Malware Analysis Report

2024-11-13 16:52

Sample ID 241109-l1hvwsvpaj
Target f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8
SHA256 f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8
Tags
discovery gcleaner onlylogger loader smokeloader pub3 backdoor trojan redline v2user1 infostealer media17223 socelars spyware stealer pub5 aspackv2 privateloader fabookie nullmixer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Threat Level: Known bad

The file f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8 was found to be: Known bad.

Malicious Activity Summary

discovery gcleaner onlylogger loader smokeloader pub3 backdoor trojan redline v2user1 infostealer media17223 socelars spyware stealer pub5 aspackv2 privateloader fabookie nullmixer upx

Socelars

Smokeloader family

Detect Fabookie payload

RedLine payload

Gcleaner family

Privateloader family

Fabookie family

SmokeLoader

Nullmixer family

RedLine

OnlyLogger

Redline family

GCleaner

Socelars family

Onlylogger family

Socelars payload

NirSoft WebBrowserPassView

OnlyLogger payload

Detected Nirsoft tools

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Deletes itself

ASPack v2.12-2.42

Loads dropped DLL

Checks installed software on the system

Drops Chrome extension

Looks up external IP address via web service

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 09:59

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie family

fabookie

Nullmixer family

nullmixer

Privateloader family

privateloader

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/4220-5-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-6-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-7-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-8-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-9-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-10-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-11-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-12-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-13-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-14-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-15-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-16-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-17-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-18-0x0000000003210000-0x0000000004210000-memory.dmp

memory/4220-19-0x0000000003210000-0x0000000004210000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 784

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 744

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 195.108.222.173.in-addr.arpa udp

Files

memory/2040-0-0x00000000006A0000-0x00000000006CA000-memory.dmp

memory/2040-1-0x0000000000950000-0x000000000099C000-memory.dmp

memory/2040-2-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2040-5-0x0000000000950000-0x000000000099C000-memory.dmp

memory/2040-6-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2040-4-0x00000000006A0000-0x00000000006CA000-memory.dmp

memory/2040-3-0x0000000000400000-0x000000000046C000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4492 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4492 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 652

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 201.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4404-0-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4404-1-0x0000000064941000-0x000000006494F000-memory.dmp

memory/4404-4-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4404-5-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4404-3-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4404-2-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4404-7-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4404-9-0x000000006B440000-0x000000006B4CF000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4800 set thread context of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 219.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 195.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/4800-0-0x0000000000580000-0x0000000000589000-memory.dmp

memory/4800-1-0x0000000000590000-0x0000000000599000-memory.dmp

memory/2096-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4800-4-0x0000000000580000-0x0000000000589000-memory.dmp

memory/2096-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2096-5-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20241010-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 248

Network

N/A

Files

memory/1280-0-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1280-3-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1280-5-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1280-4-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1280-1-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1280-2-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1280-6-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1280-7-0x000000006EB40000-0x000000006EB63000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5048 set thread context of 212 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5048 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 5048 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 89.82.67.80.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp

Files

memory/5048-0-0x000000007468E000-0x000000007468F000-memory.dmp

memory/5048-1-0x0000000000DA0000-0x0000000000E2A000-memory.dmp

memory/5048-2-0x00000000057C0000-0x0000000005836000-memory.dmp

memory/5048-3-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/5048-4-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/5048-5-0x00000000057A0000-0x00000000057BE000-memory.dmp

memory/5048-6-0x0000000006210000-0x00000000067B4000-memory.dmp

memory/212-7-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61e7501c830d6_Tue23bdf4712a32.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/5048-12-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/212-14-0x0000000005420000-0x000000000552A000-memory.dmp

memory/212-13-0x00000000052B0000-0x00000000052C2000-memory.dmp

memory/212-11-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/212-10-0x00000000056D0000-0x0000000005CE8000-memory.dmp

memory/212-15-0x0000000005350000-0x000000000538C000-memory.dmp

memory/212-16-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/212-17-0x00000000053D0000-0x000000000541C000-memory.dmp

memory/212-18-0x0000000074680000-0x0000000074E30000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7502b8389b_Tue233252e9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 412 -ip 412

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7502b8389b_Tue233252e9.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1936

