Malware Analysis Report

2024-11-13 18:55

Sample ID 241107-km9wsa1rfm
Target 1384f5282e8bb65c9a3e75b7d9fce5b0
SHA256 f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8
Tags
discovery socelars spyware stealer smokeloader pub5 backdoor trojan gcleaner loader pub3 onlylogger redline v2user1 infostealer media17223 aspackv2 privateloader fabookie nullmixer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Threat Level: Known bad

The file 1384f5282e8bb65c9a3e75b7d9fce5b0 was found to be: Known bad.

Malicious Activity Summary

discovery socelars spyware stealer smokeloader pub5 backdoor trojan gcleaner loader pub3 onlylogger redline v2user1 infostealer media17223 aspackv2 privateloader fabookie nullmixer upx

Socelars family

Socelars payload

RedLine payload

Nullmixer family

RedLine

Privateloader family

OnlyLogger

Detect Fabookie payload

GCleaner

Redline family

SmokeLoader

Smokeloader family

Onlylogger family

Fabookie family

Socelars

Gcleaner family

NirSoft WebBrowserPassView

Detected Nirsoft tools

OnlyLogger payload

Blocklisted process makes network request

ASPack v2.12-2.42

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Drops Chrome extension

Looks up geolocation information via web service

Checks installed software on the system

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

UPX packed file

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Kills process with taskkill

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 08:44

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie family

fabookie

Nullmixer family

nullmixer

Privateloader family

privateloader

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-B3N04.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 1464 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 1464 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2944 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2944 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2944 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 4488 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-B3N04.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 4488 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-B3N04.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 4488 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-B3N04.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$A0050,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-B3N04.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B3N04.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$5023A,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 noplayboy.com udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/1464-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1464-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-6MPUT.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2944-7-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HLU9M.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/4488-20-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4488-22-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1464-29-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2944-26-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7OF7A.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1356-35-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4488-40-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1356-42-0x0000000000400000-0x00000000004BD000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FR 212.193.30.45:80 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 45.144.225.57:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

Signatures

Socelars

stealer socelars

Socelars family

socelars

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754426785872833" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4392 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4392 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1316 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1316 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5116 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5032 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 5032 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4300 wrote to memory of 2668 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc542dcc40,0x7ffc542dcc4c,0x7ffc542dcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2276 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4500 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3676,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3704 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5484,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5624 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4968,i,4455926952679446462,154757943744716610,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5612 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.listincode.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.187.234:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.187.234:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.14:443 google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp

Files

\??\pipe\crashpad_4300_HRVOLAFCOEQIQLMG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 1f92d8b5e04ed5383a64341ce79c2816
SHA1 51409cc01cc7ec1a86770226dc1d6a8a9fe52e93
SHA256 34b6dc62304ae77df147850bec73d6b2f497b66f06998203040aac7859b00718
SHA512 5ff264e9cafa34d228174c53db0609a2a7ee5092d19f3461c5390e472acfe6014ad316f90cc2fe3a37e347934edf3d310cac558a17a1e9db842082cac8bac5b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\scoped_dir4300_2081325151\14faef06-33ee-497f-9c5a-dca9f8916a03.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir4300_2081325151\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 c10bcf53ef6152591cc28bb0eabd6e12
SHA1 3014c65608ca84fc4db1d0cc539872235e83ff77
SHA256 bccc7526761fa454b1774bb59bfd5600790ac367992691ad5cdd6093c2be8458
SHA512 e87ef5c039220d36817bf6e1994c318f37d26074ca1262931ea883cbd095597d23276968865490281ad42bde338330756135bdf0545829208d4e7050f3ebc3cf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1109f281db833e0c6f34914a0d7c5236
SHA1 4245566f4374246d692b6195973ebeb4a88d4895
SHA256 36f7853a658299ae23981e32cfa854e3f81caf4c7d5009fb9d5e8a7fef0d1d11
SHA512 95b592fc449fd330616d8826e61789c75502f1247cb76196631de9fa34c4a0973ec23cbe16f00b9954f4354638c9025f4ed79fe7eac2a72546037c69f4c92804

