Analysis Overview
| SHA256 | f588626ae93f8d280520dc8a46009d01c68129006b6786641a458963af97b5bc |
Threat Level: Known bad
The file 476257ebcbb7ecfa831e625b1d110d6b was found to be: Known bad.
Malicious Activity Summary
Fabookie
GCleaner
Smokeloader family
Gcleaner family
RedLine payload
Fabookie family
RedLine
Detect Fabookie payload
Redline family
SmokeLoader
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Checks computer location settings
VMProtect packed file
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-09 05:56 |
Signatures
Unsigned PE
Analysis: behavioral4
Detonation Overview
| Submitted | 2024-11-09 05:56 |
| Reported | 2024-11-09 05:58 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 150s |
| Max time network | 151s |
Command Line
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
GCleaner
Gcleaner family
RedLine
RedLine payload
Redline family
SmokeLoader
Smokeloader family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-4F6QS.tmp\628e54e02a93b_c820032.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e90ed62_5334eb4d12.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e3a0747_ed24a9c5da.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-23TGH.tmp\628e54eb12f29_19a8386c8a.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4F6QS.tmp\628e54e02a93b_c820032.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9EI3F.tmp\628e54e02a93b_c820032.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4464 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e7eb628_9d99fab57f.exe | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e7eb628_9d99fab57f.exe |
| PID 3960 set thread context of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dc06ca5_d13f73d.exe | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dc06ca5_d13f73d.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\myinstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-9EI3F.tmp\628e54e02a93b_c820032.tmp | N/A |
| File created | C:\Program Files (x86)\myinstaller\is-NRC7J.tmp | C:\Users\Admin\AppData\Local\Temp\is-9EI3F.tmp\628e54e02a93b_c820032.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\myinstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-9EI3F.tmp\628e54e02a93b_c820032.tmp | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dc06ca5_d13f73d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e108f5b_e0c250f52b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9EI3F.tmp\628e54e02a93b_c820032.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54db139b7_3622eb547b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e5260e5_73b5a3dba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-4F6QS.tmp\628e54e02a93b_c820032.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e7eb628_9d99fab57f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e3a0747_ed24a9c5da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e02a93b_c820032.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e90ed62_5334eb4d12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dc06ca5_d13f73d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e7eb628_9d99fab57f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e02a93b_c820032.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-23TGH.tmp\628e54eb12f29_19a8386c8a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54eb12f29_19a8386c8a.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e108f5b_e0c250f52b.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e108f5b_e0c250f52b.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e108f5b_e0c250f52b.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e5260e5_73b5a3dba.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dc06ca5_d13f73d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54db139b7_3622eb547b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9EI3F.tmp\628e54e02a93b_c820032.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zS8248E997\setup_install.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54db139b7_3622eb547b.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54dc06ca5_d13f73d.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54dd948c8_bdbfe0e55.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54e02a93b_c820032.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54e108f5b_e0c250f52b.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54e3a0747_ed24a9c5da.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54e5260e5_73b5a3dba.exe /mixtwo |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54e6a6a3b_9dab9e.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54e7eb628_9d99fab57f.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54e90ed62_5334eb4d12.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 628e54eb12f29_19a8386c8a.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e108f5b_e0c250f52b.exe | 628e54e108f5b_e0c250f52b.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54db139b7_3622eb547b.exe | 628e54db139b7_3622eb547b.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe | 628e54dd948c8_bdbfe0e55.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dc06ca5_d13f73d.exe | 628e54dc06ca5_d13f73d.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e5260e5_73b5a3dba.exe | 628e54e5260e5_73b5a3dba.exe /mixtwo |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e3a0747_ed24a9c5da.exe | 628e54e3a0747_ed24a9c5da.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e90ed62_5334eb4d12.exe | 628e54e90ed62_5334eb4d12.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e6a6a3b_9dab9e.exe | 628e54e6a6a3b_9dab9e.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54eb12f29_19a8386c8a.exe | 628e54eb12f29_19a8386c8a.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e7eb628_9d99fab57f.exe | 628e54e7eb628_9d99fab57f.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e02a93b_c820032.exe | 628e54e02a93b_c820032.exe |
