Malware Analysis Report

2025-01-22 09:22

Sample ID 240705-xm6wcawbqb
Target https://www.mediafire.com/file/4t1o5c98va7jasb/Script.rar/file
Tags
redline @ljagyxa discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://www.mediafire.com/file/4t1o5c98va7jasb/Script.rar/file was found to be: Known bad.

Malicious Activity Summary

redline @ljagyxa discovery infostealer spyware stealer

RedLine

RedLine payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-05 18:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 18:59

Reported

2024-07-05 19:00

Platform

win10v2004-20240704-en

Max time kernel

85s

Max time network

94s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/4t1o5c98va7jasb/Script.rar/file

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5660 wrote to memory of 5800 N/A C:\Users\Admin\Downloads\Script\Script.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5920 wrote to memory of 6048 N/A C:\Users\Admin\Downloads\Script\Script.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5992 wrote to memory of 6100 N/A C:\Users\Admin\Downloads\Script\Script.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5800 wrote to memory of 3736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\conhost.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/4t1o5c98va7jasb/Script.rar/file

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4716,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4816,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4764,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5524,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5536,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6072,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5936,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=6180 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6068,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6036,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6772,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6512,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=7120,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7432,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=7440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7776,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=7744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7784,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=7816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=5156,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=8136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=8108,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=8064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7588,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=7952 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7176,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=8536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.87\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.87\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=7516,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=7788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=7800,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=8124 /prefetch:1

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=7788,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=7496 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Script\" -spe -an -ai#7zMap18777:74:7zEvent15319

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=7876,i,18341222626402534844,12352985901844242237,262144 --variations-seed-version --mojo-platform-channel-handle=7852 /prefetch:1

C:\Users\Admin\Downloads\Script\Script.exe

"C:\Users\Admin\Downloads\Script\Script.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Downloads\Script\Script.exe

"C:\Users\Admin\Downloads\Script\Script.exe"

C:\Users\Admin\Downloads\Script\Script.exe

"C:\Users\Admin\Downloads\Script\Script.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\conhost.exe

"C:\Users\Admin\AppData\Local\Temp\conhost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p1404753551733818025492326517 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