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 b427c4334ef88464456ed283efaf24ff
SHA1 553687717cbec5ae9dbaa5092acdd079662e79b0
SHA256 e5445b3bb040866eb735ca8c0ca8a8490dd1da0aafad6883862e678e15916b33
SHA512 e4fcb76343c8dfc2f36e7846dd7cd10b5d928a7bdb987d0ef9ae37283b44798a9a68b2f3d48ebae4fff0ab4d82398e67822adba662f35dc6719925760d878b2a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5125ec8bbf5c9c9d0228761d0b8e8545
SHA1 788b5989b9c1fc23d6122d54aa93cab22cbaefe0
SHA256 9eb413c4f96380013b7d475f7a69fc94ecc24c7b2b709c1de59314640d744069
SHA512 79ed022a714d48d9e2f7b3abd8650ea5858c3708ecc66bfd8e42d4be58e92c4c828561e1f176b624c5d740c0b20985740604b3d83e2da82d48982aca2c89de0f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 eb39d30395c79b1d013f13358ada26db
SHA1 ae57b0832df671b08f3666ee835cd9c622b5874d
SHA256 24a3c24433c234e86aa305594788683b25c2607d697a6b38e2911a9a68b06bc2
SHA512 4f2e9824b9f45577aeab1396b4c4ceed588c4ff6e1314141342f6d410e4a4100f48adec32eba1fa13b480e5c8c80b739f228bc68925bb81ba64dd480127a005b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 245ef80859d188779ee89e73c15e5c68
SHA1 07a8f4ae9f5ff333c2ce226f4b5ec68eec73bc87
SHA256 9ccc2dfe4ee7e5a8adbe6a7134948d75c6f7b26d258bc4aeee90dbe98fbdd418
SHA512 df577c7f099507d5267401c7a4d6c85182e66bb98b1f7894cedf51a0dff2a6d96a7d9c6208c476a5741672e3fb3e12abe463504ea3c8272c081c2c2b4ef9f57a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a6764e78491ae43a78adefdfa2b54006
SHA1 4832e77e214d245fa7c1611c422d207780671d7d
SHA256 eb24d3e734e7308c5dff36292561f55b2797980e4904b649d2832cafdde573c8
SHA512 5261de17efa438ebbfc6915b13b7f277f050087393d7285efb8472fe4a052092ab77c4c3b4fd6f0ecce9533c43cbc81bf9cdcf45aad36d13f618007a1d8c547b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 9d928e27417941ba195eff2b7e9f5e84
SHA1 cd3ba062b5468f7d32f73e67c7b57a42f5455508
SHA256 bd7f6fc1246e876cf2819b5e42ea7b8717d624ebdd5afe643378baa7d8a49064
SHA512 200bec74ee3429c2184b74eb8123105f75ff5ca439c32cbb10f3ed294c880b46d80242835ced2aa2373a0e2d88be284ab5130a6169aa37b792ce5bec97cb4ba9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 c15720ed900a59917f27cd3879069dc9
SHA1 ea2e3fc5351801dfa6748e96e46a29a3fb8e4940
SHA256 c334415808dac2012e618e6652ee70f6f4c3821a840c5689fdc003345efac154
SHA512 45b9b6ea9c1db82f857b9a4b4f734f7a13492a36ebbec14951ea0205a5aec845773cedeef01056a7c99dbf339637d5d3bca4a91103646ac34f39cda17d82f08e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 de0d0d4e310094c7de09f7928ef54c0f
SHA1 0b4a36fff0dacede29afaff0cb6985989dc65b28
SHA256 abd7b46e89724dbeaaad721d03edd5027de6b0467b476b04f1fcc7a60cb40f1e
SHA512 c6786ed76af205c012a1a11c2badd5a63508bccee87b27a1d944d60ce67e0af2d734f86c2412329f2718e99782dd83a757b211092d1dd97e1a1f20f126b5756c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 472b72acd83ddf7a4038c24b911de687
SHA1 2bde3e5d3f0e1fb1ddce4812e5f0e2127e9c9e50
SHA256 105885b950d828202b515f144eb5f55459a5f243a5e5a3c3d663538117bc6461
SHA512 b560aa4e6d5a428c9ff2fbadbaa855f2730d3842876bc14151990e0be9bf64a5618cbaad6019d93da9c8e9471cc1805f2d7c60a781d11972159624000d65b7dd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 636020fdbe6bd3c2a5c9d445a8d5340d
SHA1 7512f568bd52be6663a437cd2307af01e65f0325
SHA256 78e51ac06f78bf49dc56ba7417df2c86f3310796ac2d0cc8def0bc56a2ec83ed
SHA512 480ed0e11b3ebf0d4e2965f5eb205d9b550a3dfb9cbac5c202e26d0178c19919015a50ec217f36049de58c9e5be794f04e9b5a22b27061cf1225e52cefee8382

