Analysis Overview
SHA256
6f130c92d80d32761afc569d500cd7f82aaaa753209cbb22773c79fdd72da663
Threat Level: Known bad
The file 6f130c92d80d32761afc569d500cd7f82aaaa753209cbb22773c79fdd72da663.zip was found to be: Known bad.
Malicious Activity Summary
Vidar
Stealc
Detect Vidar Stealer
Detects Windows executables referencing non-Windows User-Agents
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Checks installed software on the system
Suspicious use of SetThreadContext
Command and Scripting Interpreter: JavaScript
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 01:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
98s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~32b5733f1.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240611-en
Max time kernel
133s
Max time network
108s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~5303f55e9.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
154s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~57063afaa.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240611-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~114e7a4e2.js
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~114e7a4e2.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~2dcc5aaf7.js
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240611-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4bfd2d106.js
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
59s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~643d02cb5.js
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
54s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4bfd2d106.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240508-en
Max time kernel
56s
Max time network
53s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5056 set thread context of 4540 | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | C:\Windows\SysWOW64\more.com |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe
"C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe"
C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe
C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Launcher32.exe" & rd /s /q "C:\ProgramData\DAKFCGIJKJKF" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe
| MD5 | 3eea73ea32478100a260cf5acf952878 |
| SHA1 | f2713d8ccf6a63a9ee2848e635ca1a3484e7ceb4 |
| SHA256 | 4c3ad8d00ff2a4fe6aec3dfaa605e9b8d3f4a35e3cfe01a4a96405d7b25551c2 |
| SHA512 | 4cef804c065ae8ac017a1a3d5af94d87adbe40519068c5b5f19d071df054087b10259f655215553445566843a62246752eb3d6c6901ab9ed26aed33a25a6d502 |
C:\Users\Admin\AppData\Local\Temp\ImUtilsU.dll
| MD5 | a7eaba8bc12b2b7ec2a41a4d9e45008a |
| SHA1 | 6a96a18bb4f1cd6196517713ed634f37f6b0362b |
| SHA256 | 914b1e53451b8be2c362d62514f28bdef46a133535d959b13f3f4bf3bc63df3a |
| SHA512 | 0ae7fbdb2677d92c62337aa17b60a4887240a4a426ba638c7633587f4582adbcda2bde5ec824aab1a3f69acf2b391118763842acfab856d3d9764850961a2ac8 |
C:\Users\Admin\AppData\Local\Temp\ImLookU.dll
| MD5 | 3ea6d805a18715f7368363dea3cd3f4c |
| SHA1 | 30ffafc1dd447172fa91404f07038d759c412464 |
| SHA256 | a6766c524497144d585efa4fe384b516b563203427003508f7c8f6bffa7c928d |
| SHA512 | a102f23741de4ca2184485d9aa4ddd1a36b9ea52cb0859cfd264d69a9996293b7e29b325625f1f6f9330d6c80ff415e09e85e1ae838c58acef585ae8dffe3070 |
C:\Users\Admin\AppData\Local\Temp\wlessfp1.dll
| MD5 | 5120c44f241a12a3d5a3e87856477c13 |
| SHA1 | cd8a6ef728c48e17d570c8dc582ec49e17104f6d |
| SHA256 | fbd4b6011d3d1c2af22827ca548ba19669eef31173d496e75f064ef7a884431c |
| SHA512 | 67c0e718368e950d42f007d6a21c6f903b084d6514f777b86aab3111ffe3be995949674276081c0281139a0b39119b84630a0ac341d4ae78677ac8346f371ae1 |
C:\Users\Admin\AppData\Local\Temp\ImWrappU.dll
| MD5 | cbf4827a5920a5f02c50f78ed46d0319 |
| SHA1 | b035770e9d9283c61f8f8bbc041e3add0197de7b |
| SHA256 | 7187903a9e4078f4d31f4b709a59d24eb6b417ea289f4f28eabce1ea2e713dce |
| SHA512 | d1a285fb630f55df700a74e5222546656de7d2da7e1419e2936078340767d0bab343b603ba0d07140c790eb5d79a8a34b7818b90316ea06cb9f53cad86b6d3f5 |
C:\Users\Admin\AppData\Local\Temp\mfc80u.dll
| MD5 | ccc2e312486ae6b80970211da472268b |
| SHA1 | 025b52ff11627760f7006510e9a521b554230fee |
| SHA256 | 18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a |
| SHA512 | d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff |
C:\Users\Admin\AppData\Local\Temp\IMHttpComm.dll
| MD5 | a70d91a9fd7b65baa0355ee559098bd8 |
| SHA1 | 546127579c06ae0ae4f63f216da422065a859e2f |
| SHA256 | 96d6264b26decf6595ca6f0584a1b60589ec5dacdf03ddf5fbb6104a6afc9e7a |
| SHA512 | f13b735a47090c7c6cc6c2bf9148408ee6db179c96ee6428270541f27e50ad12cff7486f3a6ffac2ba83fd2e6e8e49661e6258f5aee97eb0f48771cbbd22aefa |