| C:\Users\Admin\AppData\Local\Temp\is-23TGH.tmp\628e54eb12f29_19a8386c8a.tmp | "C:\Users\Admin\AppData\Local\Temp\is-23TGH.tmp\628e54eb12f29_19a8386c8a.tmp" /SL5="$801CE,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54eb12f29_19a8386c8a.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-4F6QS.tmp\628e54e02a93b_c820032.tmp | "C:\Users\Admin\AppData\Local\Temp\is-4F6QS.tmp\628e54e02a93b_c820032.tmp" /SL5="$60038,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e02a93b_c820032.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dc06ca5_d13f73d.exe | C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dc06ca5_d13f73d.exe |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe | "C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54dd948c8_bdbfe0e55.exe" -h |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e7eb628_9d99fab57f.exe | 628e54e7eb628_9d99fab57f.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2396 -ip 2396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1772 -ip 1772 |
| C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e02a93b_c820032.exe | "C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e02a93b_c820032.exe" /VERYSILENT |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 460 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /im "628e54e90ed62_5334eb4d12.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e90ed62_5334eb4d12.exe" & exit |
| C:\Users\Admin\AppData\Local\Temp\is-9EI3F.tmp\628e54e02a93b_c820032.tmp | "C:\Users\Admin\AppData\Local\Temp\is-9EI3F.tmp\628e54e02a93b_c820032.tmp" /SL5="$30212,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS8248E997\628e54e02a93b_c820032.exe" /VERYSILENT |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 356 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1796 -ip 1796 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 1304 |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\System32\regsvr32.exe" /U SL5G26.S -S |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2396 -ip 2396 |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im "628e54e90ed62_5334eb4d12.exe" /f |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 772 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2396 -ip 2396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 780 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2396 -ip 2396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 824 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2396 -ip 2396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 832 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2396 -ip 2396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 992 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2396 -ip 2396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1028 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2396 -ip 2396 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1284 |
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 05:56
Reported
2024-11-09 05:58
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\setup_install.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\setup_install.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe
"C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54db139b7_3622eb547b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54dc06ca5_d13f73d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54dd948c8_bdbfe0e55.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e02a93b_c820032.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e108f5b_e0c250f52b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e3a0747_ed24a9c5da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e5260e5_73b5a3dba.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e6a6a3b_9dab9e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e7eb628_9d99fab57f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e90ed62_5334eb4d12.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54eb12f29_19a8386c8a.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
Network
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 62c031e5a7ff452d122856ceb0fab07d |
| SHA1 | d4ec184055acd1fa5cee0e9a0af478ce21c6921d |
| SHA256 | e2ccabb2928b7d5f92e55cc60a4ed9e9e0c67349b393adf6eb8072980f5ebefa |
| SHA512 | 019cebfbf9bb36c1a57494332e724aac6d3e8afd35a76ed01ee337191c0faf46822f339db883340132ec4d433fee31afd315620c3d705f989b6d0d8750d5c67c |