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4944 -ip 4944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 352

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4944-0-0x0000000000580000-0x0000000000588000-memory.dmp

memory/4944-1-0x0000000000590000-0x0000000000599000-memory.dmp

memory/4944-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4944-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4944-4-0x0000000000580000-0x0000000000588000-memory.dmp

memory/4944-5-0x0000000000590000-0x0000000000599000-memory.dmp

memory/4944-6-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:47

Platform

win7-20241010-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 v.xyzgamev.com udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

Signatures

Socelars

stealer socelars

Socelars family

socelars

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.listincode.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240903-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 2828 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 2828 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 2828 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 2720 wrote to memory of 2248 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2720 wrote to memory of 2248 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2720 wrote to memory of 2248 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2720 wrote to memory of 2248 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2720 wrote to memory of 2248 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2720 wrote to memory of 2248 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2720 wrote to memory of 2248 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2248 wrote to memory of 1480 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 2248 wrote to memory of 1480 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 2248 wrote to memory of 1480 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 2248 wrote to memory of 1480 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 1480 wrote to memory of 2916 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 2916 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 2916 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 2916 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 2916 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 2916 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1480 wrote to memory of 2916 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\G1V6MSEY.nr

Network

Country Destination Domain Proto
FR 78.112.80.48:8080 tcp
FR 78.112.80.48:8080 tcp

Files

memory/2248-6-0x00000000025E0000-0x00000000035E0000-memory.dmp

memory/2248-7-0x000000002D430000-0x000000002D4E1000-memory.dmp

memory/2248-8-0x0000000000B30000-0x0000000000BCD000-memory.dmp

memory/2248-9-0x0000000000B30000-0x0000000000BCD000-memory.dmp

memory/2248-11-0x0000000000B30000-0x0000000000BCD000-memory.dmp

memory/2248-12-0x00000000025E0000-0x00000000035E0000-memory.dmp

memory/2248-16-0x0000000000B30000-0x0000000000BCD000-memory.dmp

memory/2248-18-0x000000002F2F0000-0x000000002F386000-memory.dmp

memory/2248-17-0x000000002D4F0000-0x000000002F2E2000-memory.dmp

memory/2248-19-0x0000000000D10000-0x0000000000DA0000-memory.dmp

memory/2916-25-0x00000000027B0000-0x00000000037B0000-memory.dmp

memory/2916-27-0x000000002D380000-0x000000002D431000-memory.dmp

memory/2916-29-0x000000002D440000-0x000000002D4DD000-memory.dmp

memory/2916-31-0x000000002D440000-0x000000002D4DD000-memory.dmp

memory/2916-32-0x00000000027B0000-0x00000000037B0000-memory.dmp

memory/2916-40-0x000000002D440000-0x000000002D4DD000-memory.dmp

memory/2916-41-0x000000002D4E0000-0x000000002F2D2000-memory.dmp

memory/2916-42-0x000000002F2E0000-0x000000002F376000-memory.dmp

memory/2916-44-0x00000000002D0000-0x0000000000360000-memory.dmp

memory/2916-47-0x00000000002D0000-0x0000000000360000-memory.dmp

memory/2916-48-0x0000000000090000-0x0000000000093000-memory.dmp

memory/2916-49-0x00000000000A0000-0x00000000000A5000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7502b8389b_Tue233252e9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 900 -ip 900

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7502b8389b_Tue233252e9.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1724

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 myvideodonwload.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:80 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
RU 91.241.19.125:80 tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 91.241.19.125:80 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 172.67.74.161:80 iplogger.org tcp
US 8.8.8.8:53 myvideodonwload.com udp
US 172.67.74.161:80 iplogger.org tcp
US 8.8.8.8:53 youtube4kdowloader.club udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/900-0-0x00000000004B0000-0x00000000004D0000-memory.dmp

memory/900-1-0x00000000005D0000-0x0000000000608000-memory.dmp

memory/900-2-0x0000000000400000-0x000000000043B000-memory.dmp

memory/900-3-0x00000000004B0000-0x00000000004D0000-memory.dmp

memory/900-4-0x0000000000400000-0x0000000000462000-memory.dmp

memory/900-5-0x00000000005D0000-0x0000000000608000-memory.dmp

memory/900-9-0x0000000000400000-0x0000000000462000-memory.dmp

memory/900-10-0x0000000000400000-0x000000000043B000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20241010-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2724 set thread context of 2776 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Network

