Analysis Overview
SHA256
4470d04e7ddfe73366faf06ccbf50904961fe2999f4c8c23be35b820b6036209
Threat Level: Known bad
The file 4470d04e7ddfe73366faf06ccbf50904961fe2999f4c8c23be35b820b6036209 was found to be: Known bad.
Malicious Activity Summary
Azorult family
Detect Fabookie payload
Pony, Fareit
Pony family
FFDroider
Azorult
Fabookie
Fabookie family
Ffdroider family
Detected Nirsoft tools
Reads data files stored by FTP clients
Checks computer location settings
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Enumerates connected drives
Drops Chrome extension
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Drops file in Program Files directory
Drops file in Windows directory
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Modifies system certificate store
Checks SCSI registry key(s)
outlook_win_path
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: CmdExeWriteProcessMemorySpam
Kills process with taskkill
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-06 13:27
Signatures
Azorult family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wsfsd33sdfer.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
Fabookie
Fabookie family
Ffdroider family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899694796.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899701905.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkgfcdgkbekamjjchhingmkangiakkgi\1.0.0.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2936 set thread context of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2936 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\gdiview\gdiview\GDIView.chm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\gdiview\gdiview\GDIView.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\gdiview\gdiview\readme.txt | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2A38.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58298e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58298c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58298c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1730899694796.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1730899701905.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899694796.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899694796.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899701905.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899701905.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899694796.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899701905.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BB2CFA3284AF251FA76EB9F1C3B13590 C
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Roaming\1730899694796.exe
"C:\Users\Admin\AppData\Roaming\1730899694796.exe" /sjson "C:\Users\Admin\AppData\Roaming\1730899694796.txt"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Users\Admin\AppData\Roaming\1730899701905.exe
"C:\Users\Admin\AppData\Roaming\1730899701905.exe" /sjson "C:\Users\Admin\AppData\Roaming\1730899701905.txt"
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1492
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
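The process list above repeats three idioms worth detecting in endpoint telemetry: a `cmd /c ping 127.0.0.1 ... & del "<dropper>"` chain used as a sleep-then-self-delete (the dropper removes itself once ping has stalled for a few seconds), `taskkill /f /im chrome.exe` to release browser credential stores before they are read, and NirSoft-style export switches (`/sjson`, `/scookiestxt`) that dump credentials and cookies straight to a text file. The detector below is an added example, not part of the sandbox report; the sample command lines are copied from the report, while the browser image list and the export switches beyond `/sjson` and `/scookiestxt` are assumptions.

```python
import re
from collections import defaultdict

# Command lines copied from the process list in the report above; the last two
# are benign children/bystanders included so the rules can be shown not to fire.
SAMPLE_CMDLINES = [
    'cmd /c ping 127.0.0.1 -n 3 & del "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Setup.exe"',
    'cmd.exe /c taskkill /f /im chrome.exe',
    '"C:\\Users\\Admin\\AppData\\Roaming\\1730899694796.exe" /sjson "C:\\Users\\Admin\\AppData\\Roaming\\1730899694796.txt"',
    '"C:\\Windows\\system32\\cmd.exe" /c ping 127.0.0.1 && del "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\file.exe" >> NUL',
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\jfiag3g_gg.exe /scookiestxt C:\\Users\\Admin\\AppData\\Local\\Temp\\fj4ghga23_fsa.txt',
    'ping 127.0.0.1 -n 3',
    '"C:\\Program Files\\Mozilla Firefox\\firefox.exe"',
]

# ping to loopback, then (& or &&) del of a path: the "sleep then self-delete" chain.
SELF_DELETE = re.compile(
    r'\bping\b[^&|]*?\b127\.0\.0\.1\b[^&|]*?&{1,2}\s*del\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)

# taskkill targeting a browser image; only chrome.exe appears in the report,
# the rest of the list is an assumption.
KILL_BROWSER = re.compile(r'\btaskkill\b[^&|]*?/im\s+"?([^"\s]+)', re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "brave.exe"}

# NirSoft "save" switches followed by an output path; /sjson and /scookiestxt are
# from the report, the other switch names are assumed.
NIRSOFT_EXPORT = re.compile(
    r'/(s(?:json|cookiestxt|text|html|xml|comma|tab))\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)


def scan(cmdline):
    """Return a list of (rule_name, detail) findings for one command line."""
    findings = []
    m = SELF_DELETE.search(cmdline)
    if m:
        findings.append(("self_delete_via_ping", m.group(1) or m.group(2)))
    m = KILL_BROWSER.search(cmdline)
    if m and m.group(1).lower() in BROWSERS:
        findings.append(("kill_browser", m.group(1).lower()))
    for m in NIRSOFT_EXPORT.finditer(cmdline):
        out_path = m.group(2) or m.group(3)
        findings.append(("nirsoft_export", f"{m.group(1).lower()} -> {out_path}"))
    return findings


def scan_all(cmdlines):
    """Group findings by rule across many command lines (e.g. a whole process tree)."""
    summary = defaultdict(list)
    for line in cmdlines:
        for rule, detail in scan(line):
            summary[rule].append(detail)
    return dict(summary)


if __name__ == "__main__":
    for rule, details in sorted(scan_all(SAMPLE_CMDLINES).items()):
        print(rule)
        for d in details:
            print("   ", d)
```

The self-delete rule keys on the `ping` + `del` combination in one `cmd` invocation rather than on `ping 127.0.0.1` alone, since the bare ping child (`PING.EXE`) is indistinguishable from legitimate use; the path it captures is what you would pivot on to find the dropper in file-creation telemetry.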
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fae6d2a1ac2748db.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | e85c5b0caef0cd16.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | d8b2d8b1562e74f4.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 62e4cb87e7e0fe29.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | afc7178613230274.xyz | udp |
| HK | 101.36.107.74:80 | | tcp |
| US | 8.8.8.8:53 | 62e4cb87e7e0fe29.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | afc7178613230274.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | d8b2d8b1562e74f4.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 17eb4bd0cf2216ad.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 167.205.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6d8b0272c433fd35.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | arganaif.org | udp |
| DE | 173.212.247.85:443 | arganaif.org | tcp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 85.247.212.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cryptobstar.xyz | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uehge4g6gh.2ihsfa.com | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | 62e4cb87e7e0fe29.xyz | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | FAE6D2A1AC2748DB.xyz | udp |
| US | 162.249.67.147:80 | FAE6D2A1AC2748DB.xyz | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
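The table above mixes real indicators with noise: reverse lookups (`*.in-addr.arpa`) the sandbox's resolver performed, repeated beacons to the same host, a browser certificate check (`c.pki.goog`), one direct-to-IP connection with no DNS name, and the same C2 domain appearing in two letter cases (`fae6d2a1ac2748db.xyz` and `FAE6D2A1AC2748DB.xyz`). The parser below is an added example, not part of the report; it reads rows in the table's own format, case-folds names, drops PTR noise and a small allowlist, and counts distinct connections. The sample rows are a subset copied from the table; the allowlist contents are an assumption.

```python
from collections import Counter

# A subset of rows copied from the Network table above, including the
# mixed-case C2 domain and the connection with no resolved name.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fae6d2a1ac2748db.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| HK | 101.36.107.74:80 | | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | FAE6D2A1AC2748DB.xyz | udp |
| US | 162.249.67.147:80 | FAE6D2A1AC2748DB.xyz | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
"""

RESOLVER = "8.8.8.8"          # the sandbox's DNS resolver as seen in the table
PTR_SUFFIX = ".in-addr.arpa"   # reverse lookups; not attacker-chosen names
BENIGN = {"c.pki.goog"}        # assumption: Google PKI endpoint hit by browser cert checks
NO_NAME = "<no-dns-name>"


def parse_rows(text):
    """Yield dicts for each data row of a '| Country | Destination | Domain | Proto |' table."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country" or set(cells[0]) <= {"-"}:
            continue  # blank, header or separator line
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        yield {"country": country, "ip": ip, "port": port,
               "domain": domain, "proto": proto.lower()}


def extract_iocs(rows):
    """Return (queried_domains, connections) as Counters with noise removed.

    queried_domains: lower-cased names sent to the resolver, minus PTR lookups
                     and allowlisted hosts.
    connections:     (ip, port, name) tuples for non-DNS traffic, so repeated
                     beacons collapse into one indicator with a hit count.
    """
    domains = Counter()
    connections = Counter()
    for r in rows:
        name = r["domain"].lower()
        if r["ip"] == RESOLVER and r["port"] == "53":
            if not name or name.endswith(PTR_SUFFIX) or name in BENIGN:
                continue
            domains[name] += 1
            continue
        if name in BENIGN:
            continue
        connections[(r["ip"], r["port"], name or NO_NAME)] += 1
    return domains, connections


if __name__ == "__main__":
    domains, connections = extract_iocs(parse_rows(SAMPLE_ROWS))
    print("queried domains:")
    for name, n in domains.most_common():
        print(f"  {name}  (x{n})")
    print("connections:")
    for (ip, port, name), n in connections.most_common():
        print(f"  {ip}:{port}  {name}  (x{n})")
```

Case-folding is what turns the two spellings of the `.xyz` C2 domain into a single indicator; keep the original-case string only if you need to fingerprint the client that emitted it. The `<no-dns-name>` placeholder marks direct-to-IP connections, which need a separate blocking rule since no domain indicator will ever cover them.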
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | edeb50f0b803732a581ab558bf87d968 |
| SHA1 | 35858ce564d4c8b080bae606bf67292f5b9b2201 |
| SHA256 | ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6 |
| SHA512 | 8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273 |
memory/4364-26-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/4364-27-0x0000000010000000-0x000000001033D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
| MD5 | 7cc103f6fd70c6f3a2d2b9fca0438182 |
| SHA1 | 699bd8924a27516b405ea9a686604b53b4e23372 |
| SHA256 | dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1 |
| SHA512 | 92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128 |
C:\Users\Admin\AppData\Local\Temp\MSIB91E.tmp
| MD5 | 84878b1a26f8544bda4e069320ad8e7d |
| SHA1 | 51c6ee244f5f2fa35b563bffb91e37da848a759c |
| SHA256 | 809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444 |
| SHA512 | 4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549 |
memory/2936-51-0x0000000003080000-0x000000000352F000-memory.dmp
memory/920-55-0x0000000003760000-0x0000000003C0F000-memory.dmp
memory/4364-59-0x0000000000400000-0x00000000005C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
| MD5 | 6f3b825f098993be0b5dbd0e42790b15 |
| SHA1 | cb6b13faf195f76f064c19d5b1a08b5d0633d3ea |
| SHA256 | c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e |
| SHA512 | bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c |
C:\Users\Admin\AppData\Roaming\1730899694796.exe
| MD5 | ef6f72358cb02551caebe720fbc55f95 |
| SHA1 | b5ee276e8d479c270eceb497606bd44ee09ff4b8 |
| SHA256 | 6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5 |
| SHA512 | ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90 |
C:\Users\Admin\AppData\Roaming\1730899694796.txt
| MD5 | 3ec0afa7e956abb96936eb57a6e0bfe7 |
| SHA1 | cdf3703e75d6452e6c9acd69161cba904a42b410 |
| SHA256 | 0591e510460fa7cbd1761cfa1bf73a409a90a0c9fca104c53afc85ff162f0bf8 |
| SHA512 | bec125317a7a4ac09b0e048306277de54424d4ac23b2d3690ab6b58405c7b116e12e603513de8c43d1f9f25ad20162d57465617757c3ff3f4ef856b399d4be7e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\43mkyhds.Admin\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite
| MD5 | 2eab03c24e521ee22c08a3e3bab16d7f |
| SHA1 | d8ea20c5d4e7866c66ef36201e27fce4e10ad12b |
| SHA256 | 5c1fffc1e126ebbc19e4ef0cff60d5a0278cc57868737157746827acf7248ba2 |
| SHA512 | 916cefe311d2b01d58062a022f5172880bd99c817b421f354a75a5c09e013676da7e2c16f333f1be121d62cb848b9739b0f2c4d2f45c56789574b93a97c7685b |
memory/920-150-0x0000000000400000-0x00000000005C8000-memory.dmp
C:\Users\Admin\AppData\Local\Login Data1730899701905
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Login Data1730899701905
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Cookies1730899701905
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Config.Msi\e58298d.rbs
| MD5 | 5f646b20b70fbb02f6f5c3cd09c10bea |
| SHA1 | 3dc234c0dfc97d81cb9a9c77c150114a23dcea5a |
| SHA256 | 3f1f72fb263e2498c076d22eaecacf6387b34461a2c7186fd9d1d659a38a940a |
| SHA512 | 1284291c371d3a62ee4305968b1ced6fe1435ff5b1e2513e6f764241fecebd94adef3514b641f9127e482bc07388892672ee28d6dcd60b5e3ca764448869d617 |
\??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{932be079-f81f-4b91-a751-da447939eefe}_OnDiskSnapshotProp
| MD5 | 11a5cd327c0c7d10f4294d605e4f3204 |
| SHA1 | 732ae109e754b65420d7241f262522476893c2a1 |
| SHA256 | d1431f9f911dc863c2886bb4165ee8e7aa30846e4bb19d16b5df9efc3e4b8cdd |
| SHA512 | 7db91a1b603bb8dd04ef721fe405f796d191222eac8df957f3e2b7594f8a8593501453f035ac8900fce42bcbe0192d8793126760950ddba6af75640262d4bc29 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | de31cd5a064c082f0149d027e0cc6c3f |
| SHA1 | 2867cfc5d14b42085af3ba95a7f8edc5fbeccbca |
| SHA256 | fc8374d28f8bbf704d03c1e9781c2fa035593860559372fee19f23de0f379541 |
| SHA512 | b6411f25d98ab7c4e5516af56919b8cb54ab2f421469d7639bbd707507991fb373422dfddf0d84a3978efe27166c33e5e7138be8ab452f93bc4d698355c9acc0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d
| MD5 | 8036d53d2f26d6c3b48708e4d38db0f4 |
| SHA1 | c6bee3c2428d744ce5061468d01c528e845987c1 |
| SHA256 | 63b3101afceec74ae43045de5c62841e82c701d342b6458f8f6b2d0e7dfe2b72 |
| SHA512 | a459386aa1fb343cbeda280001b608cebdaf89f9afc6cf81122f4f4e5f083411f004e52b65f6dc2b528c1c5e141aa5c87d611e11e998771d9b3de1fcec8949cb |
memory/4960-205-0x0000000003480000-0x0000000003490000-memory.dmp
memory/4960-211-0x00000000037E0000-0x00000000037F0000-memory.dmp
memory/4960-219-0x00000000040F0000-0x00000000040F8000-memory.dmp
memory/4960-218-0x00000000040D0000-0x00000000040D8000-memory.dmp
memory/4960-221-0x0000000004190000-0x0000000004198000-memory.dmp
memory/4960-224-0x00000000042D0000-0x00000000042D8000-memory.dmp
memory/4960-225-0x0000000004430000-0x0000000004438000-memory.dmp
memory/4960-226-0x00000000047D0000-0x00000000047D8000-memory.dmp
memory/4960-227-0x00000000046D0000-0x00000000046D8000-memory.dmp
memory/4960-228-0x0000000004540000-0x0000000004548000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 38940639f50b9e3de567814b2040f26e |
| SHA1 | cc5a3b7f54103972af70fb7b57a28b74048f084b |
| SHA256 | e0ce393069bbc09a0be72550be642537defb8c86f7b113968414f7d07f30298d |
| SHA512 | 3b414fdc5dcd860567af54a407135694dfb7ac7d9b022f8633f37c6fc1f9799a82855084d5d007aa9c9f8ec2f69f141a39e2acf32bf094fbf93b94297bd3e9ae |
memory/4960-241-0x00000000040F0000-0x00000000040F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 7027bf149d5ca62fa2db69ef3611bff0 |
| SHA1 | 858168a46f68c3566fc02693be25445a799dcd49 |
| SHA256 | cd84be32b6031c5d7491767160847b16de7e4e5bbc144d9bf1b189dfdaeec821 |
| SHA512 | 35b359b44936be8ac73a0e14ffc278de4a582e83f688dc84a67bb9eaceb081d7758dd409302c438007bf30d21ab84c095b4f6ee350bcfc49f4ff90a5f1090cca |
memory/4960-249-0x0000000004540000-0x0000000004548000-memory.dmp
memory/4960-251-0x0000000004670000-0x0000000004678000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 66103bb7f83ba4214089c9f99524a97b |
| SHA1 | 7b0ba53f114fc16d0f2b0ce6d4c1c7d2a11b7322 |
| SHA256 | e832aa48c2c94b3dc7286b19de56f7eb4dba3f4c18c279f85d38405e3574c1d0 |
| SHA512 | d83c29412ec204edfd7d50c14e2a2fd6db70195d7ed9f411084f768613329eadbedf364b3c1f6f73316155f94528791eff93c2f9eed5f06c0ad691a86829b5bd |
memory/4960-264-0x00000000040F0000-0x00000000040F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | f79fc1680be5525e2e6c2584cd8986f4 |
| SHA1 | d4ed39ddfa7a89540744e15f87592fe460847c61 |
| SHA256 | 68a5b3c42ea4862472b1764a701edba18a10f0da43c8bfad641a1503a681c753 |
| SHA512 | cc32d9fa4ca4f92c0b15f09964de0795049185bf24fca56abfeb673a1d7513b1d4ff1e40c66eb96358076bbd97d83606adf60c08c8c6d46ca5eac16e285dbed8 |
memory/4960-272-0x0000000004670000-0x0000000004678000-memory.dmp
memory/4960-274-0x0000000004540000-0x0000000004548000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | f03102d365d333d2e1bb848ef46e1c51 |
| SHA1 | 7045c9012edbafe876daf41ef2655c2e64f7eced |
| SHA256 | a2721202a9d98ff8b943629c4f6ce76c198804d916b7f88fb916fe48442cc782 |
| SHA512 | c5f3a16697a983fe2d4f2eb368eee3c19fad76cee7a07a25b971aa2f12eff6eb706093d1d36d6e3df4b6245dd0c9f23053c5aa714249b8c1a86ad5929ea4105d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
| MD5 | 26baf1dd4e0c44975cf943b6d5269b07 |
| SHA1 | 4648e9a79c7a4fd5be622128ddc5af68697f3121 |
| SHA256 | 9117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9 |
| SHA512 | 57adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef |
memory/1564-306-0x00000000009C0000-0x00000000009CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
| MD5 | b2d8ce7b40730bc6615728b1b1795ce9 |
| SHA1 | 5cf7a63f3ecc2184e7b2894c78538d89f7063fe1 |
| SHA256 | ee4b58514316c6fc928e60245384560a24723e690a3311e8c2dd9e8efd5de7ca |
| SHA512 | cc79016627fb17a864ca3414f8bc598d52a9d17ec64ee1005b059a84597fe16493203879ff1c5a5ed46cf15a9e590098672a4b21a38852cace9bb02d8f1c531e |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
| MD5 | 874d5bd8807cebd41fd65ea12f4f9252 |
| SHA1 | d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d |
| SHA256 | 2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985 |
| SHA512 | b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48 |
memory/2920-346-0x0000000000E00000-0x0000000000E32000-memory.dmp
memory/2920-347-0x00000000016D0000-0x00000000016D6000-memory.dmp
memory/2920-348-0x0000000002EA0000-0x0000000002EC6000-memory.dmp
memory/2920-349-0x00000000016E0000-0x00000000016E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
| MD5 | 6a714c56525073f78181129ce52175db |
| SHA1 | eb7a9356e9cc40368e1774035c23b15b7c8d792b |
| SHA256 | 57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4 |
| SHA512 | 04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550 |
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
memory/4988-364-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4988-368-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
| MD5 | b7161c0845a64ff6d7345b67ff97f3b0 |
| SHA1 | d223f855da541fe8e4c1d5c50cb26da0a1deb5fc |
| SHA256 | fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66 |
| SHA512 | 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680 |
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | a6279ec92ff948760ce53bba817d6a77 |
| SHA1 | 5345505e12f9e4c6d569a226d50e71b5a572dce2 |
| SHA256 | 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181 |
| SHA512 | 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c |
memory/2544-373-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2544-380-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
| MD5 | e7d37715581ee577d52e0ae8c852cd71 |
| SHA1 | 0a4de4340cb2d5e97a13c094fb6e460d3195dfd0 |
| SHA256 | 837591148f2a6fc07b56265553f49a3d4faaf56258f4aa882a22111b47f7540a |
| SHA512 | ebcf61a94295361050b2e4e173e7c199fa2de8988e08ad588d3c7d3cd6e84901fb7ce3447910ce77ed7d95e595dbb65e64923edcce006523d90eac5d9b960b2a |
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
| MD5 | f0372ff8a6148498b19e04203dbb9e69 |
| SHA1 | 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8 |
| SHA256 | 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf |
| SHA512 | 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865 |
memory/2936-408-0x0000000000400000-0x00000000005C8000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win7-20240729-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Azorult
Azorult family
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
Fabookie
Fabookie family
Ffdroider family
Pony family
Pony,Fareit
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eenkljkhpoeacjofglngodibakkdjajh\1.0.0.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2440 set thread context of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe |
| PID 2572 set thread context of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 2572 set thread context of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\gdiview\gdiview\GDIView.chm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\gdiview\gdiview\GDIView.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\gdiview\gdiview\readme.txt | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f773015.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f773015.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f773016.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI30F0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f773018.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f773016.ipi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe | N/A |
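The two signature rows above show dropped executables writing directly under SystemCertificates\ROOT and \AuthRoot, where the key name is the SHA-1 thumbprint and the Blob value carries the certificate itself. The Blob contents are not reproduced in this report, so the checker below is an added example (not code from the report or the sandbox vendor) that works on constructed blobs: it walks the registry Blob layout (little-endian DWORD property id, a reserved DWORD that is 1, a DWORD length, then the data; CryptoAPI property 32 is the DER certificate and property 3 its SHA-1), recomputes the thumbprint, confirms it matches the key name and the stored hash, and compares it against a baseline of expected roots. The placeholder DER bytes, the baseline set and the function names are assumptions for the example; on a real host you would feed it the Blob values exported from the keys listed above.

```python
import hashlib
import struct

# CryptoAPI property identifiers (wincrypt.h CERT_*_PROP_ID values).
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32

# Constructed placeholder "certificates": arbitrary bytes standing in for DER
# data, because the real Blob values are not reproduced in this report.
SAMPLE_DER_A = bytes(range(0, 64))
SAMPLE_DER_B = bytes(range(64, 128))


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER certificate in upper-case hex, the form used as the key name."""
    return hashlib.sha1(der).hexdigest().upper()


# Roots you expect on a clean host (constructed baseline for the example).
BASELINE = {thumbprint(SAMPLE_DER_A)}


def build_blob(props) -> bytes:
    """Serialize (prop_id, data) pairs into the Blob layout: for each property a
    little-endian DWORD id, a DWORD reserved field that is always 1, a DWORD
    length, then the data bytes."""
    out = bytearray()
    for prop_id, data in props:
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return bytes(out)


def parse_blob(blob: bytes) -> dict:
    """Inverse of build_blob; rejects truncated or malformed records."""
    props = {}
    off = 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = bytes(blob[off:off + length])
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last property record")
    return props


def check_store_entry(key_name: str, blob: bytes, baseline: set):
    """Return (thumbprint, issues) for one Certificates\\<key_name>\\Blob entry."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return None, ["no certificate (property 32) in blob"]
    actual = thumbprint(der)
    issues = []
    if actual != key_name.upper():
        issues.append("key name does not match SHA-1 of embedded certificate")
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    if stored is not None and stored.hex().upper() != actual:
        issues.append("stored SHA-1 property does not match embedded certificate")
    if actual not in baseline:
        issues.append("thumbprint not in baseline")
    return actual, issues


def audit_store(entries, baseline: set) -> dict:
    """entries: iterable of (key_name, blob) read from
    HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\<key_name>\\Blob."""
    return {key: check_store_entry(key, blob, baseline) for key, blob in entries}


if __name__ == "__main__":
    entries = [
        (thumbprint(SAMPLE_DER_A), build_blob([(CERT_CERT_PROP_ID, SAMPLE_DER_A)])),
        (thumbprint(SAMPLE_DER_B), build_blob([(CERT_CERT_PROP_ID, SAMPLE_DER_B)])),
    ]
    for key, (tp, issues) in audit_store(entries, BASELINE).items():
        print(key, "OK" if not issues else issues)
```

A root added by a dropper will normally be internally consistent (key name equal to the certificate's SHA-1), so the baseline comparison is the check that actually catches it; the key-name and stored-hash checks are there to flag entries that were edited by hand or by tooling that did not keep the properties coherent.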
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
keygen-step-1.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
keygen-step-3.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
keygen-step-4.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 99B25CC105D063C176A415D9D01281F3 C
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "00000000000005AC"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe" >> NUL
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe"
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
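The process list above contains several command-line patterns that are worth a detection rule on their own: a ping to 127.0.0.1 used as a sleep followed by del of the dropper that just ran, taskkill /f against chrome.exe (forcing the browser closed releases the locks on its profile databases before they are copied), a NirSoft-style /scookiestxt export to a file in Temp, and msiexec installing a package from the user's Temp directory. The scanner below is an added example, not code from the report or the sandbox vendor; the rule names, the browser image list and the NirSoft switch list are assumptions, and the command lines it runs over are a representative subset copied verbatim from the list above (the firefox.exe launch is included as a control that must not fire).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Subset of the command lines from the "Processes" list of this report.
PROCESS_CMDLINES = [
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"',
    r'keygen-pr.exe -p83fsase3Ge',
    r'msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"',
    r'C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat',
    r'cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe" >> NUL',
    r'C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe"',   # control, should not match
]

# "ping 127.0.0.1 [-n N] & del <path>": ping is the sleep, del removes the dropper.
SELF_DELETE_RE = re.compile(
    r'ping\s+127\.0\.0\.1.*?&{1,2}\s*del\s+"?(?P<path>[^"&>]+)', re.IGNORECASE)

# taskkill with /f and /im <browser image>.
TASKKILL_RE = re.compile(r'taskkill\b(?P<args>.*)', re.IGNORECASE)
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "brave.exe"}  # assumption

# NirSoft command-line tools export with /s<format> <outfile>; list is an assumption.
NIRSOFT_EXPORT_RE = re.compile(
    r'\s/s(?:text|html|verhtml|xml|comma|tab|tabular|cookiestxt)\s+(?P<out>\S+)', re.IGNORECASE)

# msiexec /i with a package under the user's Temp directory.
TEMP_MSI_RE = re.compile(
    r'msiexec(?:\.exe)?\s.*?/i\s+"?(?P<pkg>[^"]*\\AppData\\Local\\Temp\\[^"]+\.msi)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    cmdline: str
    detail: str


def scan_cmdlines(cmdlines):
    """Run every rule over every command line; return the list of findings."""
    findings = []
    for cl in cmdlines:
        m = SELF_DELETE_RE.search(cl)
        if m:
            findings.append(Finding("self_delete_via_ping", cl, m.group("path").strip()))
        m = TASKKILL_RE.search(cl)
        if m:
            args = m.group("args")
            im = re.search(r'/im\s+(?P<image>\S+)', args, re.IGNORECASE)
            forced = re.search(r'(?:^|\s)/f(?:\s|$)', args, re.IGNORECASE)
            if im and forced and im.group("image").lower() in BROWSER_IMAGES:
                findings.append(Finding("browser_force_kill", cl, im.group("image").lower()))
        m = NIRSOFT_EXPORT_RE.search(cl)
        if m:
            findings.append(Finding("nirsoft_export_switch", cl, m.group("out")))
        m = TEMP_MSI_RE.search(cl)
        if m:
            findings.append(Finding("msiexec_install_from_temp", cl, m.group("pkg")))
    return findings


def rule_counts(findings) -> Counter:
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for f in scan_cmdlines(PROCESS_CMDLINES):
        print(f"{f.rule:28} {f.detail}")
```

The same regexes translate directly into process-creation telemetry queries (Sysmon event 1 CommandLine, or your EDR's equivalent); the self-delete rule in particular is low-noise because legitimate installers rarely chain ping and del through cmd.exe.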
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wsfsd33sdfer.com | udp |
| US | 8.8.8.8:53 | fae6d2a1ac2748db.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | d8b2d8b1562e74f4.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 6d8b0272c433fd35.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | e85c5b0caef0cd16.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 4d928c61332a7a36.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| HK | 101.36.107.74:80 | | tcp |
| US | 8.8.8.8:53 | 584013404cfbb28e.xyz | udp |
| US | 8.8.8.8:53 | oldhorse.info | udp |
| US | 8.8.8.8:53 | 3b47af116e9c7975.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 80ca3a4c7b51e846.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | bf2614e472c0e137.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | afc7178613230274.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | arganaif.org | udp |
| DE | 173.212.247.85:443 | arganaif.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | cryptobstar.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | FAE6D2A1AC2748DB.xyz | udp |
| US | 162.249.67.147:80 | FAE6D2A1AC2748DB.xyz | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | uehge4g6gh.2ihsfa.com | udp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
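The Network table mixes DNS lookups with the TCP connections that followed them, repeats the same destination many times, and lists several sixteen-hex-character .xyz names of which only one was actually connected to. The script below is an added example (not code from the report or the sandbox vendor) that turns such a table into an IOC summary: it tolerates the one row whose domain column is empty and protocol shifted left, lower-cases names so FAE6D2A1AC2748DB.xyz and fae6d2a1ac2748db.xyz merge, separates names that were only resolved from names that were connected to, groups domains by destination IP, counts connections per destination, and flags the hex-label .xyz pattern and the external-IP reporting services. The rows embedded in it are a subset copied from the table above (repeats of 76.223.54.146:80 trimmed to three); the allowlist of CA, CRL and vendor endpoints and the service list are analyst assumptions, not something the report states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Subset of the rows from the "Network" table of this report.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wsfsd33sdfer.com | udp |
| US | 8.8.8.8:53 | fae6d2a1ac2748db.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | d8b2d8b1562e74f4.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 6d8b0272c433fd35.xyz | udp |
| HK | 101.36.107.74:80 | tcp | |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | FAE6D2A1AC2748DB.xyz | udp |
| US | 162.249.67.147:80 | FAE6D2A1AC2748DB.xyz | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | uehge4g6gh.2ihsfa.com | udp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 76.223.54.146:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
"""

HEX_XYZ_RE = re.compile(r'^[0-9a-f]{16}\.xyz$')
IP_REPORTING_SERVICES = {"ip-api.com", "iplogger.org"}      # external-IP / visitor-logging services
ALLOWLIST = {"c.pki.goog", "crl.microsoft.com", "www.microsoft.com", "www.facebook.com"}  # assumption


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str   # lower-cased; "" when the sandbox recorded no name
    proto: str


def parse_rows(text: str):
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells[:4]
        if domain.lower() in ("tcp", "udp") and not proto:   # misaligned row: no domain
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port), domain.lower(), proto.lower()))
    return conns


def summarize(conns) -> dict:
    dns = {c.domain for c in conns if c.proto == "udp" and c.port == 53 and c.domain}
    tcp_domains = {c.domain for c in conns if c.proto == "tcp" and c.domain}
    by_ip, tcp_counts = {}, Counter()
    for c in conns:
        if c.proto != "tcp":
            continue
        by_ip.setdefault(c.ip, set())
        if c.domain:
            by_ip[c.ip].add(c.domain)
        tcp_counts[f"{c.ip}:{c.port}"] += 1
    seen = dns | tcp_domains
    hex_xyz = {d for d in seen if HEX_XYZ_RE.match(d)}
    return {
        "dns_only": sorted(dns - tcp_domains),                 # resolved, never connected
        "hex_xyz_resolved": sorted(hex_xyz),
        "hex_xyz_connected": sorted(hex_xyz & tcp_domains),
        "ip_reporting_services": sorted(seen & IP_REPORTING_SERVICES),
        "by_ip": {ip: sorted(ds) for ip, ds in by_ip.items()},
        "tcp_counts": dict(tcp_counts),
        "ioc_domains": sorted(seen - ALLOWLIST),
        # an IP is an IOC unless every name seen on it is allowlisted; unnamed IPs stay in
        "ioc_ips": sorted(ip for ip, ds in by_ip.items() if not ds or not ds <= ALLOWLIST),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

Treat dns_only names as lower-confidence indicators (the sample asked for them but never connected), and treat the unnamed 101.36.107.74:80 destination as one to pivot on separately, since there is no DNS lookup in the table to tie it to a name.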
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
| MD5 | 51ef03c9257f2dd9b93bfdd74e96c017 |
| SHA1 | 3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34 |
| SHA256 | 82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf |
| SHA512 | 2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JOzWR.dat
| MD5 | 12476321a502e943933e60cfb4429970 |
| SHA1 | c71d293b84d03153a1bd13c560fca0f8857a95a7 |
| SHA256 | 14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29 |
| SHA512 | f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc |
\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
| MD5 | edeb50f0b803732a581ab558bf87d968 |
| SHA1 | 35858ce564d4c8b080bae606bf67292f5b9b2201 |
| SHA256 | ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6 |
| SHA512 | 8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273 |
memory/1964-38-0x0000000004280000-0x0000000004448000-memory.dmp
memory/1964-48-0x0000000004280000-0x0000000004448000-memory.dmp
memory/1048-50-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/2964-54-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-56-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-58-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-60-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-62-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-64-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1048-75-0x0000000010000000-0x000000001033D000-memory.dmp
memory/2964-66-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-73-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2964-82-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-84-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
| MD5 | 7cc103f6fd70c6f3a2d2b9fca0438182 |
| SHA1 | 699bd8924a27516b405ea9a686604b53b4e23372 |
| SHA256 | dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1 |
| SHA512 | 92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128 |
memory/2964-71-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-68-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-86-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-87-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-85-0x0000000000400000-0x0000000000983000-memory.dmp
\Users\Admin\AppData\Local\Temp\MSIDAE4.tmp
| MD5 | 84878b1a26f8544bda4e069320ad8e7d |
| SHA1 | 51c6ee244f5f2fa35b563bffb91e37da848a759c |
| SHA256 | 809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444 |
| SHA512 | 4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549 |
memory/2964-92-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-93-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2964-94-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\potato.dat
| MD5 | 75e60ef89ecc910055472854c6879be0 |
| SHA1 | 5c247e1ebfcdfabba35841f3a10c8e6f9259ac10 |
| SHA256 | 0b343170c8279aff7006ba6c0981128c66c9ed378446dc9f80796b9eac40c7cc |
| SHA512 | 4707eada759e3a55e3de70c4c7618e58454c33a56e0559ce99e71e1d1224ed106fcbc19ed5dae29536010c631505abbb75f0507061e2945f6e7f9ee578e98996 |
memory/1048-106-0x00000000038D0000-0x0000000003A98000-memory.dmp
memory/1532-108-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/2572-110-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/328-116-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1532-117-0x0000000003AE0000-0x0000000003F8F000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
| MD5 | 6f3b825f098993be0b5dbd0e42790b15 |
| SHA1 | cb6b13faf195f76f064c19d5b1a08b5d0633d3ea |
| SHA256 | c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e |
| SHA512 | bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c |
memory/2572-141-0x0000000003C40000-0x00000000040EF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.Admin\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite
| MD5 | 2eab03c24e521ee22c08a3e3bab16d7f |
| SHA1 | d8ea20c5d4e7866c66ef36201e27fce4e10ad12b |
| SHA256 | 5c1fffc1e126ebbc19e4ef0cff60d5a0278cc57868737157746827acf7248ba2 |
| SHA512 | 916cefe311d2b01d58062a022f5172880bd99c817b421f354a75a5c09e013676da7e2c16f333f1be121d62cb848b9739b0f2c4d2f45c56789574b93a97c7685b |
C:\Users\Admin\AppData\Local\Login Data1730899692224
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Program Files (x86)\gdiview\gdiview\GDIView.exe
| MD5 | 292ce5c1baa3da54f5bfd847bdd92fa1 |
| SHA1 | 4d98e3522790a9408e7e85d0e80c3b54a43318e1 |
| SHA256 | c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1 |
| SHA512 | 87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d |
C:\Config.Msi\f773017.rbs
| MD5 | 1f045165d66202b7effbe44454a1f55d |
| SHA1 | 1420be5e376e4a55d3113ef1270e3d085e157cac |
| SHA256 | dd9b9da116f11bf08d8708f80dfb0f40f9cfdcb6d8b3a4ebe6724fdfa57bcf8e |
| SHA512 | 42a245b86b8fae4196d71b60224eee5db6c67dc20ff20bf5a2cd0321ea1591dd52c58226178a299474de54d9be307e6784f8bfb129fc6b3f6a8331c33c590fc5 |
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
| MD5 | 26baf1dd4e0c44975cf943b6d5269b07 |
| SHA1 | 4648e9a79c7a4fd5be622128ddc5af68697f3121 |
| SHA256 | 9117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9 |
| SHA512 | 57adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef |
memory/2996-260-0x0000000000020000-0x000000000002D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab4A3C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar4ABB.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
| MD5 | b2d8ce7b40730bc6615728b1b1795ce9 |
| SHA1 | 5cf7a63f3ecc2184e7b2894c78538d89f7063fe1 |
| SHA256 | ee4b58514316c6fc928e60245384560a24723e690a3311e8c2dd9e8efd5de7ca |
| SHA512 | cc79016627fb17a864ca3414f8bc598d52a9d17ec64ee1005b059a84597fe16493203879ff1c5a5ed46cf15a9e590098672a4b21a38852cace9bb02d8f1c531e |
\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe
| MD5 | 874d5bd8807cebd41fd65ea12f4f9252 |
| SHA1 | d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d |
| SHA256 | 2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985 |
| SHA512 | b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48 |
memory/2588-352-0x0000000000B90000-0x0000000000BC2000-memory.dmp
memory/2588-353-0x00000000003B0000-0x00000000003B6000-memory.dmp
memory/2588-354-0x00000000003C0000-0x00000000003E6000-memory.dmp
memory/2588-355-0x0000000000450000-0x0000000000456000-memory.dmp
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
| MD5 | f0372ff8a6148498b19e04203dbb9e69 |
| SHA1 | 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8 |
| SHA256 | 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf |
| SHA512 | 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865 |
\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
| MD5 | 6a714c56525073f78181129ce52175db |
| SHA1 | eb7a9356e9cc40368e1774035c23b15b7c8d792b |
| SHA256 | 57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4 |
| SHA512 | 04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550 |
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
memory/2504-402-0x00000000003A0000-0x00000000003FB000-memory.dmp
memory/2028-410-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2504-448-0x00000000001B0000-0x00000000001D2000-memory.dmp
memory/2504-452-0x00000000001B0000-0x00000000001D2000-memory.dmp
memory/328-453-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | a6279ec92ff948760ce53bba817d6a77 |
| SHA1 | 5345505e12f9e4c6d569a226d50e71b5a572dce2 |
| SHA256 | 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181 |
| SHA512 | 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c |
memory/328-458-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2504-459-0x00000000003A0000-0x00000000003FB000-memory.dmp
memory/2504-460-0x00000000001B0000-0x00000000001D2000-memory.dmp
memory/2504-461-0x00000000001B0000-0x00000000001D2000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Azorult
Azorult family
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
Fabookie
Fabookie family
Ffdroider family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899694706.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899701565.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpninbmhpmehoefpljadodpenldocmko\1.0.0.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5064 set thread context of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 5064 set thread context of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\gdiview\gdiview\GDIView.chm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\gdiview\gdiview\GDIView.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\gdiview\gdiview\readme.txt | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI59.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57ff51.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57ff4f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57ff4f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831} | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1730899701565.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\1730899694706.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = … | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899694706.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899694706.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899701565.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899701565.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899694706.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1730899701565.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
keygen-step-1.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
keygen-step-3.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
keygen-step-4.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FE04C6CB747C1F6FA10C5F771D755675 C
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Roaming\1730899694706.exe
"C:\Users\Admin\AppData\Roaming\1730899694706.exe" /sjson "C:\Users\Admin\AppData\Roaming\1730899694706.txt"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Users\Admin\AppData\Roaming\1730899701565.exe
"C:\Users\Admin\AppData\Roaming\1730899701565.exe" /sjson "C:\Users\Admin\AppData\Roaming\1730899701565.txt"
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2996 -ip 2996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1484
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\RarSFX2\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\installer.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win7-20240708-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Azorult
Azorult family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
Files
memory/292-0-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
146s
Command Line
Signatures
Azorult
Azorult family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"
Network
Files
memory/4440-0-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win7-20241010-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wsfsd33sdfer.com | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-06 13:27
Reported
2024-11-06 13:30
Platform
win7-20240903-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
Fabookie
Fabookie family
Ffdroider family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bocopbdbcpnoplhedfdmmjhedbhgdman\1.0.0.0_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 976 set thread context of 408 | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 976 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\gdiview\gdiview\GDIView.chm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\gdiview\gdiview\GDIView.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\gdiview\gdiview\readme.txt | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6B03.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77697e.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77697d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f77697e.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f776980.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f77697d.msi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob value omitted) | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob value omitted) | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = (binary blob value omitted) | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 99B6AD8E38F322291751F0899FC78603 C
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "000000000000056C"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe"
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe"
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fae6d2a1ac2748db.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 62e4cb87e7e0fe29.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | afc7178613230274.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | e85c5b0caef0cd16.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | bf2614e472c0e137.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| HK | 101.36.107.74:80 | | tcp |
| US | 8.8.8.8:53 | 584013404cfbb28e.xyz | udp |
| US | 8.8.8.8:53 | 3b47af116e9c7975.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 80ca3a4c7b51e846.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | 4d928c61332a7a36.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.212.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | arganaif.org | udp |
| DE | 173.212.247.85:443 | arganaif.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | cryptobstar.xyz | udp |
| US | 162.249.67.147:80 | fae6d2a1ac2748db.xyz | tcp |
| US | 8.8.8.8:53 | d8b2d8b1562e74f4.xyz | udp |
| US | 8.8.8.8:53 | FAE6D2A1AC2748DB.xyz | udp |
| US | 162.249.67.147:80 | FAE6D2A1AC2748DB.xyz | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | uehge4g6gh.2ihsfa.com | udp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | edeb50f0b803732a581ab558bf87d968 |
| SHA1 | 35858ce564d4c8b080bae606bf67292f5b9b2201 |
| SHA256 | ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6 |
| SHA512 | 8c47a7964791452fc499046d60b08b99f7a986b3827cddeba88b20e91c0ff69475314f17662c33286f421d433fb507a9c673bcce75f0c5bb333ca6e58b219273 |
memory/1624-19-0x00000000037F0000-0x00000000039B8000-memory.dmp
memory/1624-29-0x00000000037F0000-0x00000000039B8000-memory.dmp
memory/2652-32-0x0000000010000000-0x000000001033D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
| MD5 | 7cc103f6fd70c6f3a2d2b9fca0438182 |
| SHA1 | 699bd8924a27516b405ea9a686604b53b4e23372 |
| SHA256 | dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1 |
| SHA512 | 92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128 |
C:\Users\Admin\AppData\Local\Temp\MSI944.tmp
| MD5 | 84878b1a26f8544bda4e069320ad8e7d |
| SHA1 | 51c6ee244f5f2fa35b563bffb91e37da848a759c |
| SHA256 | 809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444 |
| SHA512 | 4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549 |
memory/2652-50-0x00000000037E0000-0x00000000039A8000-memory.dmp
memory/2652-49-0x00000000037E0000-0x00000000039A8000-memory.dmp
memory/2476-52-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/976-54-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/2476-60-0x0000000003900000-0x0000000003DAF000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
| MD5 | 6f3b825f098993be0b5dbd0e42790b15 |
| SHA1 | cb6b13faf195f76f064c19d5b1a08b5d0633d3ea |
| SHA256 | c6ee0d49bdb6580c6a972e1b087ba4973984843c94832082cb0454e17386ab2e |
| SHA512 | bff72b5587ce20201e08919456726872aa253eceb7836884995f2807aaf1d6dc9ebd681c3aa6e34a56be18f1f3369bea4876df6836329dd43202103db7b7d34c |
memory/976-84-0x00000000039C0000-0x0000000003E6F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.Admin\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite
| MD5 | 2eab03c24e521ee22c08a3e3bab16d7f |
| SHA1 | d8ea20c5d4e7866c66ef36201e27fce4e10ad12b |
| SHA256 | 5c1fffc1e126ebbc19e4ef0cff60d5a0278cc57868737157746827acf7248ba2 |
| SHA512 | 916cefe311d2b01d58062a022f5172880bd99c817b421f354a75a5c09e013676da7e2c16f333f1be121d62cb848b9739b0f2c4d2f45c56789574b93a97c7685b |
C:\Users\Admin\AppData\Local\Login Data1730899691996
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
\Program Files (x86)\gdiview\gdiview\GDIView.exe
| MD5 | 292ce5c1baa3da54f5bfd847bdd92fa1 |
| SHA1 | 4d98e3522790a9408e7e85d0e80c3b54a43318e1 |
| SHA256 | c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1 |
| SHA512 | 87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d |
C:\Config.Msi\f77697f.rbs
| MD5 | 8fc44989f844df7e988c775fdb1ec82b |
| SHA1 | 7eca140831251ee00b8951d80ea7922eb2e69ee9 |
| SHA256 | 78952a41ff52d0b3a65af6eb6cdc3506def18d6302c1d52b1cee0c4ca1eb216d |
| SHA512 | 268c6fb06872167d0eb1782fd1888b559a99d5370ddfe4b2204f529844bb15677c1c8df61f711b60aacb0415fec88ab64f558d76b099062f5cdd13306d994da5 |
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
| MD5 | 26baf1dd4e0c44975cf943b6d5269b07 |
| SHA1 | 4648e9a79c7a4fd5be622128ddc5af68697f3121 |
| SHA256 | 9117de15747527123f93284c821ea2e681b574639112532e66ad37a8246d98c9 |
| SHA512 | 57adccbf3424849a19291e9e4ec018a4f3b1ca5fbdfedd16592fadae5c7664249eafcff85e916dd2342ab47b6440ac314af63360aaafba1a11c7356c0f27fcef |
memory/1336-202-0x0000000000020000-0x000000000002D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7E75.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar7EE5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
| MD5 | b2d8ce7b40730bc6615728b1b1795ce9 |
| SHA1 | 5cf7a63f3ecc2184e7b2894c78538d89f7063fe1 |
| SHA256 | ee4b58514316c6fc928e60245384560a24723e690a3311e8c2dd9e8efd5de7ca |
| SHA512 | cc79016627fb17a864ca3414f8bc598d52a9d17ec64ee1005b059a84597fe16493203879ff1c5a5ed46cf15a9e590098672a4b21a38852cace9bb02d8f1c531e |
\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
| MD5 | 874d5bd8807cebd41fd65ea12f4f9252 |
| SHA1 | d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d |
| SHA256 | 2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985 |
| SHA512 | b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48 |
memory/2864-299-0x0000000000920000-0x0000000000952000-memory.dmp
memory/2864-300-0x0000000000540000-0x0000000000546000-memory.dmp
memory/2864-301-0x0000000000550000-0x0000000000576000-memory.dmp
memory/2864-302-0x0000000000910000-0x0000000000916000-memory.dmp
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
| MD5 | f0372ff8a6148498b19e04203dbb9e69 |
| SHA1 | 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8 |
| SHA256 | 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf |
| SHA512 | 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865 |
\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
| MD5 | 6a714c56525073f78181129ce52175db |
| SHA1 | eb7a9356e9cc40368e1774035c23b15b7c8d792b |
| SHA256 | 57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4 |
| SHA512 | 04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550 |
memory/2300-352-0x00000000001F0000-0x000000000024B000-memory.dmp
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
memory/2300-350-0x00000000001F0000-0x000000000024B000-memory.dmp
memory/1084-357-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1084-360-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
| MD5 | b7161c0845a64ff6d7345b67ff97f3b0 |
| SHA1 | d223f855da541fe8e4c1d5c50cb26da0a1deb5fc |
| SHA256 | fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66 |
| SHA512 | 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2968655833bf8b086be583d58fa7d5ea |
| SHA1 | dea52db3540e7c75bff3805abe7f555d67dfbec8 |
| SHA256 | bf2d74fe8cea96de6cd0ffcb91d3e3fe10c3ae37a69db614d32c96e65dadc54e |
| SHA512 | 1f7e1b6b6374500a345d354e4164428877ac471a6301bc734ce2a66ec59c1be72d726be708bd4fa889ce5d5176c9db762aa667b8a71bfe8c96b632d01a688d84 |
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | a6279ec92ff948760ce53bba817d6a77 |
| SHA1 | 5345505e12f9e4c6d569a226d50e71b5a572dce2 |
| SHA256 | 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181 |
| SHA512 | 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c |
memory/2300-401-0x00000000001F0000-0x0000000000212000-memory.dmp
memory/2468-413-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2300-415-0x00000000001F0000-0x000000000024B000-memory.dmp
memory/2300-416-0x00000000001F0000-0x0000000000212000-memory.dmp
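The network rows and the Files listing above are the parts of this report an analyst usually has to turn into machine-readable IOCs by hand. The script below is an added example, not part of the original report and not tooling from the sandbox vendor: it parses the three row shapes used on this page (network rows, file paths followed by hash rows, and `memory/<pid>-<n>-<start>-<end>-memory.dmp` dump names) and runs three checks that the listing itself suggests: a path written more than once with different content (`\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe` appears twice above with different hashes), dumped regions of identical size across several PIDs (the 0x1C8000-byte regions in PIDs 1624, 2652, 2476 and 976), and endpoints contacted repeatedly. `EXCERPT` is a shortened copy of rows from this page, embedded so the script runs offline; the function names and the threshold of three connections are the author's own choices.

```python
"""Turn a Triage-style sandbox report listing into IOCs and run three checks.

Added example, not part of the original report and not sandbox-vendor tooling.
EXCERPT is a shortened copy of rows from the report's own network table and
Files section (most entries omitted), embedded so the script runs offline.
"""
import re
from collections import Counter, defaultdict

EXCERPT = r"""
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | uehge4g6gh.2ihsfa.com | tcp |
| US | 13.248.169.48:80 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | edeb50f0b803732a581ab558bf87d968 |
| SHA256 | ee9743026ad49017735e58c3d9ee9198db87eb6a3ab77242aa9d15155a9504b6 |
memory/1624-19-0x00000000037F0000-0x00000000039B8000-memory.dmp
memory/2652-50-0x00000000037E0000-0x00000000039A8000-memory.dmp
memory/2476-52-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/976-54-0x0000000000400000-0x00000000005C8000-memory.dmp
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | a6279ec92ff948760ce53bba817d6a77 |
| SHA256 | 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181 |
"""

# Row shapes used by the report. The network row accepts an empty or entirely
# missing domain cell, since the page has one row with only country, endpoint
# and protocol left.
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
NET_ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+:\d+)\s*\|(?:\s*([^|]*?)\s*\|)?\s*(tcp|udp)\s*\|$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\")


def parse_report(text):
    """Return (files, dumps, flows, domains).

    files   : list of {"path": ..., "md5": ..., "sha256": ...} in report order
    dumps   : list of (pid, index, start, end) from memory/<pid>-<n>-<start>-<end>
    flows   : Counter of ip:port -> number of rows (the report lists one row per connection)
    domains : dict of ip:port -> set of domain names seen with that endpoint
    """
    files, dumps = [], []
    flows, domains = Counter(), defaultdict(set)
    current = None  # the file entry that following hash rows belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_DUMP.match(line):
            pid, idx, start, end = m.groups()
            dumps.append((int(pid), int(idx), int(start, 16), int(end, 16)))
        elif (m := HASH_ROW.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2)
        elif m := NET_ROW.match(line):
            endpoint, domain = m.group(2), (m.group(3) or "").strip()
            flows[endpoint] += 1
            if domain:
                domains[endpoint].add(domain)
        elif PATH_LINE.match(line):
            current = {"path": line}
            files.append(current)
    return files, dumps, flows, dict(domains)


def overwritten_paths(files):
    """Paths listed more than once with different SHA256 values: the same name
    was written with different content during the run, i.e. the dropper reused
    one temp file name for successive payloads."""
    by_path = defaultdict(set)
    for f in files:
        if "sha256" in f:
            by_path[f["path"]].add(f["sha256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def shared_region_sizes(dumps):
    """Dumped regions grouped by size, keeping sizes seen in more than one PID.
    Equal-sized regions at different bases in several processes are a cheap hint
    that one image was mapped into each of them; check it against the report's
    SetThreadContext / WriteProcessMemory signatures before drawing conclusions."""
    by_size = defaultdict(set)
    for pid, _idx, start, end in dumps:
        by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def repeated_endpoints(flows, threshold=3):
    """Endpoints contacted at least `threshold` times (threshold is an assumed
    value): repeated connections to one ip:port are the flows to pull packets
    for when looking for a C2 poll."""
    return {ep: n for ep, n in flows.items() if n >= threshold}


if __name__ == "__main__":
    files, dumps, flows, domains = parse_report(EXCERPT)
    for path, hashes in overwritten_paths(files).items():
        print(f"path reused with {len(hashes)} different contents: {path}")
    for size, pids in shared_region_sizes(dumps).items():
        print(f"region size 0x{size:X} dumped from PIDs {pids}")
    for ep, n in repeated_endpoints(flows).items():
        names = ", ".join(sorted(domains.get(ep, []))) or "no domain"
        print(f"{n} connections to {ep} ({names})")
```

Run against the full page text instead of `EXCERPT` to get every dropped file's hashes as a dictionary list, and raise the threshold in `repeated_endpoints` to taste; the 0x1C8000 grouping is only a lead, since two unrelated modules can share a size.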