\Users\Admin\AppData\Local\Temp\7zS80BF5B56\setup_install.exe
| MD5 | f4390b2aa142600086e06d96c6c6d43d |
| SHA1 | 2c7707b4e4237a7870b1fadc3316b67f3ba0e16e |
| SHA256 | 56e5578efb61f1624ddfd9f69ef677dfbd6b7e10e8dac20661c71b83ceebcb7d |
| SHA512 | 87a2ae4162a4ac4f37a8a9db0289e444b030099a7cb8841cc018ddf067f2360b40ea1960d82731aa5a46e1cfb10724442c4115d8ff6b565f3ea827b97f2d0b6a |
\Users\Admin\AppData\Local\Temp\7zS80BF5B56\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2668-70-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2668-69-0x0000000000400000-0x0000000000519000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54eb12f29_19a8386c8a.exe
| MD5 | 739240f8376ccdfed36beda76bcab764 |
| SHA1 | be54ead2c06e3389743ac3356a2dfa936b43047b |
| SHA256 | 09e474b529d4ae7a5052a55b2c6b4c1a86f82ffa9d0ec836d15f98962311cd3a |
| SHA512 | ab5c516fad6e2993ddba82e2e81f6f2a6376999297d86f66d27c61354e1b12874e3fd9b5b880a20dc48f3ec1c9d28b5e92e1b5acd5fcc8e76cbd500db549013b |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54e7eb628_9d99fab57f.exe
| MD5 | ac65f2c596bea94c9b50a39925efd184 |
| SHA1 | 99266bed39b8888bb5454b433529641b441b0df4 |
| SHA256 | 05301420d5074271535fbd30b167031e32f537a2b9a623596f65583ccd61d99a |
| SHA512 | b424b2238197c51b72a5f06a4cf2117b30d83cd85ff31cc41c2c5f423b6bcd96b297c94145b0756a911a0acd31908fb1efd500bb13e5e23a09122618d66363fb |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54e5260e5_73b5a3dba.exe
| MD5 | bb56078ddaa0e5e1a98a0785c0ef766c |
| SHA1 | c42a1c57a5680a91a0958bad0181556149516daa |
| SHA256 | def799a3a3599ce27bacba2efce4460afc18d5d256dcc9988200a3399e3a44da |
| SHA512 | 84fdbc5d496e854250b895cb9f71eac19d6c233d356222aadcf9c49c6c8ff3925f480b2e6599764e7e49746770d98e13a9491bf8dcdeb83157035dbc530886d9 |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54e108f5b_e0c250f52b.exe
| MD5 | 3c7723d13222b4958456a20d311cc8c4 |
| SHA1 | d31b6202a187f9718a6772c0895f43d71558da8c |
| SHA256 | 51003ca2a3efcc8bd9d6f0e1a0570450da6382f2a9dc5642e2738c77eec9021e |
| SHA512 | 5ba31d79c39e9053d95445305279aa728fa9921b4c8703a30bae3121000f1d37305869fa0a607495fd5cf8a71461315c9d29561f38b5a615a09d6a279feac288 |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54dd948c8_bdbfe0e55.exe
| MD5 | c502751e146757341de931736af21225 |
| SHA1 | 4e100575fd329b47d3b358bbf3313b8c656005fb |
| SHA256 | 48fca3228e955b485282b19fffaaa7657cecf99518965701e5918ac65d556a01 |
| SHA512 | 4a51fcf4ca57996a7d6bbad782bac3596f6983b6ed3e26ac7fd838269abb9dff9c0d35edd95a278edde81c2ba88efb10d6d106e9d914029ecf0c459444d6080a |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54e90ed62_5334eb4d12.exe
| MD5 | 24c5458c851184d7ea7f112380217a4f |
| SHA1 | 85d24abfd8060a3fc5d0a1701f173dcc531b4de5 |
| SHA256 | a1e01f75a4409528927fb37d743e9ed794e7206fa6a8f9478d48257f15b31d8b |
| SHA512 | 098dcd40271619191f8c0210dedbc120e4257f40c8d9ee39a0a0a4cf150b03a8d0e1fa8f2b7ae894371565cc70ad8266d45d3ea919abce22d85c7b4a82c89048 |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54e6a6a3b_9dab9e.exe
| MD5 | aa361f61a27919a04dbc72eb8b0c1c56 |
| SHA1 | e1be1931ce09e9273c5d00a1b64d24245c240d82 |
| SHA256 | c7462edcc58099edbf6e4acc8e7e3b35e1bee5bb25b1ec535a56e8733f605854 |
| SHA512 | b8ab02c92479f808b50e01ff1f1db5eb5f51277741f1a2623a33b7e8155f2b8cfec521853af316c9b838f6156bc231401cbde3c83a78071d56e3dde135052872 |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54e3a0747_ed24a9c5da.exe
| MD5 | 0b3797915ac9117308dbd3233bf2704e |
| SHA1 | 1b5ae1898b98ef37897c62cce18014ff004df48b |
| SHA256 | b994e608b7598669acb1a8b2a1bb38377db13866e2ae5f2176629996c70a3c57 |
| SHA512 | 051dd4a79e6b20f7fbb119415def8436e1d8d80c0ed77faa01b12c67ebbe99df868d5feeca475204a8789479de3795fe5e674e371d3e6b4d7c006cbf9224578f |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54e02a93b_c820032.exe
| MD5 | 43eaf2e2226cd28ba7142ddfdd47356e |
| SHA1 | 410c2586b4b181976a93534deefe6d46aa58bfd1 |
| SHA256 | a072b6112f5ea82e5914c1f3314aafc92b234f5a252eda19f889581adb4e6a65 |
| SHA512 | ab27255598f6eefe30912f1278741975b4449a41691138ccba660200356ea74a8df7f88bc9d682582850bdd4340079f0e6cc92843f192f4a848eaae0fe4601e8 |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54dc06ca5_d13f73d.exe
| MD5 | 021818706fc0edce007e288a2c236108 |
| SHA1 | 47072ac86f0cb8165d7ac5eb129ba5ba0f6f3d2b |
| SHA256 | f6664bf6bd4eecb657d9bfcd055ef54730c66c8d440e7df37a4cf20554c168ee |
| SHA512 | 77ccd9604a03a351d2a28d748aaaaa121f1d68b29d0eaecaea19651b003f97ce07862487ddb9ff9638429f60918b55004f4b6a30540281a4d95ecaa67ed3c3b2 |
C:\Users\Admin\AppData\Local\Temp\7zS80BF5B56\628e54db139b7_3622eb547b.exe
| MD5 | 11bb40d70366b08049ba60475a966247 |
| SHA1 | 352319c07af069cd92c888053ef1a64da94afe3e |
| SHA256 | 18a55f728ec409bc3ef9fcc2f3b12214d2b263530d3931bdc6dcc00681d8976d |
| SHA512 | d9ed46eef62503aa26b3947da1826fe01f719ce8521b118e78241f568eb927287385b38d1ba46fd5133f102a1bb963919e0a47d03e16a1c03b9f3a650f722b0d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 05:56
Reported
2024-11-09 05:58
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
SmokeLoader