N/A

Files

memory/2724-0-0x0000000000020000-0x0000000000029000-memory.dmp

memory/2724-1-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2776-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2776-7-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2724-6-0x0000000000020000-0x0000000000029000-memory.dmp

memory/2776-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2776-8-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\G1V6MSEY.nr

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/1932-5-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-6-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-7-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-8-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-9-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-10-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-11-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-12-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-13-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-14-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-15-0x000000002D880000-0x000000002D931000-memory.dmp

memory/1932-16-0x000000002D940000-0x000000002D9DD000-memory.dmp

memory/1932-17-0x000000002D940000-0x000000002D9DD000-memory.dmp

memory/1932-19-0x000000002D940000-0x000000002D9DD000-memory.dmp

memory/1932-20-0x0000000002830000-0x0000000003830000-memory.dmp

memory/1932-24-0x000000002D940000-0x000000002D9DD000-memory.dmp

memory/1932-25-0x000000002D9E0000-0x000000002F7D2000-memory.dmp

memory/1932-26-0x000000002F7E0000-0x000000002F876000-memory.dmp

memory/1932-27-0x000000002F880000-0x000000002F910000-memory.dmp

memory/2032-32-0x00000000031E0000-0x00000000041E0000-memory.dmp

memory/2032-34-0x00000000031E0000-0x00000000041E0000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f

Network

N/A

Files

memory/2688-0-0x0000000000220000-0x000000000024A000-memory.dmp

memory/2688-1-0x0000000000250000-0x000000000029C000-memory.dmp

memory/2688-2-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2688-3-0x0000000000400000-0x000000000046C000-memory.dmp

memory/2688-5-0x0000000000250000-0x000000000029C000-memory.dmp

memory/2688-4-0x0000000000220000-0x000000000024A000-memory.dmp

memory/2688-6-0x0000000000400000-0x0000000000450000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240903-en

Max time kernel

134s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1388 set thread context of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1388 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1388 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1388 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1388 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1388 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1388 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1388 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1388 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Network

Country Destination Domain Proto
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp

Files

memory/1388-0-0x000000007479E000-0x000000007479F000-memory.dmp

memory/1388-1-0x0000000000D50000-0x0000000000DDA000-memory.dmp

memory/1388-2-0x0000000074790000-0x0000000074E7E000-memory.dmp

memory/1388-3-0x0000000074790000-0x0000000074E7E000-memory.dmp

memory/2748-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2748-7-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2748-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2748-5-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2748-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2748-10-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1388-16-0x0000000074790000-0x0000000074E7E000-memory.dmp

memory/2748-15-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2748-17-0x0000000074790000-0x0000000074E7E000-memory.dmp

memory/2748-12-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2748-18-0x0000000074790000-0x0000000074E7E000-memory.dmp

memory/2748-19-0x0000000074790000-0x0000000074E7E000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 100 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 100 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 100 wrote to memory of 1372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1372 -ip 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 664

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp

Files

memory/1372-0-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1372-1-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1372-12-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1372-11-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1372-9-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1372-10-0x000000006494A000-0x000000006494F000-memory.dmp

memory/1372-13-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1372-8-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1372-6-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1372-5-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1372-4-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1372-2-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1372-7-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1372-3-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1372-16-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1372-20-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1372-19-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1372-21-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4964 set thread context of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4964 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4964 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4964 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4964 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4964 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4964 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4964 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4964 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp

Files

memory/4964-0-0x000000007506E000-0x000000007506F000-memory.dmp

memory/4964-1-0x00000000005E0000-0x000000000066A000-memory.dmp

memory/4964-2-0x0000000004EF0000-0x0000000004F66000-memory.dmp

memory/4964-3-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4964-4-0x0000000075060000-0x0000000075810000-memory.dmp

memory/4964-5-0x0000000004EA0000-0x0000000004EBE000-memory.dmp

memory/4964-6-0x0000000005820000-0x0000000005DC4000-memory.dmp

memory/1140-7-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61e7501b7eabe_Tue2344597f.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/1140-12-0x00000000056C0000-0x00000000056D2000-memory.dmp