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 myvideodonwload.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:80 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
RU 91.241.19.125:80 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 91.241.19.125:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 89.82.67.80.in-addr.arpa udp
US 172.67.74.161:80 iplogger.org tcp
US 8.8.8.8:53 myvideodonwload.com udp
US 172.67.74.161:80 iplogger.org tcp
US 8.8.8.8:53 youtube4kdowloader.club udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/412-0-0x0000000000580000-0x00000000005A0000-memory.dmp

memory/412-1-0x00000000005D0000-0x0000000000608000-memory.dmp

memory/412-2-0x0000000000400000-0x000000000043B000-memory.dmp

memory/412-3-0x0000000000580000-0x00000000005A0000-memory.dmp

memory/412-4-0x0000000000400000-0x0000000000462000-memory.dmp

memory/412-5-0x00000000005D0000-0x0000000000608000-memory.dmp

memory/412-9-0x0000000000400000-0x0000000000462000-memory.dmp

memory/412-10-0x0000000000400000-0x000000000043B000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4116 -ip 4116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1512

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 104.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4972 set thread context of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4972 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4972 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4972 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4972 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4972 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4972 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4972 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4972 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp

Files

memory/4972-0-0x000000007494E000-0x000000007494F000-memory.dmp

memory/4972-1-0x0000000000A40000-0x0000000000ACA000-memory.dmp

memory/4972-2-0x0000000005470000-0x00000000054E6000-memory.dmp

memory/4972-3-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/4972-4-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/4972-5-0x0000000005440000-0x000000000545E000-memory.dmp

memory/4972-6-0x0000000005DC0000-0x0000000006364000-memory.dmp

memory/3088-7-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3088-11-0x0000000005140000-0x0000000005152000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61e7501b7eabe_Tue2344597f.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/3088-14-0x0000000005270000-0x000000000537A000-memory.dmp

memory/4972-13-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/3088-12-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/3088-16-0x00000000051E0000-0x000000000521C000-memory.dmp

memory/3088-15-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/3088-10-0x00000000056A0000-0x0000000005CB8000-memory.dmp

memory/3088-17-0x0000000005220000-0x000000000526C000-memory.dmp

memory/3088-18-0x0000000074940000-0x00000000750F0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

Signatures

Socelars

stealer socelars

Socelars family

socelars

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.listincode.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
CH 80.67.82.104:80 crl.microsoft.com tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3708 -ip 3708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 352

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 249.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3708-0-0x00000000001D0000-0x00000000001D8000-memory.dmp

memory/3708-1-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/3708-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3708-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3708-4-0x00000000001D0000-0x00000000001D8000-memory.dmp

memory/3708-5-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/3708-6-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dpcapps.me udp

Files

memory/816-0-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/816-1-0x00000000003B0000-0x00000000003EB000-memory.dmp

memory/816-6-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/816-5-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/816-4-0x0000000000330000-0x0000000000331000-memory.dmp

memory/816-2-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/816-3-0x0000000000401000-0x0000000000444000-memory.dmp

memory/816-7-0x0000000000370000-0x0000000000388000-memory.dmp

memory/816-14-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/816-15-0x0000000000390000-0x000000000039A000-memory.dmp

memory/816-16-0x00000000003B0000-0x00000000003EB000-memory.dmp

memory/816-17-0x0000000000370000-0x0000000000388000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Network

Country Destination Domain Proto
FR 212.193.30.45:80 tcp
US 45.144.225.57:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 2.56.59.42:80 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

Signatures

Socelars

stealer socelars

Socelars family

socelars

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756200144701004" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1392 wrote to memory of 312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1392 wrote to memory of 312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3312 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3312 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 1716 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 1716 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 1080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 1080 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4872 wrote to memory of 944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdced6cc40,0x7ffdced6cc4c,0x7ffdced6cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1840,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3400 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4060,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5308 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5296,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5416,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5476 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5464,i,16404136664612555516,7233998280226216589,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.listincode.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.204.74:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 216.58.204.74:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 68.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 c4f4f10527515e350475234d38267351
SHA1 841f108a99e81d0055a2b87e01fffc5f21bf1b2e
SHA256 3c4e778a71453a50ccb43e8410953042685d2eedcf94c22f651b75e9d540819c
SHA512 d2532b4cc7f957837576a1cf47d4e6be1d1326ad8816e30bf2a4c1f57629eef22f8d80db4a08278e167bb6d89b8a2bdf1c765dbd55506e1a9f95a6ab6e5c0288