Smokeloader family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e90ed62_5334eb4d12.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e3a0747_ed24a9c5da.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-8BBSR.tmp\628e54e02a93b_c820032.tmp | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TUANL.tmp\628e54eb12f29_19a8386c8a.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8BBSR.tmp\628e54e02a93b_c820032.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JL32J.tmp\628e54e02a93b_c820032.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 724 set thread context of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e7eb628_9d99fab57f.exe | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e7eb628_9d99fab57f.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\myinstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-JL32J.tmp\628e54e02a93b_c820032.tmp | N/A |
| File created | C:\Program Files (x86)\myinstaller\is-FSPP5.tmp | C:\Users\Admin\AppData\Local\Temp\is-JL32J.tmp\628e54e02a93b_c820032.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\myinstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-JL32J.tmp\628e54e02a93b_c820032.tmp | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e3a0747_ed24a9c5da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-8BBSR.tmp\628e54e02a93b_c820032.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54eb12f29_19a8386c8a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e7eb628_9d99fab57f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e90ed62_5334eb4d12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e108f5b_e0c250f52b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e02a93b_c820032.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e5260e5_73b5a3dba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e02a93b_c820032.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-TUANL.tmp\628e54eb12f29_19a8386c8a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JL32J.tmp\628e54e02a93b_c820032.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e108f5b_e0c250f52b.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e108f5b_e0c250f52b.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e108f5b_e0c250f52b.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e5260e5_73b5a3dba.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JL32J.tmp\628e54e02a93b_c820032.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe
"C:\Users\Admin\AppData\Local\Temp\476257ebcbb7ecfa831e625b1d110d6b.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS04689B67\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54db139b7_3622eb547b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54dc06ca5_d13f73d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54dd948c8_bdbfe0e55.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e02a93b_c820032.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e108f5b_e0c250f52b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e3a0747_ed24a9c5da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e5260e5_73b5a3dba.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e6a6a3b_9dab9e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e7eb628_9d99fab57f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e90ed62_5334eb4d12.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54eb12f29_19a8386c8a.exe
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe
628e54dd948c8_bdbfe0e55.exe
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e5260e5_73b5a3dba.exe
628e54e5260e5_73b5a3dba.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e02a93b_c820032.exe
628e54e02a93b_c820032.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e6a6a3b_9dab9e.exe
628e54e6a6a3b_9dab9e.exe
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54eb12f29_19a8386c8a.exe
628e54eb12f29_19a8386c8a.exe
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e108f5b_e0c250f52b.exe
628e54e108f5b_e0c250f52b.exe
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e3a0747_ed24a9c5da.exe
628e54e3a0747_ed24a9c5da.exe
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e7eb628_9d99fab57f.exe
628e54e7eb628_9d99fab57f.exe
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e90ed62_5334eb4d12.exe
628e54e90ed62_5334eb4d12.exe
C:\Users\Admin\AppData\Local\Temp\is-TUANL.tmp\628e54eb12f29_19a8386c8a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TUANL.tmp\628e54eb12f29_19a8386c8a.tmp" /SL5="$401C8,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54eb12f29_19a8386c8a.exe"
C:\Users\Admin\AppData\Local\Temp\is-8BBSR.tmp\628e54e02a93b_c820032.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8BBSR.tmp\628e54e02a93b_c820032.tmp" /SL5="$50232,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e02a93b_c820032.exe"
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe
"C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe" -h
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3624 -ip 3624
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e7eb628_9d99fab57f.exe
628e54e7eb628_9d99fab57f.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2276 -ip 2276
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e02a93b_c820032.exe
