Analysis Overview
SHA256
1f7553701ef80138d6fd387a8a5919bd34684600b8c81e45102d2a4c720786c1
Threat Level: Known bad
The file #!~#0Pen_9898_P@$SW0rd~!!$.zip was found to be: Known bad.
Malicious Activity Summary
Stealc
Vidar
Detect Vidar Stealer
Downloads MZ/PE file
Reads user/profile data of local email clients
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 14:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 14:16
Reported
2024-06-14 14:19
Platform
win11-20240508-en
Max time kernel
66s
Max time network
81s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Reads data files stored by FTP clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1120 set thread context of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\coml.au3" & rd /s /q "C:\ProgramData\DGHIECGCBKFH" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | feeldog.xyz | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
Files
memory/1120-0-0x00007FFCABD20000-0x00007FFCABE9A000-memory.dmp
memory/1120-12-0x00007FFCABD38000-0x00007FFCABD39000-memory.dmp
memory/1120-13-0x00007FFCABD20000-0x00007FFCABE9A000-memory.dmp
memory/1120-14-0x00007FFCABD20000-0x00007FFCABE9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c54124af
| MD5 | f3283379426fb1c80d682bf32409a2c9 |
| SHA1 | d4be3a44e701a41a762bd616767330489f5ae261 |
| SHA256 | 978b497c407f8e766c9ac205e8cafe4783b2c4d0f2bc0632db184a3bca193fb1 |
| SHA512 | 3e020237ac6398e9160d3c8d29b14aabf11a7e097108f9d0609dfffaa5e35a61f56b02f70301679e5edaaebbe4bd2beab418017a928b761987c799aa200037a7 |
memory/2860-17-0x00007FFCBB7E0000-0x00007FFCBB9E9000-memory.dmp
memory/2860-19-0x000000007425E000-0x0000000074260000-memory.dmp
memory/2860-20-0x0000000074251000-0x000000007425F000-memory.dmp
memory/2860-24-0x0000000074251000-0x000000007425F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\coml.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2792-26-0x0000000000C40000-0x000000000138B000-memory.dmp
memory/2792-28-0x00007FFCBB7E0000-0x00007FFCBB9E9000-memory.dmp
memory/2792-29-0x0000000000C40000-0x000000000138B000-memory.dmp
memory/2792-30-0x0000000000C40000-0x000000000138B000-memory.dmp
memory/2792-32-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2792-44-0x0000000000C40000-0x000000000138B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 14:16
Reported
2024-06-14 14:18
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2276 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 148
Network
Files
memory/2276-0-0x000007FEF54D0000-0x000007FEF5628000-memory.dmp
memory/2276-12-0x000007FEF54E8000-0x000007FEF54E9000-memory.dmp
memory/2276-13-0x000007FEF54D0000-0x000007FEF5628000-memory.dmp
memory/2276-14-0x000007FEF54D0000-0x000007FEF5628000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8e069a28
| MD5 | a8c1d81e49e8b8fba8583ea05e7e6ea9 |
| SHA1 | 156f3b8d46ee2f344f6a253cfefba4ce0f57aa9f |
| SHA256 | 905d2b13392e4cb3e47e233d5e7f4c0fd025f399df3072dd647e9e1429b4939d |
| SHA512 | 0447d4d5be309f7c21c7c6274550082e791d9b31683323ee10a476531cccdd8d15b0f6b2f9ee52184d9df52356e13a72da324d9f576ff096acf13ef714047351 |
memory/2980-17-0x0000000076D50000-0x0000000076EF9000-memory.dmp
memory/2980-19-0x0000000073050000-0x00000000731C4000-memory.dmp
memory/2980-23-0x000000007305E000-0x0000000073060000-memory.dmp
memory/2980-24-0x0000000073050000-0x00000000731C4000-memory.dmp
\Users\Admin\AppData\Local\Temp\coml.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2628-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2628-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2980-28-0x0000000073050000-0x00000000731C4000-memory.dmp