C:\Users\Admin\AppData\Local\Temp\SftTree_IX86_U_60.dll
| MD5 | 57bf106e5ec51b703b83b69a402dc39f |
| SHA1 | bd4cfab7c50318607326504cc877c0bc84ef56ef |
| SHA256 | 24f2399fc83198ab8d63ee6a1ad6ffbd1eda4d38048d3e809fecd2a3e0709671 |
| SHA512 | 8bf60649ece6bbb66c7b94ed0d9214fbeab030d5813e1e7b5d6d2349ee1de9075b7dfbbbbeae5af0dc21b071a00eafce0771ca1804e6752e9a71e71e6b1447df |
C:\Users\Admin\AppData\Local\Temp\ImNtUtilU.dll
| MD5 | bb326fe795e2c1c19cd79f320e169fd3 |
| SHA1 | 1c1f2b8d98f01870455712e6eba26d77753adcac |
| SHA256 | a8e1b0e676dce9556037d29fd96521ec814858404ba4cfdd0db0edbe22c87bc7 |
| SHA512 | a1ec894151baa14e4ac1ee9471e8606bf74edd39f7833d9a1a44eee74d403f6b52780c135e9718ff9564fa27d7128c22b8410b21f77e6d804f698cfb4eda65a1 |
C:\Users\Admin\AppData\Local\Temp\ImLookExU.dll
| MD5 | 6f2b4c12ceb2557adf0f18a87078214f |
| SHA1 | 374dfbd3a6f3ec59757408c7485bd658a2b0776e |
| SHA256 | 89f13c536f8e99e845f58c5021372acb4b3003045f23648306740aabf966dfb4 |
| SHA512 | 0c675a35ff6a1b6c7ffb86736ae12ee11b9f5a83c0c05a85a74aadac71a0def8df247514c0bc5f2a7613e19a7232cc9a64164c0a4121ae845b8d180f7dfe247b |
memory/4784-63-0x0000000000A50000-0x0000000000ADE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\debug.xls
| MD5 | ec96543c55bbb31e048c4a4b226837a9 |
| SHA1 | d992f214a039756a3f55d8f961a112f5fbb539af |
| SHA256 | ae7548c38fdf14d79acd429c3bdbcff273bac953a04537b9755277d6decbca74 |
| SHA512 | a541781cbcd663335e7496bf68d59a86e3b36ce4e40d517c3697b94869cedb25516bddd5e08f929653c9791f1401a42d923d82deba41fc84284923b4913b6023 |
C:\Users\Admin\AppData\Local\Temp\anon.htm
| MD5 | 2d4c089e1981ada86a3f301d5f4c0d21 |
| SHA1 | e21c400bc5c0aeb36a308192d872c8940ab38b6c |
| SHA256 | 7e0b95bd41d040bacc1cf1a7d6e12e2ee5e74609c30c91fbcc35916aea47091b |
| SHA512 | c2d97c071161b144f36e9d1ad03aaae8f93b3d2b4178c52ce97905e73f09baf39a506f4f713c63397640e5018ee8bd63382133259cab0dca490d7517240606b4 |
memory/4784-67-0x0000000073420000-0x000000007359B000-memory.dmp
memory/4784-68-0x00007FF965490000-0x00007FF965685000-memory.dmp
memory/5056-113-0x0000000000A40000-0x0000000000ACE000-memory.dmp
memory/5056-118-0x0000000075750000-0x00000000758CB000-memory.dmp
memory/5056-119-0x00007FF965490000-0x00007FF965685000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\msvcr80.dll
| MD5 | e4fece18310e23b1d8fee993e35e7a6f |
| SHA1 | 9fd3a7f0522d36c2bf0e64fc510c6eea3603b564 |
| SHA256 | 02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9 |
| SHA512 | 2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc |
C:\Users\Admin\AppData\Local\Temp\msvcp80.dll
| MD5 | 4c8a880eabc0b4d462cc4b2472116ea1 |
| SHA1 | d0a27f553c0fe0e507c7df079485b601d5b592e6 |
| SHA256 | 2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08 |
| SHA512 | 6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c |
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.MFC.manifest
| MD5 | 97b859f11538bbe20f17dfb9c0979a1c |
| SHA1 | 2593ad721d7be3821fd0b40611a467db97be8547 |
| SHA256 | 4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36 |
| SHA512 | 905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541 |
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.CRT.manifest
| MD5 | 541423a06efdcd4e4554c719061f82cf |
| SHA1 | 2e12c6df7352c3ed3c61a45baf68eace1cc9546e |
| SHA256 | 17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5 |
| SHA512 | 11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6 |
memory/5056-120-0x0000000075750000-0x00000000758CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aec6277b
| MD5 | 4254cced798c64224e8ab0e5c96dedff |
| SHA1 | c6da495d2315435f2432cf12af9ea2ee40c1a7bc |
| SHA256 | e82fb9c16fe929c6421a953c2d4a84e77aed7cdc25dbef105b750d5fcc4c05f7 |
| SHA512 | 9ee9eed1faec49c5321fe1f45167349d5d59fdf63978615313946652df32157c112b96d3a18869c20194f4a5d655573887b8b0f817971f3682d5aa1a40c4214c |
memory/4540-123-0x00007FF965490000-0x00007FF965685000-memory.dmp
memory/4540-125-0x0000000075750000-0x00000000758CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
| MD5 | de0ea31558536ca7e3164c3cd4578bf5 |
| SHA1 | 5cc890c3ade653bb1ed1e53dabb0410602ee52df |
| SHA256 | 6e599490e164505af796569dce30e18218b179b2b791fe69764892b3ed3e7478 |
| SHA512 | c47299cd5f3b4961f423c2ca1fef5a33eb4b0f63dc232af70ef9da39f6f82270406061dd543461de7e47abd1244e26d6190de6035120211b27d4c23f97a25aba |
memory/3652-130-0x00007FF965490000-0x00007FF965685000-memory.dmp
memory/3652-131-0x0000000001000000-0x000000000174B000-memory.dmp
memory/3652-135-0x0000000001000000-0x000000000174B000-memory.dmp
memory/3652-137-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3652-148-0x0000000001000000-0x000000000174B000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240611-en