memory/4964-13-0x0000000075060000-0x0000000075810000-memory.dmp

memory/1140-11-0x0000000005CC0000-0x00000000062D8000-memory.dmp

memory/1140-10-0x0000000075060000-0x0000000075810000-memory.dmp

memory/1140-14-0x0000000005830000-0x000000000593A000-memory.dmp

memory/1140-16-0x0000000075060000-0x0000000075810000-memory.dmp

memory/1140-15-0x0000000005760000-0x000000000579C000-memory.dmp

memory/1140-17-0x00000000057A0000-0x00000000057EC000-memory.dmp

memory/1140-18-0x0000000075060000-0x0000000075810000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4976 set thread context of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 4976 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 4976 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 4976 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 4976 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 4976 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 4976 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 4976 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/4976-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/4976-1-0x0000000000BC0000-0x0000000000C4A000-memory.dmp

memory/4976-2-0x00000000055E0000-0x0000000005656000-memory.dmp

memory/4976-3-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/4976-4-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/4976-5-0x00000000055C0000-0x00000000055DE000-memory.dmp

memory/4976-6-0x0000000006030000-0x00000000065D4000-memory.dmp

memory/3112-7-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61e7501c830d6_Tue23bdf4712a32.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/4976-12-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/3112-13-0x0000000005020000-0x0000000005032000-memory.dmp

memory/3112-11-0x0000000005580000-0x0000000005B98000-memory.dmp

memory/3112-10-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/3112-14-0x0000000005150000-0x000000000525A000-memory.dmp

memory/3112-15-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/3112-16-0x0000000005080000-0x00000000050BC000-memory.dmp

memory/3112-17-0x00000000050C0000-0x000000000510C000-memory.dmp

memory/3112-18-0x0000000074D90000-0x0000000075540000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:47

Platform

win7-20241010-en

Max time kernel

143s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2600 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2600 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2600 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2600 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2600 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2600 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2160 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2160 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2160 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2160 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2160 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2160 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2160 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2496 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2496 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2496 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2496 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2496 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2496 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2496 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$60154,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EO4PP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$70154,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

Network

Country Destination Domain Proto
US 8.8.8.8:53 noplayboy.com udp

Files

memory/2600-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2600-2-0x0000000000401000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-9G587.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2160-8-0x0000000000400000-0x00000000004BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-OOB42.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-OOB42.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2496-23-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2160-25-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2600-28-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2496-26-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2496-44-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2944-45-0x0000000000400000-0x00000000004BD000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:47

Platform

win7-20241010-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 136

Network

N/A

Files

memory/1728-1-0x0000000000030000-0x0000000000039000-memory.dmp

memory/1728-0-0x0000000000020000-0x0000000000028000-memory.dmp

memory/1728-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1728-4-0x0000000000030000-0x0000000000039000-memory.dmp

memory/1728-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1728-5-0x0000000000020000-0x0000000000028000-memory.dmp

memory/1728-3-0x0000000000400000-0x000000000044A000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240729-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2500 set thread context of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2500 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2500 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2500 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2500 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2500 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2500 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2500 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2500 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Network

Country Destination Domain Proto
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp

Files

memory/2500-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/2500-1-0x0000000000300000-0x000000000038A000-memory.dmp

memory/2500-2-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2500-3-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2248-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2248-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2248-11-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2248-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2248-8-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2248-7-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2248-13-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2248-16-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2248-18-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2500-17-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2248-19-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2248-20-0x0000000074A00000-0x00000000750EE000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7502b8389b_Tue233252e9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7502b8389b_Tue233252e9.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 myvideodonwload.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:80 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
RU 91.241.19.125:80 tcp
RU 91.241.19.125:80 tcp
RU 91.241.19.125:80 tcp
RU 91.241.19.125:80 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:80 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:80 iplogger.org tcp
US 8.8.8.8:53 youtube4kdowloader.club udp

Files

memory/1292-0-0x0000000000020000-0x0000000000040000-memory.dmp

memory/1292-1-0x0000000000260000-0x0000000000298000-memory.dmp

memory/1292-2-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1292-3-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1292-4-0x0000000000020000-0x0000000000040000-memory.dmp

memory/1292-5-0x0000000000260000-0x0000000000298000-memory.dmp

memory/1292-6-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1292-16-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1292-15-0x0000000000400000-0x0000000000462000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 dpcapps.me udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

memory/3344-0-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/3344-5-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/3344-4-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/3344-3-0x0000000000401000-0x0000000000444000-memory.dmp

memory/3344-2-0x0000000002730000-0x000000000276B000-memory.dmp

memory/3344-1-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/3344-6-0x0000000000820000-0x0000000000838000-memory.dmp

memory/3344-13-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/3344-14-0x0000000000A10000-0x0000000000A1A000-memory.dmp

memory/3344-15-0x0000000005110000-0x00000000056B4000-memory.dmp

memory/3344-16-0x0000000002AF0000-0x0000000002B82000-memory.dmp

memory/3344-20-0x0000000002730000-0x000000000276B000-memory.dmp

memory/3344-18-0x0000000000820000-0x0000000000838000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:47