\??\pipe\crashpad_4872_FQLGIXVZZQBRHMNU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\scoped_dir4872_1543153755\8139a907-f58e-467c-bbc0-911177bd89cd.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir4872_1543153755\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 133aaf6ed7c627afe809de98a1ba0a90
SHA1 e533f86f8842b76fb48cb4b3924c0eeb21f08bb9
SHA256 3f2a141348ba649cfeb911f8d93ed194403038e5261adbb7626cc5bb0bf2ff2a
SHA512 ed2ce4ebde18cd5552f72db626efbe8c71a979c21ece4047ccfc021202529dc03804d6d784635f5c8c0cfd4a914878d93302c0fafaaccebba9f85aaebacb3929

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 440b4a4635df7305201d3288a0bb227d
SHA1 a68c42916c53572b8d11cc7278b5afed562f9ec7
SHA256 bd0d62389556ba79abb3383d323dc3782287ccba6b7f15fb9726d4e71c18a3f3
SHA512 97809da40ee207c20de4e569edd94cc51fdcebafab3aa80c56c8e79f667ce743cc058164fa061003b8352595d0cccab1950b2abc0faf00086bc24172dfe7744d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 b0457dc2ea8640e29626e522cc7ac86a
SHA1 444d934546e8f0e2e60ce1daf186e214d2c61930
SHA256 5f8ff8257f4f77fec62d737567d16b5175894cb6184b0dfd7fefbaf157959e8d
SHA512 2ea678c819146f22556fc9e7075fe72b68dd9babe6547d0e310994678b2b2718c50b3f6f1b5f34195d07beebb9d5722f7868ed7ea60a3b860e17f79669ca805c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 935b922481ed677af0aa199a465dd34a
SHA1 1fc3cd55a65044b8b12d024081e9155d050bcf75
SHA256 54292a1ff5a42264894ed3c2e29c13097bff0c3aea238f1a9633b0da01f6ae9f
SHA512 a237699cffc57de39019f556d17814fa8564466995520c24842427a1e5ec4e18d3024284cba8cc72c97ea6e1db21cf5ec30bf90f85ce01b4d43447f7f0b71b95

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 3d087765debb6ec18bf9514a735f40d2
SHA1 e94a9c7e50bfabbd25efc3ca74baedcd1f222cc3
SHA256 b5f444d0971eadd01859ae507d2fc5bee131ef275fcb636e486c3005a288d15a
SHA512 90781115765bf19f1456ddf1ac80724fe495caf840e1da392d0a4290c35a7044bb8b7517b43f9431d5a7c44efa0375562e5f94516428c6943c42c8ec72a353cf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 6c35f08421bd503855a67b5f27f02644
SHA1 b21fda90599047f8748195bfbabc4b542e92a6fc
SHA256 f10032ef46b99d825019c710aa1c88e373057ca1fcd7cb8dbe5ae4e7546f5c51
SHA512 7386aec6c1b26cbf6602afb9b8ff861ec38a152c1c9e327358cff7867bac403999f87678eaec1feb83d3a871e266ca870e527e9f4a8005e697a7d9eeca1604fb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a82c925f85918f00ac6e3e4bf0a8b08d
SHA1 a42399d0d8e7ff4ec7033316eec905aa4cb3b8cc
SHA256 be6340b9af7873816cba59ad598f227c96d914184c766d42f58dffc492bff824
SHA512 9f5d14e77b383b0b86388b3cf361ab6f68186162ddbab6d170ae0755a996e5cb7f6d22ef898bcbf5ee196b3fb74f64280d7a6f585324c25f425e0a66bec42b7a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 16f9e6e078d8dcf5bcf1abc1b7dfc38a
SHA1 7b6856f535e99bc0545410bff56cb61e76624774
SHA256 686716bc7699f3c143ea36807efed21bcd1a234708b4f107d5c58f15236dea71
SHA512 e4a7614af829e15ba70fd7e4b721cb3bcc40c518f67ce514c06947070866ff96ce747b9eb6d106dc88060f9daf3fbb72d7641080d2f74b685be7d9601774e1f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 23c129994d4ccba3904bf9ac6d0df5b0
SHA1 0f825b61b3b7a09da547acb840a322c153127541
SHA256 11ff2bbc92347f435128a9fe3ada9d03786a1f5b3348768705f408e0f35007c0
SHA512 a5f907a163ba4a29c73843a12e521f786fed0024b0ba4d562829e37844e81b8b47988202e03fc66a44e39e371b2c19f62ad0f839447bf2cc461e96e96cbadd58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 112764efe3a2057de0de02d051aad6ee
SHA1 9a091fb98d1352f75f0507aad22bf8f156fdf9d9
SHA256 5725ee7359f37982047a67b67f8660399530320f37a2aef97a50c0317fa4ac90
SHA512 7d8723cf405dfe57195a330886ba45dbb7c6620c3bbbf9b2751a9757c5810dd37fce9d9edb42f9409dc855a4dfe2659ef082fcd8875b776e7d13bf1dd59272f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 4b0cc5a559b661e80a4fa0e7dacae4d6
SHA1 1ea9300ffc39902e3ca67f45c82d08deb105d485
SHA256 045c34b7f1ab0afe2141bb645b32448d57e2299fe406fed1cec1b07227e6958b
SHA512 2be7733112b84355da6ce83b7bf039df38de96444fe5afd4aca5f8c5cbfc64156d6c1b44bca31c86fa2dc14e60c7c5e19411e2cdc1313edfd5989e0ca5ceead5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a85686886e63eb02c2873fa8479a2d67
SHA1 7c0164ec09f7783ad4ced032ea3bddc868827e8c
SHA256 cbd2556e303717c320d374cf803945c89c73cdbd554c579040a33fbcbd166a75
SHA512 36b717eb67510169b61d169dc107cecd35b0a34cd6b4cf00cddd99f7a0206daf10e5c402a8ecde006cc77a6d9c34385c4996fd3d1ab3f9887ed50c7466c3cafa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 70a197ca5db4110bbc9508139dc9bef7
SHA1 63ddd70ac847fc0ce2f911f7db279669062f8578
SHA256 78759e98512703627d1d10c9e16fb7ccd0e2f07880717d1e185e98fef7a22c26
SHA512 c7447b82178afa5256ad2e52f2105b3c9d08868d3b590a36258716db6bd76fc224510b5bac67dd6642173d1cfe0ce58c046d613d29eb20e1ae16ae07acf1a943