Max time kernel
134s
Max time network
133s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~00299a408.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20231129-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~05c32d390.js
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
98s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~05c32d390.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240508-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~32b5733f1.js
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240220-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4611591fd.js
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240508-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~074e593a7.js
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240611-en
Max time kernel
132s
Max time network
128s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~1e47f672e.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=1328 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.141.79.40.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~2dcc5aaf7.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~5303f55e9.js
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240508-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~13bdaad06.js
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~13bdaad06.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:30
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
176s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~3fde5681b.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 13.107.253.67:443 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240508-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~643d02cb5.js
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240508-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2520 set thread context of 696 | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | C:\Windows\SysWOW64\more.com |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe
"C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe"
C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe
C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "" & rd /s /q "C:\ProgramData\BFHIJEBKEBGH" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | aliszon.xyz | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | tea.arpdabl.org | udp |
Files
\Users\Admin\AppData\Local\Temp\ImNotfy.exe
C:\Users\Admin\AppData\Local\Temp\ImUtilsU.dll
C:\Users\Admin\AppData\Local\Temp\ImNtUtilU.dll
C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL
\Users\Admin\AppData\Local\Temp\ImLookU.dll
\Users\Admin\AppData\Local\Temp\IMHttpComm.dll
C:\Users\Admin\AppData\Local\Temp\wlessfp1.dll
\Users\Admin\AppData\Local\Temp\ImWrappU.dll
\Users\Admin\AppData\Local\Temp\ImLookExU.dll
\Users\Admin\AppData\Local\Temp\SftTree_IX86_U_60.dll
C:\Users\Admin\AppData\Local\Temp\anon.htm
C:\Users\Admin\AppData\Local\Temp\debug.xls
C:\Users\Admin\AppData\Local\Temp\msvcp80.dll
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.MFC.manifest
C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.CRT.manifest
C:\Users\Admin\AppData\Local\Temp\msvcr80.dll
C:\Users\Admin\AppData\Local\Temp\af3fbd7e
\Users\Admin\AppData\Local\Temp\Launcher32.exe
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240220-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~11d764003.js
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240221-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~1e47f672e.js
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20231129-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~57063afaa.js
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240611-en
Max time kernel
129s
Max time network
130s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4611591fd.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240220-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~00299a408.js
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:30
Platform
win10v2004-20240226-en
Max time kernel
161s
Max time network
175s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~074e593a7.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4220 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.141.79.40.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
54s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~11d764003.js
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-28 01:26
Reported
2024-06-28 01:29
Platform
win7-20240611-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~3fde5681b.js