"C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e02a93b_c820032.exe" /VERYSILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 356
C:\Users\Admin\AppData\Local\Temp\is-JL32J.tmp\628e54e02a93b_c820032.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JL32J.tmp\628e54e02a93b_c820032.tmp" /SL5="$40236,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e02a93b_c820032.exe" /VERYSILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 460
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "628e54e90ed62_5334eb4d12.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e90ed62_5334eb4d12.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3916 -ip 3916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 1340
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "628e54e90ed62_5334eb4d12.exe" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3624 -ip 3624
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /U SL5G26.S -S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1028
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1284
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kaoru-hanayama.s3.pl-waw.scw.cloud | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| PL | 151.115.10.3:80 | kaoru-hanayama.s3.pl-waw.scw.cloud | tcp |
| US | 8.8.8.8:53 | www.hhiuew33.com | udp |
| US | 8.8.8.8:53 | cristaline.s3.pl-waw.scw.cloud | udp |
| US | 8.8.8.8:53 | glicefud.com | udp |
| PL | 151.115.10.3:80 | cristaline.s3.pl-waw.scw.cloud | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.10.115.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | multilow.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| FR | 212.192.246.217:80 | | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 74.215.36.107:8080 | | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FR | 212.192.246.217:80 | | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | sifddfks.mediagemslive.com | udp |
| US | 104.21.61.46:443 | sifddfks.mediagemslive.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 46.61.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| FR | 212.192.246.217:80 | | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| FR | 212.192.246.217:80 | | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| FR | 212.192.246.217:80 | | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| FR | 212.192.246.217:80 | | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 62c031e5a7ff452d122856ceb0fab07d |
| SHA1 | d4ec184055acd1fa5cee0e9a0af478ce21c6921d |
| SHA256 | e2ccabb2928b7d5f92e55cc60a4ed9e9e0c67349b393adf6eb8072980f5ebefa |
| SHA512 | 019cebfbf9bb36c1a57494332e724aac6d3e8afd35a76ed01ee337191c0faf46822f339db883340132ec4d433fee31afd315620c3d705f989b6d0d8750d5c67c |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\setup_install.exe
| MD5 | f4390b2aa142600086e06d96c6c6d43d |
| SHA1 | 2c7707b4e4237a7870b1fadc3316b67f3ba0e16e |
| SHA256 | 56e5578efb61f1624ddfd9f69ef677dfbd6b7e10e8dac20661c71b83ceebcb7d |
| SHA512 | 87a2ae4162a4ac4f37a8a9db0289e444b030099a7cb8841cc018ddf067f2360b40ea1960d82731aa5a46e1cfb10724442c4115d8ff6b565f3ea827b97f2d0b6a |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/636-52-0x0000000064940000-0x0000000064959000-memory.dmp
memory/636-51-0x0000000064941000-0x000000006494F000-memory.dmp
memory/636-66-0x0000000064940000-0x0000000064959000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54eb12f29_19a8386c8a.exe
| MD5 | 739240f8376ccdfed36beda76bcab764 |
| SHA1 | be54ead2c06e3389743ac3356a2dfa936b43047b |
| SHA256 | 09e474b529d4ae7a5052a55b2c6b4c1a86f82ffa9d0ec836d15f98962311cd3a |
| SHA512 | ab5c516fad6e2993ddba82e2e81f6f2a6376999297d86f66d27c61354e1b12874e3fd9b5b880a20dc48f3ec1c9d28b5e92e1b5acd5fcc8e76cbd500db549013b |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e90ed62_5334eb4d12.exe
| MD5 | 24c5458c851184d7ea7f112380217a4f |
| SHA1 | 85d24abfd8060a3fc5d0a1701f173dcc531b4de5 |
| SHA256 | a1e01f75a4409528927fb37d743e9ed794e7206fa6a8f9478d48257f15b31d8b |
| SHA512 | 098dcd40271619191f8c0210dedbc120e4257f40c8d9ee39a0a0a4cf150b03a8d0e1fa8f2b7ae894371565cc70ad8266d45d3ea919abce22d85c7b4a82c89048 |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e7eb628_9d99fab57f.exe
| MD5 | ac65f2c596bea94c9b50a39925efd184 |
| SHA1 | 99266bed39b8888bb5454b433529641b441b0df4 |
| SHA256 | 05301420d5074271535fbd30b167031e32f537a2b9a623596f65583ccd61d99a |
| SHA512 | b424b2238197c51b72a5f06a4cf2117b30d83cd85ff31cc41c2c5f423b6bcd96b297c94145b0756a911a0acd31908fb1efd500bb13e5e23a09122618d66363fb |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e6a6a3b_9dab9e.exe
| MD5 | aa361f61a27919a04dbc72eb8b0c1c56 |
| SHA1 | e1be1931ce09e9273c5d00a1b64d24245c240d82 |
| SHA256 | c7462edcc58099edbf6e4acc8e7e3b35e1bee5bb25b1ec535a56e8733f605854 |
| SHA512 | b8ab02c92479f808b50e01ff1f1db5eb5f51277741f1a2623a33b7e8155f2b8cfec521853af316c9b838f6156bc231401cbde3c83a78071d56e3dde135052872 |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e108f5b_e0c250f52b.exe
| MD5 | 3c7723d13222b4958456a20d311cc8c4 |
| SHA1 | d31b6202a187f9718a6772c0895f43d71558da8c |