memory/2628-30-0x00000000007A0000-0x0000000000EEB000-memory.dmp
memory/2628-37-0x00000000007A0000-0x0000000000EEB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 14:16
Reported
2024-06-14 14:19
Platform
win10v2004-20240611-en
Max time kernel
117s
Max time network
108s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\EGDAEBGIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\AAKEGDAKEH.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2384 set thread context of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2536 set thread context of 5068 | N/A | C:\ProgramData\EGDAEBGIDB.exe | C:\Windows\SysWOW64\ftp.exe |
| PID 4484 set thread context of 4136 | N/A | C:\ProgramData\AAKEGDAKEH.exe | C:\Windows\SysWOW64\ftp.exe |
| PID 4136 set thread context of 3956 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Watcher Com SH.job | C:\Windows\SysWOW64\ftp.exe | N/A |
| File created | C:\Windows\Tasks\TWI Cloud Host.job | C:\Windows\SysWOW64\ftp.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\ProgramData\EGDAEBGIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\AAKEGDAKEH.exe | N/A |
| N/A | N/A | C:\ProgramData\EGDAEBGIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\AAKEGDAKEH.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\ProgramData\EGDAEBGIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\AAKEGDAKEH.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_9898_P@$SW0rd~!!$\Setup.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\ProgramData\EGDAEBGIDB.exe
"C:\ProgramData\EGDAEBGIDB.exe"
C:\ProgramData\AAKEGDAKEH.exe
"C:\ProgramData\AAKEGDAKEH.exe"
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FBFIJJEBKEBF" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 131.253.33.237:443 | g.bing.com | tcp |
| BE | 23.41.178.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | feeldog.xyz | udp |
| US | 172.67.133.78:443 | feeldog.xyz | tcp |
| US | 8.8.8.8:53 | 78.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 195.201.251.58:9000 | tcp | |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.251.201.195.in-addr.arpa | udp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| US | 8.8.8.8:53 | businessdownloads.ltd | udp |
| US | 172.67.212.123:443 | businessdownloads.ltd | tcp |
| US | 8.8.8.8:53 | 123.212.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| US | 8.8.8.8:53 | i.imgur.com | udp |
| US | 199.232.196.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | 193.196.232.199.in-addr.arpa | udp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
| DE | 195.201.251.58:9000 | 195.201.251.58 | tcp |
Files
memory/2384-0-0x00007FF8865E0000-0x00007FF886752000-memory.dmp
memory/2384-12-0x00007FF8865F8000-0x00007FF8865F9000-memory.dmp
memory/2384-13-0x00007FF8865E0000-0x00007FF886752000-memory.dmp
memory/2384-14-0x00007FF8865E0000-0x00007FF886752000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c3709396
| MD5 | 131f1ece6198bf5bd7c4006e4c3dd23e |
| SHA1 | 57f8ea37d81cbc5dfd49d79b16b4bc4ecab1f40d |
| SHA256 | 7366168906f36f7e2341babdb03ee48bb03075f85bf5e64d29680fadbfe44692 |
| SHA512 | 50c6edca0adfba4e4ea59a9026c5555387feb862b579c29a42f741d314a5da9f9aa7de222760a03a4efc216a92d2e3c109e9d3f2d10c4df7840e416ba919f5ea |
memory/1844-17-0x00007FF8A4ED0000-0x00007FF8A50C5000-memory.dmp
memory/1844-20-0x000000007417E000-0x0000000074180000-memory.dmp
memory/1844-21-0x0000000074171000-0x000000007417F000-memory.dmp
memory/1844-24-0x0000000074171000-0x000000007417F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\coml.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/4928-26-0x0000000000CA0000-0x00000000013EB000-memory.dmp