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1d93b83ce089b77068a3892b4c0fac59
SHA1 b4850677553e49efdbdbaeb69fad1804a3f42e61
SHA256 73120dfde78e687a500270981d14903330c153b0d5d4dd08232c259a351d8d76
SHA512 632271da4db7272b778d096654da38a5315ecf9d958aa24e28abc08b59e0b0c09d0db22ffd2e94612124e02614cfec90d0b4f80c26d5f6b1a995a1501fbdfe74

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ddf9be3ea61226cf9907697986f18bf1
SHA1 7d35fbb7df0572d73398f4582e8c3886ffbebc7f
SHA256 abd556127d97bc3ee1495df6767efe03b5541f43b47a55a50fed7d101e7a538e
SHA512 4070c5364814e095e09f28bf4fc0f4a721eb76f9909e8f19628a4683d416656211968e2714b7a7e934eb22ff08c66b764b69d20356898ccc0badb0d8d771b7e2

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f

Network

N/A

Files

memory/2356-0-0x0000000000220000-0x000000000024A000-memory.dmp

memory/2356-1-0x0000000000250000-0x000000000029C000-memory.dmp

memory/2356-2-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2356-6-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2356-5-0x0000000000250000-0x000000000029C000-memory.dmp

memory/2356-4-0x0000000000220000-0x000000000024A000-memory.dmp

memory/2356-3-0x0000000000400000-0x000000000046C000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240729-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2072 set thread context of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2072 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2072 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2072 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2072 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2072 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2072 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2072 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 2072 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Network

Country Destination Domain Proto
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp

Files

memory/2072-0-0x000000007485E000-0x000000007485F000-memory.dmp

memory/2072-1-0x00000000012F0000-0x000000000137A000-memory.dmp

memory/2072-2-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/2072-3-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/2324-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2324-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2324-10-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2324-8-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2324-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2324-14-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2324-19-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2072-20-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/2324-16-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2324-21-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/2324-22-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/2324-23-0x0000000074850000-0x0000000074F3E000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1060 set thread context of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1060 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1060 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1060 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1060 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1060 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1060 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1060 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 1060 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Network

Country Destination Domain Proto
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp

Files

memory/1060-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

memory/1060-1-0x0000000000AD0000-0x0000000000B5A000-memory.dmp

memory/1060-2-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/1060-3-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/3024-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-12-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3024-9-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-8-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-14-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-17-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3024-19-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/1060-18-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/3024-20-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/3024-21-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240729-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2572 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2572 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2572 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2572 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2572 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2572 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2060 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2060 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2060 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2060 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2060 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2060 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2060 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 1688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 1688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 1688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 1688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 1688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 1688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 1688 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$5014E,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5I6JP.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$6014E,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