| SHA256 | 51003ca2a3efcc8bd9d6f0e1a0570450da6382f2a9dc5642e2738c77eec9021e |
| SHA512 | 5ba31d79c39e9053d95445305279aa728fa9921b4c8703a30bae3121000f1d37305869fa0a607495fd5cf8a71461315c9d29561f38b5a615a09d6a279feac288 |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e02a93b_c820032.exe
| MD5 | 43eaf2e2226cd28ba7142ddfdd47356e |
| SHA1 | 410c2586b4b181976a93534deefe6d46aa58bfd1 |
| SHA256 | a072b6112f5ea82e5914c1f3314aafc92b234f5a252eda19f889581adb4e6a65 |
| SHA512 | ab27255598f6eefe30912f1278741975b4449a41691138ccba660200356ea74a8df7f88bc9d682582850bdd4340079f0e6cc92843f192f4a848eaae0fe4601e8 |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dd948c8_bdbfe0e55.exe
| MD5 | c502751e146757341de931736af21225 |
| SHA1 | 4e100575fd329b47d3b358bbf3313b8c656005fb |
| SHA256 | 48fca3228e955b485282b19fffaaa7657cecf99518965701e5918ac65d556a01 |
| SHA512 | 4a51fcf4ca57996a7d6bbad782bac3596f6983b6ed3e26ac7fd838269abb9dff9c0d35edd95a278edde81c2ba88efb10d6d106e9d914029ecf0c459444d6080a |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e5260e5_73b5a3dba.exe
| MD5 | bb56078ddaa0e5e1a98a0785c0ef766c |
| SHA1 | c42a1c57a5680a91a0958bad0181556149516daa |
| SHA256 | def799a3a3599ce27bacba2efce4460afc18d5d256dcc9988200a3399e3a44da |
| SHA512 | 84fdbc5d496e854250b895cb9f71eac19d6c233d356222aadcf9c49c6c8ff3925f480b2e6599764e7e49746770d98e13a9491bf8dcdeb83157035dbc530886d9 |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54e3a0747_ed24a9c5da.exe
| MD5 | 0b3797915ac9117308dbd3233bf2704e |
| SHA1 | 1b5ae1898b98ef37897c62cce18014ff004df48b |
| SHA256 | b994e608b7598669acb1a8b2a1bb38377db13866e2ae5f2176629996c70a3c57 |
| SHA512 | 051dd4a79e6b20f7fbb119415def8436e1d8d80c0ed77faa01b12c67ebbe99df868d5feeca475204a8789479de3795fe5e674e371d3e6b4d7c006cbf9224578f |
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54db139b7_3622eb547b.exe
| MD5 | 11bb40d70366b08049ba60475a966247 |
| SHA1 | 352319c07af069cd92c888053ef1a64da94afe3e |
| SHA256 | 18a55f728ec409bc3ef9fcc2f3b12214d2b263530d3931bdc6dcc00681d8976d |
| SHA512 | d9ed46eef62503aa26b3947da1826fe01f719ce8521b118e78241f568eb927287385b38d1ba46fd5133f102a1bb963919e0a47d03e16a1c03b9f3a650f722b0d |
memory/636-64-0x0000000000400000-0x0000000000519000-memory.dmp
memory/4604-75-0x0000000000400000-0x000000000046D000-memory.dmp
memory/732-82-0x0000000140000000-0x0000000140615000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-TUANL.tmp\628e54eb12f29_19a8386c8a.tmp
| MD5 | a5ea5f8ae934ab6efe216fc1e4d1b6dc |
| SHA1 | cb52a9e2aa2aa0e6e82fa44879055003a91207d7 |
| SHA256 | be998499deb4ad2cbb87ff38e372f387baf4da3a15faf6d0a43c5cc137650d9e |
| SHA512 | f13280508fb43734809321f65741351aedd1613c3c989e978147dbb5a59efb02494349fbf6ee96b85de5ad049493d8382372993f3d54b80e84e36edf986e915c |
C:\Users\Admin\AppData\Local\Temp\is-8BBSR.tmp\628e54e02a93b_c820032.tmp
| MD5 | 892965cf131bc5a238d8c7a190718c80 |
| SHA1 | dde8dde7d656a8ce413cb4cb8b6b46afe3a6eabb |
| SHA256 | 724b85f1f97ebaa793f4e0bba29337657cd4393c04948cfae1ddc8613a3e319e |
| SHA512 | 729996beead85b36acfe2172255559ef388c9a31303c3a1e4403be819d5c4b005e4cdae950ff04047d15f10fb8be8fb27f529a8c66bf29319e944068905a1954 |
memory/4068-91-0x00000000059F0000-0x0000000006018000-memory.dmp
memory/4068-88-0x00000000032C0000-0x00000000032F6000-memory.dmp
memory/2072-70-0x0000000000400000-0x00000000004D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS04689B67\628e54dc06ca5_d13f73d.exe
| MD5 | 021818706fc0edce007e288a2c236108 |
| SHA1 | 47072ac86f0cb8165d7ac5eb129ba5ba0f6f3d2b |
| SHA256 | f6664bf6bd4eecb657d9bfcd055ef54730c66c8d440e7df37a4cf20554c168ee |
| SHA512 | 77ccd9604a03a351d2a28d748aaaaa121f1d68b29d0eaecaea19651b003f97ce07862487ddb9ff9638429f60918b55004f4b6a30540281a4d95ecaa67ed3c3b2 |
C:\Users\Admin\AppData\Local\Temp\is-NHSM8.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/4068-110-0x00000000057B0000-0x00000000057D2000-memory.dmp
memory/4068-112-0x00000000058C0000-0x0000000005926000-memory.dmp
memory/4068-115-0x0000000006220000-0x0000000006574000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgp4pavl.btn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4344-113-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2060-128-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/4068-111-0x0000000005850000-0x00000000058B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-Q7KA9.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 05:56
Reported
2024-11-09 05:58
Platform
win7-20240708-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
SmokeLoader
Smokeloader family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1964 set thread context of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e7eb628_9d99fab57f.exe | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e7eb628_9d99fab57f.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\myinstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OAFTH.tmp\628e54e02a93b_c820032.tmp | N/A |