Network

Country Destination Domain Proto
US 8.8.8.8:53 htlb.casalemedia.com udp
US 8.8.8.8:53 htlb.casalemedia.com udp
US 8.8.8.8:53 hb.yellowblue.io udp
US 8.8.8.8:53 hb.yellowblue.io udp
US 8.8.8.8:53 prebid.smilewanted.com udp
US 8.8.8.8:53 prebid.smilewanted.com udp
US 8.8.8.8:53 prebid.a-mo.net udp
US 8.8.8.8:53 prebid.a-mo.net udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 prebid.cootlogix.com udp
US 8.8.8.8:53 prebid.cootlogix.com udp
NL 185.64.189.112:443 hbopenbid.pubmatic.com tcp
US 104.18.36.155:443 htlb.casalemedia.com tcp
DE 18.194.204.163:443 btlr.sharethrough.com tcp
DE 18.194.204.163:443 btlr.sharethrough.com tcp
DE 18.194.204.163:443 btlr.sharethrough.com tcp
DE 18.194.204.163:443 btlr.sharethrough.com tcp
DE 18.194.204.163:443 btlr.sharethrough.com tcp
US 107.151.11.18:443 ghb.adtelligent.com tcp
DE 51.75.86.98:443 onetag-sys.com tcp
FR 185.255.84.150:443 hb-api.omnitagjs.com tcp
US 167.172.136.25:443 prebid.cootlogix.com tcp
US 167.172.136.25:443 prebid.cootlogix.com tcp
US 167.172.136.25:443 prebid.cootlogix.com tcp
US 167.172.136.25:443 prebid.cootlogix.com tcp
US 167.172.136.25:443 prebid.cootlogix.com tcp
GB 108.138.217.110:443 hb.yellowblue.io tcp
NL 145.40.97.66:443 prebid.a-mo.net tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 8.8.8.8:53 google-bidout-d.openx.net udp
US 8.8.8.8:53 google-bidout-d.openx.net udp
US 8.8.8.8:53 google-bidout-d.openx.net udp
US 8.8.8.8:53 www.mediafire.com udp
US 34.98.64.218:443 google-bidout-d.openx.net tcp
US 34.98.64.218:443 google-bidout-d.openx.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.178.1:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 2.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 150.220.33.3.in-addr.arpa udp
US 8.8.8.8:53 229.129.101.151.in-addr.arpa udp
US 8.8.8.8:53 192.146.102.34.in-addr.arpa udp
US 8.8.8.8:53 234.23.67.172.in-addr.arpa udp
US 8.8.8.8:53 87.70.96.34.in-addr.arpa udp
US 8.8.8.8:53 89.152.64.172.in-addr.arpa udp
US 8.8.8.8:53 55.133.120.34.in-addr.arpa udp
US 8.8.8.8:53 3.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 11.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 37.62.75.3.in-addr.arpa udp
US 8.8.8.8:53 65.98.95.141.in-addr.arpa udp
US 8.8.8.8:53 106.38.67.172.in-addr.arpa udp
US 8.8.8.8:53 11.255.245.18.in-addr.arpa udp
US 8.8.8.8:53 47.216.127.79.in-addr.arpa udp
US 8.8.8.8:53 143.107.120.34.in-addr.arpa udp
US 8.8.8.8:53 46.227.127.79.in-addr.arpa udp
US 8.8.8.8:53 82.138.19.162.in-addr.arpa udp
US 8.8.8.8:53 155.36.18.104.in-addr.arpa udp
US 8.8.8.8:53 112.189.64.185.in-addr.arpa udp
US 8.8.8.8:53 209.30.22.104.in-addr.arpa udp
US 8.8.8.8:53 110.217.138.108.in-addr.arpa udp
US 8.8.8.8:53 163.204.194.18.in-addr.arpa udp
US 8.8.8.8:53 98.86.75.51.in-addr.arpa udp
US 8.8.8.8:53 18.11.151.107.in-addr.arpa udp
US 8.8.8.8:53 218.64.98.34.in-addr.arpa udp
US 8.8.8.8:53 25.136.172.167.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 104.18.36.155:443 htlb.casalemedia.com udp
US 8.8.8.8:53 ghb1.adtelligent.com udp
US 8.8.8.8:53 ghb1.adtelligent.com udp
DE 51.75.86.98:443 onetag-sys.com udp
US 23.227.151.242:443 ghb1.adtelligent.com tcp
US 8.8.8.8:53 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com udp
US 8.8.8.8:53 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com udp
US 8.8.8.8:53 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com udp
US 8.8.8.8:53 www.mediafire.com udp
GB 142.250.180.1:443 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com tcp
GB 142.250.180.1:443 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com tcp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 www.mediafire.com udp
NL 178.250.1.11:443 gum.criteo.com tcp
NL 178.250.1.11:443 gum.criteo.com tcp
US 8.8.8.8:53 dnacdn.net udp
US 8.8.8.8:53 dnacdn.net udp
US 8.8.8.8:53 ag.gbc.criteo.com udp
US 8.8.8.8:53 ag.gbc.criteo.com udp
US 8.8.8.8:53 gem.gbc.criteo.com udp
US 8.8.8.8:53 gem.gbc.criteo.com udp
FR 185.235.86.155:443 ag.gbc.criteo.com tcp
NL 185.235.87.164:443 gem.gbc.criteo.com tcp
FR 178.250.7.13:443 dnacdn.net tcp
US 172.67.142.121:443 bshr.ezodn.com udp
US 8.8.8.8:53 cdn.ampproject.org udp
US 8.8.8.8:53 cdn.ampproject.org udp
GB 142.250.178.1:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 download2300.mediafire.com udp
US 8.8.8.8:53 download2300.mediafire.com udp
GB 216.58.201.97:443 cdn.ampproject.org tcp
GB 216.58.201.97:443 cdn.ampproject.org tcp
GB 216.58.201.97:443 cdn.ampproject.org tcp
GB 216.58.201.97:443 cdn.ampproject.org tcp
GB 216.58.201.97:443 cdn.ampproject.org tcp
US 199.91.155.41:443 download2300.mediafire.com tcp
US 8.8.8.8:53 150.84.255.185.in-addr.arpa udp
US 8.8.8.8:53 226.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 242.151.227.23.in-addr.arpa udp
US 8.8.8.8:53 1.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 155.86.235.185.in-addr.arpa udp
US 8.8.8.8:53 164.87.235.185.in-addr.arpa udp
US 8.8.8.8:53 13.7.250.178.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 216.239.34.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 download2300.mediafire.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 199.91.155.41:443 download2300.mediafire.com tcp
US 104.16.52.110:443 otnolatrnup.com udp