memory/4928-28-0x00007FF8A4ED0000-0x00007FF8A50C5000-memory.dmp
memory/4928-29-0x0000000000CA0000-0x00000000013EB000-memory.dmp
memory/4928-32-0x0000000000CA0000-0x00000000013EB000-memory.dmp
memory/4928-33-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\FBFIJJEBKEBF\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\FBFIJJEBKEBF\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\EGDAEBGIDB.exe
| MD5 | 6cfddd5ce9ca4bb209bd5d8c2cd80025 |
| SHA1 | 424da82e9edbb6b39a979ab97d84239a1d67c48b |
| SHA256 | 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7 |
| SHA512 | d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8 |
memory/2536-114-0x00000000002A0000-0x00000000007B3000-memory.dmp
C:\ProgramData\AAKEGDAKEH.exe
| MD5 | daaff76b0baf0a1f9cec253560c5db20 |
| SHA1 | 0311cf0eeb4beddd2c69c6e97462595313a41e78 |
| SHA256 | 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c |
| SHA512 | 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3 |
memory/4484-125-0x0000000000720000-0x0000000000968000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6c0ba3b5
| MD5 | 8d443e7cb87cacf0f589ce55599e008f |
| SHA1 | c7ff0475a3978271e0a8417ac4a826089c083772 |
| SHA256 | e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a |
| SHA512 | c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5 |
C:\Users\Admin\AppData\Local\Temp\6ada8537
| MD5 | c62f812e250409fbd3c78141984270f2 |
| SHA1 | 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806 |
| SHA256 | d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8 |
| SHA512 | 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092 |
memory/2536-136-0x00000000725D0000-0x000000007274B000-memory.dmp
memory/4484-137-0x00000000725D0000-0x000000007274B000-memory.dmp
memory/2536-138-0x00007FF8A4ED0000-0x00007FF8A50C5000-memory.dmp
memory/4484-139-0x00007FF8A4ED0000-0x00007FF8A50C5000-memory.dmp
memory/4928-140-0x0000000000CA0000-0x00000000013EB000-memory.dmp
memory/4928-147-0x0000000000CA0000-0x00000000013EB000-memory.dmp
memory/4928-148-0x0000000000CA0000-0x00000000013EB000-memory.dmp
memory/2536-149-0x00000000725D0000-0x000000007274B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6f4bafa0
| MD5 | 4b62c9da2552d8c99ae12bb1adc20348 |
| SHA1 | 08319c92645f2c0a67875be86edd023219a5b337 |
| SHA256 | 57fc36ce2821eeab236bd84f1722e2ff300a534ee86dcf20dae0891d7d10cdaf |
| SHA512 | e8a4e30e17ae063ee2f38e9d228c128cfa89f0dc2f41184dc0a50cf325205be336959b9398ec676e534514472449a8d9454fca0937f27d99744990bf4460afa1 |
memory/4484-152-0x00000000725D0000-0x000000007274B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7202448b
| MD5 | 8945ba5562718897fbb4a550ecf1e4d1 |
| SHA1 | c972b3a4bfc89c733862ac3fe5fa5216889412da |
| SHA256 | e6773fca6207461699fa058a08574bbd86eda79e41ffbc0694734f308c271993 |
| SHA512 | cadffe3a8e45e94dc2cf086bd533b94091fb02e49203720948d45a5b9903f0e58c2618efa8ddddb40a75e8bfff8842f87cd6b0ad17b6811a1a2d38aa63c7c7f6 |
memory/5068-155-0x00007FF8A4ED0000-0x00007FF8A50C5000-memory.dmp
memory/4136-156-0x00007FF8A4ED0000-0x00007FF8A50C5000-memory.dmp
memory/4928-165-0x0000000000CA0000-0x00000000013EB000-memory.dmp
memory/4928-170-0x0000000000CA0000-0x00000000013EB000-memory.dmp
memory/4136-171-0x00000000725D0000-0x000000007274B000-memory.dmp
C:\ProgramData\FBFIJJEBKEBF\VCRUNT~1.DLL
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\FBFIJJEBKEBF\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\FBFIJJEBKEBF\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
memory/5068-186-0x00000000725D0000-0x000000007274B000-memory.dmp
memory/3956-190-0x00007FF8860C0000-0x00007FF887737000-memory.dmp