| File created | C:\Program Files (x86)\myinstaller\is-96EKI.tmp | C:\Users\Admin\AppData\Local\Temp\is-OAFTH.tmp\628e54e02a93b_c820032.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\myinstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OAFTH.tmp\628e54e02a93b_c820032.tmp | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e02a93b_c820032.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-2FUOB.tmp\628e54eb12f29_19a8386c8a.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e90ed62_5334eb4d12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-DMUJ5.tmp\628e54e02a93b_c820032.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e02a93b_c820032.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54eb12f29_19a8386c8a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e108f5b_e0c250f52b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e3a0747_ed24a9c5da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-OAFTH.tmp\628e54e02a93b_c820032.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e7eb628_9d99fab57f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e7eb628_9d99fab57f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e5260e5_73b5a3dba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e5260e5_73b5a3dba.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OAFTH.tmp\628e54e02a93b_c820032.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54db139b7_3622eb547b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54dc06ca5_d13f73d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54dd948c8_bdbfe0e55.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e02a93b_c820032.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e108f5b_e0c250f52b.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e3a0747_ed24a9c5da.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e5260e5_73b5a3dba.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e6a6a3b_9dab9e.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e7eb628_9d99fab57f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54e90ed62_5334eb4d12.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 628e54eb12f29_19a8386c8a.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe
628e54dd948c8_bdbfe0e55.exe
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e90ed62_5334eb4d12.exe
628e54e90ed62_5334eb4d12.exe
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e02a93b_c820032.exe
628e54e02a93b_c820032.exe
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54eb12f29_19a8386c8a.exe
628e54eb12f29_19a8386c8a.exe
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e3a0747_ed24a9c5da.exe
628e54e3a0747_ed24a9c5da.exe
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe" -h
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e108f5b_e0c250f52b.exe
628e54e108f5b_e0c250f52b.exe
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e5260e5_73b5a3dba.exe
628e54e5260e5_73b5a3dba.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e6a6a3b_9dab9e.exe
628e54e6a6a3b_9dab9e.exe
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e7eb628_9d99fab57f.exe
628e54e7eb628_9d99fab57f.exe
C:\Users\Admin\AppData\Local\Temp\is-2FUOB.tmp\628e54eb12f29_19a8386c8a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2FUOB.tmp\628e54eb12f29_19a8386c8a.tmp" /SL5="$60158,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54eb12f29_19a8386c8a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 272
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e7eb628_9d99fab57f.exe
628e54e7eb628_9d99fab57f.exe
C:\Users\Admin\AppData\Local\Temp\is-DMUJ5.tmp\628e54e02a93b_c820032.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DMUJ5.tmp\628e54e02a93b_c820032.tmp" /SL5="$401F2,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e02a93b_c820032.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e02a93b_c820032.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e02a93b_c820032.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\is-OAFTH.tmp\628e54e02a93b_c820032.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OAFTH.tmp\628e54e02a93b_c820032.tmp" /SL5="$A01AE,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e02a93b_c820032.exe" /VERYSILENT
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /U SL5G26.S -S
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1928 -s 480
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "628e54e90ed62_5334eb4d12.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e90ed62_5334eb4d12.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "628e54e90ed62_5334eb4d12.exe" /f
Network
| Country | Destination | Domain | Proto |
Files
\Users\Admin\AppData\Local\Temp\7zS0AB76496\setup_install.exe
| MD5 | f4390b2aa142600086e06d96c6c6d43d |
| SHA1 | 2c7707b4e4237a7870b1fadc3316b67f3ba0e16e |
| SHA256 | 56e5578efb61f1624ddfd9f69ef677dfbd6b7e10e8dac20661c71b83ceebcb7d |
| SHA512 | 87a2ae4162a4ac4f37a8a9db0289e444b030099a7cb8841cc018ddf067f2360b40ea1960d82731aa5a46e1cfb10724442c4115d8ff6b565f3ea827b97f2d0b6a |
\Users\Admin\AppData\Local\Temp\7zS0AB76496\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2332-48-0x0000000064940000-0x0000000064959000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dc06ca5_d13f73d.exe
| MD5 | 021818706fc0edce007e288a2c236108 |
| SHA1 | 47072ac86f0cb8165d7ac5eb129ba5ba0f6f3d2b |
| SHA256 | f6664bf6bd4eecb657d9bfcd055ef54730c66c8d440e7df37a4cf20554c168ee |