Platform

win7-20241010-en

Max time kernel

33s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1436

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/948-3-0x0000000000400000-0x0000000000480000-memory.dmp

memory/948-6-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 d0527733abcc5c58735e11d43061b431
SHA1 28de9d191826192721e325787b8a50a84328cffd
SHA256 b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA512 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

memory/4964-11-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4964-17-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 30188d66149fba77523414f45f7b03ff
SHA1 6c7be340f942984c5003bc37aaf64925a6f4fc3f
SHA256 b2229fb8531832fe5cf163921798e3828f07ef77f26d372a594254c9651c2929
SHA512 3ab25089b7a65c55b6f674d637731d180d55209b0246d385c79fde511572e6c06a834b2d0fbd12cc9cfd4a29264f374f23e0396c47eeb51128c5d5d8def73e85

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20241023-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dpcapps.me udp

Files

memory/2884-0-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/2884-1-0x00000000003C0000-0x00000000003FB000-memory.dmp

memory/2884-3-0x0000000000340000-0x0000000000341000-memory.dmp

memory/2884-5-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/2884-4-0x0000000000401000-0x0000000000444000-memory.dmp

memory/2884-2-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/2884-6-0x0000000000380000-0x0000000000398000-memory.dmp

memory/2884-13-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/2884-14-0x00000000003A0000-0x00000000003AA000-memory.dmp

memory/2884-15-0x00000000003C0000-0x00000000003FB000-memory.dmp

memory/2884-16-0x0000000000380000-0x0000000000398000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 248

Network

N/A

Files

memory/2276-4-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2276-7-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2276-6-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2276-5-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2276-3-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2276-2-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2276-1-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2276-0-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2276-9-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2276-8-0x000000006B440000-0x000000006B4CF000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4724 wrote to memory of 1112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4724 wrote to memory of 1112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4724 wrote to memory of 1112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1112 -ip 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1112-3-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1112-5-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1112-4-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1112-2-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1112-1-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1112-0-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1112-6-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1112-7-0x000000006EB40000-0x000000006EB63000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 260

Network

N/A

Files

memory/2644-0-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2644-1-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2644-3-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2644-7-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2644-13-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2644-12-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2644-11-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2644-10-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2644-9-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2644-8-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2644-5-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2644-4-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2644-2-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2644-6-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2644-18-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2644-16-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2644-15-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2644-14-0x000000006B280000-0x000000006B2A6000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3768 set thread context of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3768-0-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/3768-1-0x00000000001D0000-0x00000000001D9000-memory.dmp

memory/2144-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2144-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2144-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3768-5-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/2144-6-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Network

Country Destination Domain Proto
FR 212.193.30.45:80 tcp
US 45.144.225.57:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 2.56.59.42:80 tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 668 -ip 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 668 -ip 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 668 -ip 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 668 -ip 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 668 -ip 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 668 -ip 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 956

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 668 -ip 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 980

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/668-0-0x0000000000580000-0x00000000005AA000-memory.dmp

memory/668-1-0x00000000006D0000-0x000000000071C000-memory.dmp

memory/668-2-0x0000000000400000-0x0000000000450000-memory.dmp

memory/668-4-0x00000000006D0000-0x000000000071C000-memory.dmp

memory/668-3-0x0000000000400000-0x000000000046C000-memory.dmp

memory/668-6-0x0000000000400000-0x0000000000450000-memory.dmp

memory/668-5-0x0000000000580000-0x00000000005AA000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 1204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 1204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 1204 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 1204 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 1204 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 1204 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 1204 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 1204 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Windows\system32\WerFault.exe
PID 1204 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Windows\system32\WerFault.exe
PID 1204 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1204 -s 476

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.hhiuew33.com udp

Files

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/2708-6-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2708-8-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/2260-17-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 d0527733abcc5c58735e11d43061b431
SHA1 28de9d191826192721e325787b8a50a84328cffd
SHA256 b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA512 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

memory/2260-23-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 46183ada973d3bfaab7be726c800e96e
SHA1 7fcb7272b04d8b1caaf1343ec720461ca79f45c2
SHA256 0cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f
SHA512 338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-07 08:44

Reported

2024-11-07 08:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1456 -ip 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1836

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A