GB 142.250.178.1:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 dl-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 41.155.91.199.in-addr.arpa udp
US 8.8.8.8:53 110.52.16.104.in-addr.arpa udp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 woreppercomming.com udp
US 8.8.8.8:53 woreppercomming.com udp
GB 18.165.227.106:443 woreppercomming.com tcp
US 8.8.8.8:53 www.chancial.com udp
US 8.8.8.8:53 www.chancial.com udp
US 8.8.8.8:53 www.chancial.com udp
US 104.21.79.34:443 www.chancial.com udp
US 8.8.8.8:53 www.opera.com udp
US 8.8.8.8:53 www.opera.com udp
US 8.8.8.8:53 www.opera.com udp
DE 18.198.247.158:443 www.opera.com tcp
US 8.8.8.8:53 cdn-production-opera-website.operacdn.com udp
US 8.8.8.8:53 cdn-production-opera-website.operacdn.com udp
US 8.8.8.8:53 www.googleoptimize.com udp
US 8.8.8.8:53 www.googleoptimize.com udp
GB 2.22.132.239:443 cdn-production-opera-website.operacdn.com tcp
GB 2.22.132.239:443 cdn-production-opera-website.operacdn.com tcp
GB 2.22.132.239:443 cdn-production-opera-website.operacdn.com tcp
GB 2.22.132.239:443 cdn-production-opera-website.operacdn.com tcp
GB 2.22.132.239:443 cdn-production-opera-website.operacdn.com tcp
GB 2.22.132.239:443 cdn-production-opera-website.operacdn.com tcp
GB 172.217.169.46:443 www.googleoptimize.com tcp
US 8.8.8.8:53 106.227.165.18.in-addr.arpa udp
US 8.8.8.8:53 34.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 158.247.198.18.in-addr.arpa udp
US 8.8.8.8:53 www-static.operacdn.com udp
US 8.8.8.8:53 www-static.operacdn.com udp
GB 2.22.132.239:443 cdn-production-opera-website.operacdn.com tcp
US 8.8.8.8:53 www-static.operacdn.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
DE 18.198.247.158:443 www.opera.com tcp
US 8.8.8.8:53 woreppercomming.com udp
US 8.8.8.8:53 woreppercomming.com udp
US 8.8.8.8:53 www.chancial.com udp
US 8.8.8.8:53 www.chancial.com udp
GB 172.217.169.46:443 www.googleoptimize.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
GB 18.165.227.80:443 woreppercomming.com tcp
US 104.16.52.110:443 otnolatrnup.com udp
US 172.67.141.135:443 www.chancial.com udp
US 8.8.8.8:53 239.132.22.2.in-addr.arpa udp
US 8.8.8.8:53 2.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 135.141.67.172.in-addr.arpa udp
US 8.8.8.8:53 80.227.165.18.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
DE 18.194.204.163:443 btlr.sharethrough.com tcp
FR 185.255.84.150:443 hb-api.omnitagjs.com tcp
US 107.151.11.18:443 ghb1.adtelligent.com tcp
US 23.227.151.242:443 ghb1.adtelligent.com tcp
US 8.8.8.8:53 ghb2.adtelligent.com udp
US 23.227.151.242:443 ghb2.adtelligent.com tcp
GB 172.217.169.34:443 googleads.g.doubleclick.net udp
US 172.67.142.121:443 bshr.ezodn.com udp
GB 142.250.178.1:443 tpc.googlesyndication.com udp
GB 142.250.178.1:443 tpc.googlesyndication.com udp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.1:443 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com udp
US 8.8.8.8:53 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com udp
US 8.8.8.8:53 www.mediafire.com udp
GB 142.250.180.1:443 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com udp
GB 142.250.187.194:443 googleads.g.doubleclick.net udp
GB 142.250.180.2:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com udp
US 8.8.8.8:53 s0.2mdn.net udp
US 8.8.8.8:53 s0.2mdn.net udp
GB 142.250.180.2:443 googleads.g.doubleclick.net udp
GB 142.250.178.1:443 tpc.googlesyndication.com udp
GB 142.250.187.230:443 s0.2mdn.net tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com udp
GB 142.250.178.1:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 s0.2mdn.net udp
US 8.8.8.8:53 0f1e6c4a0ae586b25c95beab5fc58818.safeframe.googlesyndication.com udp
GB 142.250.187.230:443 s0.2mdn.net udp
US 8.8.8.8:53 bucket.cdnwebcloud.com udp
US 8.8.8.8:53 bucket.cdnwebcloud.com udp
GB 142.250.187.230:443 s0.2mdn.net udp
GB 13.224.245.120:443 bucket.cdnwebcloud.com tcp
US 8.8.8.8:53 neural40.cdnwebcloud.com udp
US 8.8.8.8:53 neural40.cdnwebcloud.com udp
IE 54.77.129.199:443 neural40.cdnwebcloud.com tcp
IE 54.77.129.199:443 neural40.cdnwebcloud.com tcp
US 8.8.8.8:53 230.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 120.245.224.13.in-addr.arpa udp
US 8.8.8.8:53 199.129.77.54.in-addr.arpa udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 216.239.34.36:443 region1.google-analytics.com udp
US 8.8.8.8:53 g.ezoic.net udp
US 8.8.8.8:53 g.ezoic.net udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 ade.googlesyndication.com udp
US 8.8.8.8:53 ade.googlesyndication.com udp
GB 216.58.204.66:443 ade.googlesyndication.com tcp
US 8.8.8.8:53 66.204.58.216.in-addr.arpa udp
NL 94.228.166.68:80 tcp
GB 88.221.135.25:443 www.bing.com udp
US 8.8.8.8:53 68.166.228.94.in-addr.arpa udp
US 8.8.8.8:53 25.135.221.88.in-addr.arpa udp
NL 94.228.166.68:80 tcp
NL 94.228.166.68:80 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 104.26.12.31:443 api.ip.sb tcp
US 104.26.12.31:443 api.ip.sb tcp
DE 147.45.47.81:80 147.45.47.81 tcp
US 8.8.8.8:53 81.47.45.147.in-addr.arpa udp

Files

C:\Users\Admin\Downloads\Script\Script.exe

C:\Users\Admin\AppData\Local\Temp\conhost.exe

C:\Users\Admin\AppData\Local\Temp\main\main.bat

C:\Users\Admin\AppData\Local\Temp\main\file.bin

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

C:\Users\Admin\AppData\Local\Temp\main\7z.dll