| SHA512 | 77ccd9604a03a351d2a28d748aaaaa121f1d68b29d0eaecaea19651b003f97ce07862487ddb9ff9638429f60918b55004f4b6a30540281a4d95ecaa67ed3c3b2 |
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54dd948c8_bdbfe0e55.exe
| MD5 | c502751e146757341de931736af21225 |
| SHA1 | 4e100575fd329b47d3b358bbf3313b8c656005fb |
| SHA256 | 48fca3228e955b485282b19fffaaa7657cecf99518965701e5918ac65d556a01 |
| SHA512 | 4a51fcf4ca57996a7d6bbad782bac3596f6983b6ed3e26ac7fd838269abb9dff9c0d35edd95a278edde81c2ba88efb10d6d106e9d914029ecf0c459444d6080a |
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54db139b7_3622eb547b.exe
| MD5 | 11bb40d70366b08049ba60475a966247 |
| SHA1 | 352319c07af069cd92c888053ef1a64da94afe3e |
| SHA256 | 18a55f728ec409bc3ef9fcc2f3b12214d2b263530d3931bdc6dcc00681d8976d |
| SHA512 | d9ed46eef62503aa26b3947da1826fe01f719ce8521b118e78241f568eb927287385b38d1ba46fd5133f102a1bb963919e0a47d03e16a1c03b9f3a650f722b0d |
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e02a93b_c820032.exe
| MD5 | 43eaf2e2226cd28ba7142ddfdd47356e |
| SHA1 | 410c2586b4b181976a93534deefe6d46aa58bfd1 |
| SHA256 | a072b6112f5ea82e5914c1f3314aafc92b234f5a252eda19f889581adb4e6a65 |
| SHA512 | ab27255598f6eefe30912f1278741975b4449a41691138ccba660200356ea74a8df7f88bc9d682582850bdd4340079f0e6cc92843f192f4a848eaae0fe4601e8 |
memory/2332-47-0x0000000064941000-0x000000006494F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54eb12f29_19a8386c8a.exe
| MD5 | 739240f8376ccdfed36beda76bcab764 |
| SHA1 | be54ead2c06e3389743ac3356a2dfa936b43047b |
| SHA256 | 09e474b529d4ae7a5052a55b2c6b4c1a86f82ffa9d0ec836d15f98962311cd3a |
| SHA512 | ab5c516fad6e2993ddba82e2e81f6f2a6376999297d86f66d27c61354e1b12874e3fd9b5b880a20dc48f3ec1c9d28b5e92e1b5acd5fcc8e76cbd500db549013b |
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e7eb628_9d99fab57f.exe
| MD5 | ac65f2c596bea94c9b50a39925efd184 |
| SHA1 | 99266bed39b8888bb5454b433529641b441b0df4 |
| SHA256 | 05301420d5074271535fbd30b167031e32f537a2b9a623596f65583ccd61d99a |
| SHA512 | b424b2238197c51b72a5f06a4cf2117b30d83cd85ff31cc41c2c5f423b6bcd96b297c94145b0756a911a0acd31908fb1efd500bb13e5e23a09122618d66363fb |
memory/2332-60-0x0000000000400000-0x0000000000519000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e90ed62_5334eb4d12.exe
| MD5 | 24c5458c851184d7ea7f112380217a4f |
| SHA1 | 85d24abfd8060a3fc5d0a1701f173dcc531b4de5 |
| SHA256 | a1e01f75a4409528927fb37d743e9ed794e7206fa6a8f9478d48257f15b31d8b |
| SHA512 | 098dcd40271619191f8c0210dedbc120e4257f40c8d9ee39a0a0a4cf150b03a8d0e1fa8f2b7ae894371565cc70ad8266d45d3ea919abce22d85c7b4a82c89048 |
memory/2332-62-0x0000000064940000-0x0000000064959000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e6a6a3b_9dab9e.exe
| MD5 | aa361f61a27919a04dbc72eb8b0c1c56 |
| SHA1 | e1be1931ce09e9273c5d00a1b64d24245c240d82 |
| SHA256 | c7462edcc58099edbf6e4acc8e7e3b35e1bee5bb25b1ec535a56e8733f605854 |
| SHA512 | b8ab02c92479f808b50e01ff1f1db5eb5f51277741f1a2623a33b7e8155f2b8cfec521853af316c9b838f6156bc231401cbde3c83a78071d56e3dde135052872 |
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e3a0747_ed24a9c5da.exe
| MD5 | 0b3797915ac9117308dbd3233bf2704e |
| SHA1 | 1b5ae1898b98ef37897c62cce18014ff004df48b |
| SHA256 | b994e608b7598669acb1a8b2a1bb38377db13866e2ae5f2176629996c70a3c57 |
| SHA512 | 051dd4a79e6b20f7fbb119415def8436e1d8d80c0ed77faa01b12c67ebbe99df868d5feeca475204a8789479de3795fe5e674e371d3e6b4d7c006cbf9224578f |
C:\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e108f5b_e0c250f52b.exe
| MD5 | 3c7723d13222b4958456a20d311cc8c4 |
| SHA1 | d31b6202a187f9718a6772c0895f43d71558da8c |
| SHA256 | 51003ca2a3efcc8bd9d6f0e1a0570450da6382f2a9dc5642e2738c77eec9021e |
| SHA512 | 5ba31d79c39e9053d95445305279aa728fa9921b4c8703a30bae3121000f1d37305869fa0a607495fd5cf8a71461315c9d29561f38b5a615a09d6a279feac288 |
\Users\Admin\AppData\Local\Temp\is-2FUOB.tmp\628e54eb12f29_19a8386c8a.tmp
| MD5 | a5ea5f8ae934ab6efe216fc1e4d1b6dc |
| SHA1 | cb52a9e2aa2aa0e6e82fa44879055003a91207d7 |
| SHA256 | be998499deb4ad2cbb87ff38e372f387baf4da3a15faf6d0a43c5cc137650d9e |
| SHA512 | f13280508fb43734809321f65741351aedd1613c3c989e978147dbb5a59efb02494349fbf6ee96b85de5ad049493d8382372993f3d54b80e84e36edf986e915c |
\Users\Admin\AppData\Local\Temp\7zS0AB76496\628e54e5260e5_73b5a3dba.exe
| MD5 | bb56078ddaa0e5e1a98a0785c0ef766c |
| SHA1 | c42a1c57a5680a91a0958bad0181556149516daa |
| SHA256 | def799a3a3599ce27bacba2efce4460afc18d5d256dcc9988200a3399e3a44da |
| SHA512 | 84fdbc5d496e854250b895cb9f71eac19d6c233d356222aadcf9c49c6c8ff3925f480b2e6599764e7e49746770d98e13a9491bf8dcdeb83157035dbc530886d9 |
C:\Users\Admin\AppData\Local\Temp\is-OAFTH.tmp\628e54e02a93b_c820032.tmp
| MD5 | 892965cf131bc5a238d8c7a190718c80 |
| SHA1 | dde8dde7d656a8ce413cb4cb8b6b46afe3a6eabb |
| SHA256 | 724b85f1f97ebaa793f4e0bba29337657cd4393c04948cfae1ddc8613a3e319e |
| SHA512 | 729996beead85b36acfe2172255559ef388c9a31303c3a1e4403be819d5c4b005e4cdae950ff04047d15f10fb8be8fb27f529a8c66bf29319e944068905a1954 |
C:\Users\Admin\AppData\Local\Temp\is-HMMIN.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |