Analysis Overview
SHA256
1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de
Threat Level: Known bad
The file 1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Vidar
Stealc
Lumma Stealer
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 09:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 09:51
Reported
2024-07-09 09:53
Platform
win10v2004-20240704-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Stealc
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\HDGCGHIJKE.exe | N/A |
| N/A | N/A | C:\ProgramData\IDHCGDAFBK.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4376 set thread context of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 2624 set thread context of 1936 | N/A | C:\ProgramData\HDGCGHIJKE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1340 set thread context of 2432 | N/A | C:\ProgramData\IDHCGDAFBK.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe
"C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\ProgramData\HDGCGHIJKE.exe
"C:\ProgramData\HDGCGHIJKE.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\IDHCGDAFBK.exe
"C:\ProgramData\IDHCGDAFBK.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIDGDAKFHIEH" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.131.75:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 75.131.82.104.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | 167.27.217.95.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 77.105.132.27:80 | 77.105.132.27 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | stationacutwo.shop | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 27.132.105.77.in-addr.arpa | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 239.172.67.172.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | tea.arpdabl.org | udp |
| NL | 185.107.56.204:80 | tea.arpdabl.org | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.226:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 204.56.107.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.131.75:443 | steamcommunity.com | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4376-0-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/4376-1-0x0000000000210000-0x00000000005B8000-memory.dmp
memory/4376-2-0x0000000004FF0000-0x000000000508C000-memory.dmp
memory/4376-3-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/4376-4-0x0000000005090000-0x00000000051EA000-memory.dmp
memory/4376-5-0x0000000002900000-0x000000000291C000-memory.dmp
memory/4376-9-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-25-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-65-0x0000000002900000-0x0000000002915000-memory.dmp
memory/2588-68-0x0000000000400000-0x0000000000648000-memory.dmp
memory/4376-70-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/2588-66-0x0000000000400000-0x0000000000648000-memory.dmp
memory/4376-63-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-61-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-59-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-57-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-55-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-53-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-51-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-49-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-47-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-45-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-43-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-41-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-39-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-37-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-35-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-33-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-31-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-29-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-27-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-23-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-21-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-19-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-17-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-15-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-11-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-7-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-13-0x0000000002900000-0x0000000002915000-memory.dmp
memory/4376-6-0x0000000002900000-0x0000000002915000-memory.dmp
memory/2588-71-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2588-76-0x0000000000400000-0x0000000000648000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\HDGCGHIJKE.exe
| MD5 | 5dcb471423fbb62d7c218760aee4936d |
| SHA1 | 7d72a2295639a8702ecdb77cc020b7a9eef48b04 |
| SHA256 | 837340da10b33b25bca1c15db3b273bfde18110b46949e8c545f31756e7b44bd |
| SHA512 | d8febe1cc91bbacd1b0298eb88d0d25f7789ee962f4d4717cb74ca1d1081ecab78a4062923b31386bcae141900ee99c182836e52bbb4b9f362cd8bdf687dc736 |
memory/1936-153-0x0000000000400000-0x000000000044F000-memory.dmp
C:\ProgramData\IDHCGDAFBK.exe
| MD5 | 0b4cc01ce62da8ed72b98a896c11c1dd |
| SHA1 | eb87a11df4f7a0066389094ee9ba8a4e189794ad |
| SHA256 | 6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc |
| SHA512 | b24fb55140210cc3c8d5f2dec84f36314a93397351a7109701b05dcb47cfbaf437c74fcafb551d8a96e845ea656a5c618b4a229c6acba8c2d0ed3849ccc48b8d |
memory/1936-169-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2588-170-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2588-171-0x0000000000400000-0x0000000000648000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C5RYTORX\76561199735694209[1].htm
| MD5 | 3663d83e2a8a6008e803cca081c7f08d |
| SHA1 | 378fc2af8721ed91ef481210328de91386b02cae |
| SHA256 | cf679dcf825af4a9e53f841a7455465e97353add952bc8142e723574e70b5f00 |
| SHA512 | b405d96567bfe1d63043cd3e88490bcc49ad20075601db3cf654237427569c5dc91259ebc9dd9e22088adf742d0dd46cd4deec8ad0decc366f2210c9a7466290 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
| MD5 | 1b7c0ea7d201f8667e748ab9e61a66e1 |
| SHA1 | c300e62c242ac5509cf5e65db9d0d11bb802859a |
| SHA256 | 8e31308f11e17652b3f36ae2e41f6cf30c4e324e530f78eaba08a7cf02832658 |
| SHA512 | 546e4548b239cbc64ee0aacd9548aedae464d09b4b4751da27db64a50f9b257f6e0b80eb98cfc96cdb1d65e7c7ce7fd58fb30121f01f67354932b1a8054586a1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
| MD5 | 1305873efa734e66700f192fa3ba5a71 |
| SHA1 | 89057c196af68b84ca883d9bad0b032f1aa02250 |
| SHA256 | db9a3ea3f1c769d9a03f663b39f11532c57eaa5a63cd9703dea1ff3c78627f80 |
| SHA512 | 6bd0cf4ec9e1cb3d8b03a0edfd39ab0401ef9fb671b9cd9bc59accec55eed1833dfe1a399274da51918e99624529ad3d38c0f101bc2e1ce2d9296bb631162ccf |
