| MD5 | 2ae006985074e066e98832bb643c6714 |
| SHA1 | 964ab257b7802dcdcf2099209f8125254e504e5c |
| SHA256 | bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567 |
| SHA512 | d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a |
memory/1960-32-0x0000000000400000-0x000000000055BAED-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 13:43
Reported
2024-05-18 13:46
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.exe tray" | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | happygolife.com | udp |
| US | 67.225.218.22:443 | happygolife.com | tcp |
| US | 67.225.218.22:443 | happygolife.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.218.225.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww12.happygolife.com | udp |
| US | 75.2.81.221:80 | ww12.happygolife.com | tcp |
| US | 75.2.81.221:80 | ww12.happygolife.com | tcp |
| US | 8.8.8.8:53 | 221.81.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3964-0-0x0000000000400000-0x000000000055BAED-memory.dmp
C:\Users\Admin\AppData\Roaming\btSearcher\setting.ini
| MD5 | 2ae006985074e066e98832bb643c6714 |
| SHA1 | 964ab257b7802dcdcf2099209f8125254e504e5c |
| SHA256 | bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567 |
| SHA512 | d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a |
memory/3964-26-0x0000000000400000-0x000000000055BAED-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-18 13:43
Reported
2024-05-18 13:46
Platform
win7-20240419-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.dll tray" | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\Media\Desktop.ini:dbase.mdb | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
| File opened for modification | C:\WINDOWS\Media\Desktop.ini:dbase.mdb | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
| File opened for modification | C:\WINDOWS\Media\Desktop.ini:dbase.ldb | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
| File created | C:\WINDOWS\Media\ActiveX.ocx | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\Media\Desktop.ini:dbase.mdb | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
| File opened for modification | C:\WINDOWS\Media\Desktop.ini:dbase.mdb | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
| File opened for modification | C:\WINDOWS\Media\Desktop.ini:dbase.ldb | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe
"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe"
C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll
unpacked.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | happygolife.com | udp |
| US | 67.225.218.22:443 | happygolife.com | tcp |
| US | 67.225.218.22:443 | happygolife.com | tcp |
| US | 8.8.8.8:53 | ww12.happygolife.com | udp |
| US | 75.2.81.221:80 | ww12.happygolife.com | tcp |
| US | 75.2.81.221:80 | ww12.happygolife.com | tcp |
Files
memory/2424-0-0x00000000021E0000-0x000000000233C000-memory.dmp
C:\Users\Admin\AppData\Roaming\btSearcher\setting.ini
| MD5 | 2ae006985074e066e98832bb643c6714 |
| SHA1 | 964ab257b7802dcdcf2099209f8125254e504e5c |
| SHA256 | bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567 |
| SHA512 | d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a |
memory/3036-16-0x0000000000400000-0x000000000055BAED-memory.dmp
C:\WINDOWS\Media\ActiveX.ocx
| MD5 | a73431462998145c37a7b8da674bc0bb |
| SHA1 | 8532ec2289490763fb304a88918bf74fa53dd716 |
| SHA256 | 12b90653bfe0d052d84ead17226688a5c5ce278f28128d5e36b0096c900dfa95 |
| SHA512 | 958a8d7b1c85a210010207f39da13f04b7c40d792bd9bf2f4ff27dc3a86ef3b7bc2d44dad1accc13e1bbc94a0a92dbdbcf79e694be04fc7c6b5554bd08a3c7f8 |
memory/3036-46-0x0000000000400000-0x000000000055BAED-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-18 13:43
Reported
2024-05-18 13:46
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.dll tray" | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\Media\Desktop.ini:dbase.mdb | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
| File created | C:\WINDOWS\Media\ActiveX.ocx | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\Media\Desktop.ini:dbase.mdb | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1280 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll |
| PID 1280 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll |
| PID 1280 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll |
| PID 1280 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1280 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1280 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe
"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe"
C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll
unpacked.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | happygolife.com | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 67.225.218.22:443 | happygolife.com | tcp |
| US | 67.225.218.22:443 | happygolife.com | tcp |
| US | 8.8.8.8:53 | 22.218.225.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww12.happygolife.com | udp |
| US | 75.2.81.221:80 | ww12.happygolife.com | tcp |
| US | 75.2.81.221:80 | ww12.happygolife.com | tcp |
| US | 8.8.8.8:53 | 221.81.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/4548-0-0x0000000000400000-0x000000000055BAED-memory.dmp
C:\Users\Admin\AppData\Roaming\btSearcher\setting.ini
| MD5 | 2ae006985074e066e98832bb643c6714 |
| SHA1 | 964ab257b7802dcdcf2099209f8125254e504e5c |
| SHA256 | bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567 |
| SHA512 | d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a |
C:\WINDOWS\Media\ActiveX.ocx
| MD5 | e153e6f751d7b30640cff939cf299a8c |
| SHA1 | d12c43a87b4d46ef1e3a3f8d6a4b645fe4c95dfb |
| SHA256 | a55c223f4deab41e67cc1037efc6c5ef0c28c18e99861360cacbfa24b2ca84f1 |
| SHA512 | 2bbdbe683f323caad94c4b1252ae284a8a5ee2eaa5768b274757601f31dbf5f5b98c419e8075f6c3f9b8111727d1707da9be29c3e78b85bff5774928a7a93764 |
memory/4548-29-0x0000000000400000-0x000000000055BAED-memory.dmp