Network

Country Destination Domain Proto
US 8.8.8.8:53 noplayboy.com udp

Files

memory/2572-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2572-2-0x0000000000401000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-8GLKF.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2060-8-0x0000000000400000-0x00000000004BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-NVE8C.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-NVE8C.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2060-25-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1688-23-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2572-28-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1688-26-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1688-44-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2668-45-0x0000000000400000-0x00000000004BD000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2448 set thread context of 316 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Network

N/A

Files

memory/2448-1-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2448-0-0x0000000000020000-0x0000000000029000-memory.dmp

memory/316-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/316-8-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2448-5-0x0000000000020000-0x0000000000029000-memory.dmp

memory/316-4-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 136

Network

N/A

Files

memory/2700-1-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2700-0-0x0000000000020000-0x0000000000028000-memory.dmp

memory/2700-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2700-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2700-7-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2700-6-0x0000000000020000-0x0000000000028000-memory.dmp

memory/2700-5-0x0000000000030000-0x0000000000039000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7502b8389b_Tue233252e9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7502b8389b_Tue233252e9.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 myvideodonwload.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
RU 91.241.19.125:80 tcp
RU 91.241.19.125:80 tcp
RU 91.241.19.125:80 tcp
RU 91.241.19.125:80 tcp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:80 iplogger.org tcp
US 8.8.8.8:53 youtube4kdowloader.club udp

Files

memory/2824-0-0x00000000002B0000-0x00000000002D0000-memory.dmp

memory/2824-1-0x00000000002D0000-0x0000000000308000-memory.dmp

memory/2824-2-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2824-3-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2824-4-0x00000000002B0000-0x00000000002D0000-memory.dmp

memory/2824-5-0x00000000002D0000-0x0000000000308000-memory.dmp

memory/2824-6-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2824-15-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2824-16-0x0000000000400000-0x000000000043B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-TU829.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2092 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2092 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2796 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2796 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2796 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 4832 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-TU829.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 4832 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-TU829.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 4832 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-TU829.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$901E6,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-TU829.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TU829.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$70264,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 noplayboy.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 89.82.67.80.in-addr.arpa udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/2092-2-0x0000000000401000-0x000000000040B000-memory.dmp

memory/2092-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7RN4M.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2796-7-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4KNJT.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/4832-22-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2796-24-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4832-20-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2092-26-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2788-34-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BH0DN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/4832-40-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2788-42-0x0000000000400000-0x00000000004BD000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20241010-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 v.xyzgamev.com udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1420

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 crl.microsoft.com udp
CH 80.67.82.104:80 crl.microsoft.com tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 260

Network

N/A

Files

memory/2472-0-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2472-1-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2472-2-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2472-8-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2472-13-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2472-12-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2472-10-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2472-9-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2472-7-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2472-6-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2472-5-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2472-4-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2472-3-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2472-11-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2472-18-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2472-16-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2472-15-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2472-14-0x000000006B280000-0x000000006B2A6000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
FR 212.193.30.45:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 45.144.225.57:80 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 89.82.67.80.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 2.56.59.42:80 tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20241010-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 2084 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 2084 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 2084 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 2308 wrote to memory of 1972 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1972 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1972 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1972 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1972 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1972 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2308 wrote to memory of 1972 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 1972 wrote to memory of 2916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 1972 wrote to memory of 2916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 1972 wrote to memory of 2916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 1972 wrote to memory of 2916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 2916 wrote to memory of 2920 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 2920 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 2920 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 2920 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 2920 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 2920 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 2920 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\G1V6MSEY.nr

Network

Country Destination Domain Proto
FR 78.112.80.48:8080 tcp
FR 78.112.80.48:8080 tcp

Files

memory/1972-6-0x0000000002570000-0x0000000003570000-memory.dmp

memory/1972-7-0x000000002D0C0000-0x000000002D171000-memory.dmp

memory/1972-8-0x00000000002B0000-0x000000000034D000-memory.dmp

memory/1972-9-0x00000000002B0000-0x000000000034D000-memory.dmp

memory/1972-11-0x00000000002B0000-0x000000000034D000-memory.dmp

memory/1972-12-0x0000000002570000-0x0000000003570000-memory.dmp

memory/1972-16-0x00000000002B0000-0x000000000034D000-memory.dmp

memory/1972-18-0x000000002F2E0000-0x000000002F376000-memory.dmp

memory/1972-17-0x000000002D4E0000-0x000000002F2D2000-memory.dmp

memory/1972-19-0x0000000000360000-0x00000000003F0000-memory.dmp

memory/2920-25-0x00000000025D0000-0x00000000035D0000-memory.dmp

memory/2920-27-0x000000002D420000-0x000000002D4D1000-memory.dmp

memory/2920-31-0x00000000025D0000-0x00000000035D0000-memory.dmp

memory/2920-32-0x0000000000340000-0x00000000003DD000-memory.dmp

memory/2920-29-0x0000000000340000-0x00000000003DD000-memory.dmp

memory/2920-40-0x0000000000340000-0x00000000003DD000-memory.dmp

memory/2920-42-0x0000000002220000-0x00000000022B6000-memory.dmp

memory/2920-41-0x000000002D4E0000-0x000000002F2D2000-memory.dmp

memory/2920-46-0x00000000002A0000-0x0000000000330000-memory.dmp

memory/2920-43-0x00000000002A0000-0x0000000000330000-memory.dmp

memory/2920-49-0x0000000000190000-0x0000000000193000-memory.dmp

memory/2920-50-0x00000000001A0000-0x00000000001A5000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win7-20241010-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2880 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2880 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2880 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2880 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2880 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Windows\system32\WerFault.exe
PID 2880 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Windows\system32\WerFault.exe
PID 2880 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2880 -s 480

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.hhiuew33.com udp

Files

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/2788-6-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2788-8-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 1ef27bf34ef1987482af62a2d850f112
SHA1 72056e1c9480c09d07231459ed1c80bd89f64025
SHA256 af4e46c53f5055bbb9f91e53c3832e778d275a738f5db5aea35f26d77ca1fecf
SHA512 b5af1a9d4721a912ef9c30ecaa70cbad9531b927e01076dc97c0485b3be4541aebdf1bb8a7c50e83132e4f1cdf60b4f13e67baa4654be197fe16e3b50134a559

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 d0527733abcc5c58735e11d43061b431
SHA1 28de9d191826192721e325787b8a50a84328cffd
SHA256 b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA512 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

memory/2752-17-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2752-23-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 46183ada973d3bfaab7be726c800e96e
SHA1 7fcb7272b04d8b1caaf1343ec720461ca79f45c2
SHA256 0cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f
SHA512 338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 193.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 249.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
SE 192.229.221.95:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/220-3-0x0000000000400000-0x0000000000480000-memory.dmp

memory/220-6-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 d0527733abcc5c58735e11d43061b431
SHA1 28de9d191826192721e325787b8a50a84328cffd
SHA256 b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA512 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

memory/1756-11-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1756-17-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 0de1c1adcd260760fd221bccc3ebc1ef
SHA1 eb8d37e4a2757e00e63ec4698e641cbed1f94680
SHA256 a43e057329c848cc5f7af90197f0e4cc03ca001157739c73ef42024ce1b41db7
SHA512 14de67bf24b7e7a802dfb6846b4dec2c5afd2713d001e72e2878157e71c866a118fc8e359c98db797ce5445a05c547765a10afca5ba86e55f67da16c93cd2913

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dpcapps.me udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 89.82.67.80.in-addr.arpa udp
US 8.8.8.8:53 243.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp

Files

memory/4264-0-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/4264-4-0x0000000000444000-0x0000000000445000-memory.dmp

memory/4264-3-0x0000000000830000-0x000000000086B000-memory.dmp

memory/4264-6-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/4264-5-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/4264-1-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/4264-2-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/4264-7-0x00000000007F0000-0x0000000000808000-memory.dmp

memory/4264-14-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/4264-15-0x00000000008A0000-0x00000000008AA000-memory.dmp

memory/4264-16-0x0000000004FC0000-0x0000000005564000-memory.dmp

memory/4264-17-0x0000000001000000-0x0000000001092000-memory.dmp

memory/4264-21-0x0000000000830000-0x000000000086B000-memory.dmp

memory/4264-19-0x00000000007F0000-0x0000000000808000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3920 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2052 -ip 2052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 664

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2052-0-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2052-1-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2052-5-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2052-8-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-11-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-10-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-13-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2052-7-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2052-6-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2052-12-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2052-9-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-4-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2052-3-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2052-2-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-16-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2052-20-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-19-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2052-14-0x000000006B280000-0x000000006B2A6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 09:59

Reported

2024-11-09 10:02

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 udp

Files

N/A