C:\ProgramData\DHCGIDHDAKJE\HDGCGH
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 09:51
Reported
2024-07-09 09:54
Platform
win11-20240704-en
Max time kernel
91s
Max time network
126s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\KFCFIEHCFI.exe | N/A |
| N/A | N/A | C:\ProgramData\KKKEBKJJDG.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3832 set thread context of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 3336 set thread context of 1356 | N/A | C:\ProgramData\KFCFIEHCFI.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3040 set thread context of 3092 | N/A | C:\ProgramData\KKKEBKJJDG.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe
"C:\Users\Admin\AppData\Local\Temp\1b233f8e414b10c0abf1c928d519bbaf2cada53d9fb0d38304f00132e3c511de.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\ProgramData\KFCFIEHCFI.exe
"C:\ProgramData\KFCFIEHCFI.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\KKKEBKJJDG.exe
"C:\ProgramData\KKKEBKJJDG.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IEHDBAAFIDGD" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.131.75:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.131.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 77.105.132.27:80 | 77.105.132.27 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 104.21.30.130:443 | stationacutwo.shop | tcp |
| US | 104.21.30.130:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 104.21.30.130:443 | stationacutwo.shop | tcp |
| US | 104.21.30.130:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 104.21.30.130:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 104.21.30.130:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| NL | 185.107.56.204:80 | tea.arpdabl.org | tcp |
| US | 199.59.243.226:80 | survey-smiles.com | tcp |
| GB | 104.82.131.75:443 | steamcommunity.com | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
Files
memory/3832-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/3832-1-0x00000000002E0000-0x0000000000688000-memory.dmp
memory/3832-2-0x0000000005160000-0x00000000051FC000-memory.dmp
memory/3832-3-0x0000000074B20000-0x00000000752D1000-memory.dmp
memory/3832-4-0x0000000005200000-0x000000000535A000-memory.dmp
memory/3832-5-0x00000000050F0000-0x000000000510C000-memory.dmp
memory/3832-64-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-65-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/2716-67-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2716-69-0x0000000000400000-0x0000000000648000-memory.dmp
memory/3832-66-0x0000000074B20000-0x00000000752D1000-memory.dmp
memory/3832-61-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-59-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-53-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-57-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-55-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-51-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-49-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-47-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-45-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-43-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-41-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-39-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-37-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-35-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-33-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-31-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-29-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-27-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-25-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-23-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-21-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-19-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-17-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-15-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-13-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-11-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-9-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-7-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/3832-6-0x00000000050F0000-0x0000000005105000-memory.dmp
memory/2716-71-0x0000000000400000-0x0000000000648000-memory.dmp
memory/3832-72-0x0000000074B20000-0x00000000752D1000-memory.dmp
memory/2716-79-0x0000000000400000-0x0000000000648000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\KFCFIEHCFI.exe
| MD5 | 5dcb471423fbb62d7c218760aee4936d |
| SHA1 | 7d72a2295639a8702ecdb77cc020b7a9eef48b04 |
| SHA256 | 837340da10b33b25bca1c15db3b273bfde18110b46949e8c545f31756e7b44bd |
| SHA512 | d8febe1cc91bbacd1b0298eb88d0d25f7789ee962f4d4717cb74ca1d1081ecab78a4062923b31386bcae141900ee99c182836e52bbb4b9f362cd8bdf687dc736 |
memory/1356-156-0x0000000000400000-0x000000000044F000-memory.dmp
C:\ProgramData\KKKEBKJJDG.exe
| MD5 | 0b4cc01ce62da8ed72b98a896c11c1dd |
| SHA1 | eb87a11df4f7a0066389094ee9ba8a4e189794ad |
| SHA256 | 6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc |
| SHA512 | b24fb55140210cc3c8d5f2dec84f36314a93397351a7109701b05dcb47cfbaf437c74fcafb551d8a96e845ea656a5c618b4a229c6acba8c2d0ed3849ccc48b8d |
memory/2716-170-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1356-173-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2716-174-0x0000000000400000-0x0000000000648000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1AJ0H6J4\76561199735694209[1].htm
| MD5 | 8bbdb28aa0dc8ef45adf5982693f6e8c |
| SHA1 | 03791d7f3aa3b042836332e63b4352fa5118a68f |
| SHA256 | afb75f8f59df4226d109c17b9c40b026c953d9c86916006911e8896db2b86495 |
| SHA512 | 8cdcf86d301c69c5e8b731cac7493abb29ac8eda2b63294aea204f681c97ee5e23fc0f2f22cac9aeb65bc08347f3600406d3147cfb61048ea0c381029c795e28 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
| MD5 | 2e4476d23c0f28ac074f2de7ca10b209 |
| SHA1 | 3134ce5e89705c6e2c4593b4da5ff2db4559345c |
| SHA256 | 18fe36d3918db86dc44641b5a6979d0411f0dc4f3a07a97fc92bd576641353c5 |
| SHA512 | 0a8a770e16d93fec52beef7f8e2100b011b5534fe13ea0298fb9b2cb46781b48f5ffc2e173beb1b8f5b12454cd9a4cca8f99d9340fcbc84e96724212f674041b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
| MD5 | 1305873efa734e66700f192fa3ba5a71 |
| SHA1 | 89057c196af68b84ca883d9bad0b032f1aa02250 |
| SHA256 | db9a3ea3f1c769d9a03f663b39f11532c57eaa5a63cd9703dea1ff3c78627f80 |
| SHA512 | 6bd0cf4ec9e1cb3d8b03a0edfd39ab0401ef9fb671b9cd9bc59accec55eed1833dfe1a399274da51918e99624529ad3d38c0f101bc2e1ce2d9296bb631162ccf |
C:\ProgramData\HJDBFBKKJDHJ\DAAAFB
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |