Malware Analysis Report

2024-11-16 13:50

Sample ID 240628-btt98stcpd
Target 6f130c92d80d32761afc569d500cd7f82aaaa753209cbb22773c79fdd72da663.zip
SHA256 6f130c92d80d32761afc569d500cd7f82aaaa753209cbb22773c79fdd72da663
Tags
execution stealc vidar discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral20, behavioral28, behavioral30, behavioral9, behavioral10, behavioral17, behavioral25, behavioral32, behavioral26, behavioral2, behavioral4, behavioral5, behavioral6, behavioral19, behavioral23, behavioral7, behavioral16, behavioral18, behavioral27, behavioral13, behavioral14, behavioral22, behavioral31, behavioral1, behavioral11, behavioral15, behavioral29, behavioral24, behavioral3, behavioral8, behavioral12, behavioral21 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

6f130c92d80d32761afc569d500cd7f82aaaa753209cbb22773c79fdd72da663

Threat Level: Known bad

The file 6f130c92d80d32761afc569d500cd7f82aaaa753209cbb22773c79fdd72da663.zip was found to be: Known bad.

Malicious Activity Summary

execution stealc vidar discovery spyware stealer

Vidar

Stealc

Detect Vidar Stealer

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads data files stored by FTP clients

Checks installed software on the system

Suspicious use of SetThreadContext

Command and Scripting Interpreter: JavaScript

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 01:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

98s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~32b5733f1.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~32b5733f1.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240611-en

Max time kernel

133s

Max time network

108s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~5303f55e9.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~5303f55e9.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
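Nearly every row in the Network tables of the wscript.exe runs is either a PTR query (a name under in-addr.arpa sent to 8.8.8.8:53) or a connection to bing.com/bing.net. The PTR queries are the analysis environment reverse-resolving the addresses the Windows image talked to, and the Bing endpoints are Edge/Windows background traffic; neither is an indicator for this sample, and after removing them no command-and-control endpoint remains in any detonation on this page. The script below is an example added by the editor, not sandbox output: it parses rows in the table's own format, separates reverse lookups and background domains from rows that still need a human look, and recovers the looked-up address from each PTR name. The background-domain list is an assumption for the example, and the last row (a TEST-NET-3 address and a reserved example domain) is constructed to exercise the review path; it is not from the report.

```python
import re
from collections import Counter

# Rows copied from the Network tables of behavioral28 and behavioral2 above,
# plus one constructed row (last entry) that is NOT from the report.
NETWORK_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.237:443 g.bing.com tcp",
    "NL 23.62.61.97:443 www.bing.com tcp",
    "US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 150.171.28.10:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp",
    "XX 203.0.113.10:443 c2.example.net tcp",  # constructed, TEST-NET-3 + reserved domain
]

# Country, destination ip:port, domain, protocol: the table's column order.
ROW_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (tcp|udp)$")

# Domains the sandbox's Windows image contacts on its own (Bing/Edge background
# traffic). Editor's assumption for this example, not the sandbox's allowlist.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")


def parse_row(line):
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised network row: {line!r}")
    country, ip, port, domain, proto = m.groups()
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def ptr_to_ip(domain):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217' (PTR labels are reversed)."""
    labels = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def classify(row):
    d = row["domain"].lower()
    if d.endswith(".in-addr.arpa"):
        return "reverse-dns"
    if any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES):
        return "background"
    return "review"


def triage(lines):
    """Bucket each row; return the counts, the addresses the environment
    reverse-resolved, and the rows an analyst still has to look at."""
    counts = Counter()
    resolved, review = [], []
    for line in lines:
        row = parse_row(line)
        bucket = classify(row)
        counts[bucket] += 1
        if bucket == "reverse-dns":
            resolved.append(ptr_to_ip(row["domain"]))
        elif bucket == "review":
            review.append(f'{row["ip"]}:{row["port"]}/{row["proto"]} {row["domain"]}')
    return {"counts": dict(counts), "resolved": resolved, "review": review}
```

Run on the report's own rows (everything but the constructed last entry) the review list is empty, which is the point: the stealer verdict on this page rests on the static signatures and the process behaviour in behavioral2, not on any observed exfiltration, so there is no network IOC to extract from it.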

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~57063afaa.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~57063afaa.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240611-en

Max time kernel

119s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~114e7a4e2.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~114e7a4e2.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~114e7a4e2.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~114e7a4e2.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~2dcc5aaf7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~2dcc5aaf7.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240611-en

Max time kernel

120s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4bfd2d106.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4bfd2d106.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

59s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~643d02cb5.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~643d02cb5.js

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4bfd2d106.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4bfd2d106.js

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240508-en

Max time kernel

56s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 rows, no details recorded)

Stealc

stealer stealc

Vidar

stealer vidar

Detects Windows executables referencing non-Windows User-Agents

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 rows, no details recorded)

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe | N/A (12 rows)
N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A (13 rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5056 set thread context of 4540 | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4704 wrote to memory of 4784 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe | C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe
PID 4784 wrote to memory of 5056 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe
PID 5056 wrote to memory of 4540 (4 rows) | N/A | C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe | C:\Windows\SysWOW64\more.com
PID 4540 wrote to memory of 3652 (4 rows) | N/A | C:\Windows\SysWOW64\more.com | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
PID 3652 wrote to memory of 2516 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher32.exe | C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 3124 (3 rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe

"C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe"

C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe

C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\Launcher32.exe

C:\Users\Admin\AppData\Local\Temp\Launcher32.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Launcher32.exe" & rd /s /q "C:\ProgramData\DAKFCGIJKJKF" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10
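The signature tables above record each WriteProcessMemory and SetThreadContext call as a separate row and leave the reader to join them into a chain. The script below is an example added by the editor, not sandbox output: it rebuilds the process chain from rows in the report's own format (Setup.exe to ImNotfy.exe to the copy under AppData\Roaming\pobug to more.com to Launcher32.exe to cmd.exe to timeout.exe), flags the one pair that is actually process hollowing (the Roaming ImNotfy.exe both writes into and sets the thread context of the Windows binary more.com; a parent writing into a child it has just spawned is what CreateProcess looks like to this instrumentation and is not alerted on by itself), and parses the cmd.exe command line to recover the self-delete delay and its targets. The SYSTEM_DIRS and USER_WRITABLE path heuristics are assumptions for the example.

```python
import re
from collections import defaultdict

# Event rows copied from the behavioral2 "Suspicious use of WriteProcessMemory"
# and "Suspicious use of SetThreadContext" tables above (repeated rows collapsed).
EVENTS = [
    r"PID 4704 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe",
    r"PID 4784 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe",
    r"PID 5056 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe C:\Windows\SysWOW64\more.com",
    r"PID 5056 set thread context of 4540 N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe C:\Windows\SysWOW64\more.com",
    r"PID 4540 wrote to memory of 3652 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Launcher32.exe",
    r"PID 3652 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\Launcher32.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2516 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe",
]
# The cmd.exe command line from the behavioral2 Processes list.
CMDLINE = (r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q '
           r'"C:\Users\Admin\AppData\Local\Temp\Launcher32.exe" & rd /s /q '
           r'"C:\ProgramData\DAKFCGIJKJKF" & exit')

EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")
# Assumed path heuristics (editor's choice, not the sandbox's): code living in a
# user-writable tree taking over a binary from a Windows system directory.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\")


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def parse_events(lines):
    """Return (pid -> image path, [(src_pid, verb, dst_pid), ...])."""
    images, edges = {}, []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # tolerate table headers and N/A rows
        src, verb, dst, src_img, dst_img = m.groups()
        images[int(src)] = src_img
        images[int(dst)] = dst_img
        edges.append((int(src), verb, int(dst)))
    return images, edges


def find_injections(images, edges):
    """Pairs where a user-writable image both wrote into and set the thread
    context of a system binary: WriteProcessMemory plus SetThreadContext on the
    same target is the process-hollowing pattern. A plain parent->child write
    (Setup.exe -> ImNotfy.exe) is ordinary CreateProcess and is not flagged."""
    wrote = {(s, d) for s, v, d in edges if v == "wrote to memory of"}
    ctx = {(s, d) for s, v, d in edges if v == "set thread context of"}
    return sorted((s, d) for s, d in wrote & ctx
                  if is_user_writable(images[s]) and is_system_binary(images[d]))


def process_chain(images, edges):
    """Image basenames in spawn order, following 'wrote to memory of' edges
    from each root (a PID that is never a target) down to the leaves."""
    children = defaultdict(list)
    for s, v, d in edges:
        if v == "wrote to memory of" and d not in children[s]:
            children[s].append(d)
    targets = {d for _, _, d in edges}
    chain = []

    def walk(pid):
        chain.append(images[pid].rsplit("\\", 1)[-1])
        for child in children[pid]:
            walk(child)

    for root in sorted(p for p in images if p not in targets):
        walk(root)
    return chain


# "timeout /t N & del <exe> & rd <dir>": delayed self-delete plus cleanup of a
# working directory, as in the cmd.exe line above.
SELF_DELETE_RE = re.compile(
    r'timeout\s+/t\s+(\d+).*?\bdel\s+(?:/\S+\s+)*"?([^"&]+?\.exe)"?'
    r'.*?\brd\s+(?:/\S+\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def find_self_delete(cmdline):
    """Return (delay_seconds, deleted_exe, removed_dir), or None if absent."""
    m = SELF_DELETE_RE.search(cmdline)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)
```

For triage, the two alertable signals in this run are the pair returned by find_injections (AppData\Roaming\pobug\ImNotfy.exe into more.com) and the self-delete line: Launcher32.exe removes itself ten seconds after it finishes and wipes C:\ProgramData\DAKFCGIJKJKF, so a responder should expect neither to be on disk and should take Launcher32.exe from the sandbox's Files list (hashes below) instead.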

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe

MD5 3eea73ea32478100a260cf5acf952878
SHA1 f2713d8ccf6a63a9ee2848e635ca1a3484e7ceb4
SHA256 4c3ad8d00ff2a4fe6aec3dfaa605e9b8d3f4a35e3cfe01a4a96405d7b25551c2
SHA512 4cef804c065ae8ac017a1a3d5af94d87adbe40519068c5b5f19d071df054087b10259f655215553445566843a62246752eb3d6c6901ab9ed26aed33a25a6d502

C:\Users\Admin\AppData\Local\Temp\ImUtilsU.dll

MD5 a7eaba8bc12b2b7ec2a41a4d9e45008a
SHA1 6a96a18bb4f1cd6196517713ed634f37f6b0362b
SHA256 914b1e53451b8be2c362d62514f28bdef46a133535d959b13f3f4bf3bc63df3a
SHA512 0ae7fbdb2677d92c62337aa17b60a4887240a4a426ba638c7633587f4582adbcda2bde5ec824aab1a3f69acf2b391118763842acfab856d3d9764850961a2ac8

C:\Users\Admin\AppData\Local\Temp\ImLookU.dll

MD5 3ea6d805a18715f7368363dea3cd3f4c
SHA1 30ffafc1dd447172fa91404f07038d759c412464
SHA256 a6766c524497144d585efa4fe384b516b563203427003508f7c8f6bffa7c928d
SHA512 a102f23741de4ca2184485d9aa4ddd1a36b9ea52cb0859cfd264d69a9996293b7e29b325625f1f6f9330d6c80ff415e09e85e1ae838c58acef585ae8dffe3070

C:\Users\Admin\AppData\Local\Temp\wlessfp1.dll

MD5 5120c44f241a12a3d5a3e87856477c13
SHA1 cd8a6ef728c48e17d570c8dc582ec49e17104f6d
SHA256 fbd4b6011d3d1c2af22827ca548ba19669eef31173d496e75f064ef7a884431c
SHA512 67c0e718368e950d42f007d6a21c6f903b084d6514f777b86aab3111ffe3be995949674276081c0281139a0b39119b84630a0ac341d4ae78677ac8346f371ae1

C:\Users\Admin\AppData\Local\Temp\ImWrappU.dll

MD5 cbf4827a5920a5f02c50f78ed46d0319
SHA1 b035770e9d9283c61f8f8bbc041e3add0197de7b
SHA256 7187903a9e4078f4d31f4b709a59d24eb6b417ea289f4f28eabce1ea2e713dce
SHA512 d1a285fb630f55df700a74e5222546656de7d2da7e1419e2936078340767d0bab343b603ba0d07140c790eb5d79a8a34b7818b90316ea06cb9f53cad86b6d3f5

C:\Users\Admin\AppData\Local\Temp\mfc80u.dll

MD5 ccc2e312486ae6b80970211da472268b
SHA1 025b52ff11627760f7006510e9a521b554230fee
SHA256 18be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a
SHA512 d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff

C:\Users\Admin\AppData\Local\Temp\IMHttpComm.dll

MD5 a70d91a9fd7b65baa0355ee559098bd8
SHA1 546127579c06ae0ae4f63f216da422065a859e2f
SHA256 96d6264b26decf6595ca6f0584a1b60589ec5dacdf03ddf5fbb6104a6afc9e7a
SHA512 f13b735a47090c7c6cc6c2bf9148408ee6db179c96ee6428270541f27e50ad12cff7486f3a6ffac2ba83fd2e6e8e49661e6258f5aee97eb0f48771cbbd22aefa

C:\Users\Admin\AppData\Local\Temp\SftTree_IX86_U_60.dll

MD5 57bf106e5ec51b703b83b69a402dc39f
SHA1 bd4cfab7c50318607326504cc877c0bc84ef56ef
SHA256 24f2399fc83198ab8d63ee6a1ad6ffbd1eda4d38048d3e809fecd2a3e0709671
SHA512 8bf60649ece6bbb66c7b94ed0d9214fbeab030d5813e1e7b5d6d2349ee1de9075b7dfbbbbeae5af0dc21b071a00eafce0771ca1804e6752e9a71e71e6b1447df

C:\Users\Admin\AppData\Local\Temp\ImNtUtilU.dll

MD5 bb326fe795e2c1c19cd79f320e169fd3
SHA1 1c1f2b8d98f01870455712e6eba26d77753adcac
SHA256 a8e1b0e676dce9556037d29fd96521ec814858404ba4cfdd0db0edbe22c87bc7
SHA512 a1ec894151baa14e4ac1ee9471e8606bf74edd39f7833d9a1a44eee74d403f6b52780c135e9718ff9564fa27d7128c22b8410b21f77e6d804f698cfb4eda65a1

C:\Users\Admin\AppData\Local\Temp\ImLookExU.dll

MD5 6f2b4c12ceb2557adf0f18a87078214f
SHA1 374dfbd3a6f3ec59757408c7485bd658a2b0776e
SHA256 89f13c536f8e99e845f58c5021372acb4b3003045f23648306740aabf966dfb4
SHA512 0c675a35ff6a1b6c7ffb86736ae12ee11b9f5a83c0c05a85a74aadac71a0def8df247514c0bc5f2a7613e19a7232cc9a64164c0a4121ae845b8d180f7dfe247b

memory/4784-63-0x0000000000A50000-0x0000000000ADE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\debug.xls

MD5 ec96543c55bbb31e048c4a4b226837a9
SHA1 d992f214a039756a3f55d8f961a112f5fbb539af
SHA256 ae7548c38fdf14d79acd429c3bdbcff273bac953a04537b9755277d6decbca74
SHA512 a541781cbcd663335e7496bf68d59a86e3b36ce4e40d517c3697b94869cedb25516bddd5e08f929653c9791f1401a42d923d82deba41fc84284923b4913b6023

C:\Users\Admin\AppData\Local\Temp\anon.htm

MD5 2d4c089e1981ada86a3f301d5f4c0d21
SHA1 e21c400bc5c0aeb36a308192d872c8940ab38b6c
SHA256 7e0b95bd41d040bacc1cf1a7d6e12e2ee5e74609c30c91fbcc35916aea47091b
SHA512 c2d97c071161b144f36e9d1ad03aaae8f93b3d2b4178c52ce97905e73f09baf39a506f4f713c63397640e5018ee8bd63382133259cab0dca490d7517240606b4

memory/4784-67-0x0000000073420000-0x000000007359B000-memory.dmp

memory/4784-68-0x00007FF965490000-0x00007FF965685000-memory.dmp

memory/5056-113-0x0000000000A40000-0x0000000000ACE000-memory.dmp

memory/5056-118-0x0000000075750000-0x00000000758CB000-memory.dmp

memory/5056-119-0x00007FF965490000-0x00007FF965685000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msvcr80.dll

MD5 e4fece18310e23b1d8fee993e35e7a6f
SHA1 9fd3a7f0522d36c2bf0e64fc510c6eea3603b564
SHA256 02bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9
SHA512 2fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc

C:\Users\Admin\AppData\Local\Temp\msvcp80.dll

MD5 4c8a880eabc0b4d462cc4b2472116ea1
SHA1 d0a27f553c0fe0e507c7df079485b601d5b592e6
SHA256 2026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08
SHA512 6a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c

C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.MFC.manifest

MD5 97b859f11538bbe20f17dfb9c0979a1c
SHA1 2593ad721d7be3821fd0b40611a467db97be8547
SHA256 4ed3ba814de7fd08b4e4c6143d144e603536c343602e1071803b86e58391be36
SHA512 905c7879df47559ad271dc052ef8ae38555eac49e8ac516bc011624bf9a622eb10ee5c6a06fbd3e5c0fa956a0d38f03f6808c1c58ee57813818fe8b8319a3541

C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.CRT.manifest

MD5 541423a06efdcd4e4554c719061f82cf
SHA1 2e12c6df7352c3ed3c61a45baf68eace1cc9546e
SHA256 17ad1a64ba1c382abf89341b40950f9b31f95015c6b0d3e25925bfebc1b53eb5
SHA512 11cf735dcddba72babb9de8f59e0c180a9fec8268cbfca09d17d8535f1b92c17bf32acda86499e420cbe7763a96d6067feb67fa1ed745067ab326fd5b84188c6

memory/5056-120-0x0000000075750000-0x00000000758CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aec6277b

MD5 4254cced798c64224e8ab0e5c96dedff
SHA1 c6da495d2315435f2432cf12af9ea2ee40c1a7bc
SHA256 e82fb9c16fe929c6421a953c2d4a84e77aed7cdc25dbef105b750d5fcc4c05f7
SHA512 9ee9eed1faec49c5321fe1f45167349d5d59fdf63978615313946652df32157c112b96d3a18869c20194f4a5d655573887b8b0f817971f3682d5aa1a40c4214c

memory/4540-123-0x00007FF965490000-0x00007FF965685000-memory.dmp

memory/4540-125-0x0000000075750000-0x00000000758CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Launcher32.exe

MD5 de0ea31558536ca7e3164c3cd4578bf5
SHA1 5cc890c3ade653bb1ed1e53dabb0410602ee52df
SHA256 6e599490e164505af796569dce30e18218b179b2b791fe69764892b3ed3e7478
SHA512 c47299cd5f3b4961f423c2ca1fef5a33eb4b0f63dc232af70ef9da39f6f82270406061dd543461de7e47abd1244e26d6190de6035120211b27d4c23f97a25aba

memory/3652-130-0x00007FF965490000-0x00007FF965685000-memory.dmp

memory/3652-131-0x0000000001000000-0x000000000174B000-memory.dmp

memory/3652-135-0x0000000001000000-0x000000000174B000-memory.dmp

memory/3652-137-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3652-148-0x0000000001000000-0x000000000174B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240611-en

Max time kernel

134s

Max time network

133s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~00299a408.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~00299a408.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20231129-en

Max time kernel

118s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~05c32d390.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~05c32d390.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

98s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~05c32d390.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~05c32d390.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240508-en

Max time kernel

122s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~32b5733f1.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~32b5733f1.js

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240220-en

Max time kernel

119s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4611591fd.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4611591fd.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240508-en

Max time kernel

117s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~074e593a7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~074e593a7.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240611-en

Max time kernel

132s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~1e47f672e.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~1e47f672e.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=1328 /prefetch:8

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~2dcc5aaf7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~2dcc5aaf7.js

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~5303f55e9.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~5303f55e9.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~13bdaad06.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~13bdaad06.js

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~13bdaad06.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~13bdaad06.js

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:30

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

176s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~3fde5681b.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~3fde5681b.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240508-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~643d02cb5.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~643d02cb5.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Stealc

stealer stealc

Vidar

stealer vidar

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2520 set thread context of 696 N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Launcher32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Launcher32.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe
PID 1668 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe
PID 1668 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe
PID 1668 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe
PID 2796 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe
PID 2796 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe
PID 2796 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe
PID 2796 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe
PID 2520 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe C:\Windows\SysWOW64\more.com
PID 2520 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe C:\Windows\SysWOW64\more.com
PID 2520 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe C:\Windows\SysWOW64\more.com
PID 2520 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe C:\Windows\SysWOW64\more.com
PID 2520 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe C:\Windows\SysWOW64\more.com
PID 696 wrote to memory of 1600 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
PID 696 wrote to memory of 1600 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
PID 696 wrote to memory of 1600 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
PID 696 wrote to memory of 1600 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
PID 696 wrote to memory of 1600 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
PID 696 wrote to memory of 1600 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
PID 696 wrote to memory of 1600 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
PID 696 wrote to memory of 1600 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Launcher32.exe
PID 1600 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Launcher32.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Launcher32.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Launcher32.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Launcher32.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Launcher32.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Launcher32.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Launcher32.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1676 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1676 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1676 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1676 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1676 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1676 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe

"C:\Users\Admin\AppData\Local\Temp\ImNotfy.exe"

C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe

C:\Users\Admin\AppData\Roaming\pobug\ImNotfy.exe

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\Launcher32.exe

C:\Users\Admin\AppData\Local\Temp\Launcher32.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "" & rd /s /q "C:\ProgramData\BFHIJEBKEBGH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 aliszon.xyz udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 tea.arpdabl.org udp

Files

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240220-en

Max time kernel

120s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~11d764003.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~11d764003.js

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240221-en

Max time kernel

121s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~1e47f672e.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~1e47f672e.js

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20231129-en

Max time kernel

120s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~57063afaa.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~57063afaa.js

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240611-en

Max time kernel

129s

Max time network

130s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4611591fd.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~4611591fd.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240220-en

Max time kernel

121s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~00299a408.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~00299a408.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:30

Platform

win10v2004-20240226-en

Max time kernel

161s

Max time network

175s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~074e593a7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~074e593a7.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4220 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~11d764003.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~11d764003.js

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-28 01:26

Reported

2024-06-28 01:29

Platform

win7-20240611-en

Max time kernel

117s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~3fde5681b.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\#!~#0Pen_2025_P@$SW0RD!~!~\autocompletion\libraries\libraries~3fde5681b.js

Network

N/A

Files

N/A