Malware Analysis Report

2024-11-15 09:03

Sample ID 241111-g88dastnfz
Target 16d60806f4c35b942db7e2b9ff0004d4771db020
SHA256 f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8
Tags
discovery smokeloader pub5 backdoor trojan spyware stealer upx gcleaner onlylogger loader aspackv2 privateloader socelars fabookie nullmixer pub3 redline media17223 infostealer v2user1
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Threat Level: Known bad

The file 16d60806f4c35b942db7e2b9ff0004d4771db020 was found to be: Known bad.

Malicious Activity Summary

discovery smokeloader pub5 backdoor trojan spyware stealer upx gcleaner onlylogger loader aspackv2 privateloader socelars fabookie nullmixer pub3 redline media17223 infostealer v2user1

OnlyLogger

Fabookie family

RedLine payload

RedLine

GCleaner

Socelars family

Detect Fabookie payload

Nullmixer family

Onlylogger family

Socelars

SmokeLoader

Redline family

Gcleaner family

Socelars payload

Smokeloader family

Privateloader family

OnlyLogger payload

Detected Nirsoft tools

NirSoft WebBrowserPassView

Blocklisted process makes network request

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

ASPack v2.12-2.42

Checks computer location settings

Deletes itself

Drops Chrome extension

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Looks up external IP address via web service

Suspicious use of SetThreadContext

UPX packed file

Enumerates physical storage devices

Program crash

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Kills process with taskkill

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:29

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie family

fabookie

Nullmixer family

nullmixer

Privateloader family

privateloader

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Network

Country Destination Domain Proto
FR 212.193.30.45:80 tcp
US 45.144.225.57:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 2.56.59.42:80 tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20241023-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 136

Network

N/A

Files

memory/2380-1-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2380-0-0x0000000000020000-0x0000000000028000-memory.dmp

memory/2380-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2380-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2380-6-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2380-5-0x0000000000020000-0x0000000000028000-memory.dmp

memory/2380-7-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.hhiuew33.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/3660-3-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3660-6-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 d0527733abcc5c58735e11d43061b431
SHA1 28de9d191826192721e325787b8a50a84328cffd
SHA256 b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA512 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

memory/2052-11-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2052-17-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 0de1c1adcd260760fd221bccc3ebc1ef
SHA1 eb8d37e4a2757e00e63ec4698e641cbed1f94680
SHA256 a43e057329c848cc5f7af90197f0e4cc03ca001157739c73ef42024ce1b41db7
SHA512 14de67bf24b7e7a802dfb6846b4dec2c5afd2713d001e72e2878157e71c866a118fc8e359c98db797ce5445a05c547765a10afca5ba86e55f67da16c93cd2913

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f

Network

N/A

Files

memory/1796-0-0x0000000000220000-0x000000000024A000-memory.dmp

memory/1796-1-0x00000000002F0000-0x000000000033C000-memory.dmp

memory/1796-2-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1796-3-0x0000000000400000-0x000000000046C000-memory.dmp

memory/1796-5-0x00000000002F0000-0x000000000033C000-memory.dmp

memory/1796-4-0x0000000000220000-0x000000000024A000-memory.dmp

memory/1796-6-0x0000000000400000-0x0000000000450000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240729-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7502b8389b_Tue233252e9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7502b8389b_Tue233252e9.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 myvideodonwload.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:80 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
RU 91.241.19.125:80 tcp
RU 91.241.19.125:80 tcp
RU 91.241.19.125:80 tcp
RU 91.241.19.125:80 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:80 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:80 iplogger.org tcp
US 8.8.8.8:53 youtube4kdowloader.club udp

Files

memory/2500-0-0x0000000000020000-0x0000000000040000-memory.dmp

memory/2500-1-0x0000000000220000-0x0000000000258000-memory.dmp

memory/2500-2-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2500-3-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2500-4-0x0000000000020000-0x0000000000040000-memory.dmp

memory/2500-5-0x0000000000220000-0x0000000000258000-memory.dmp

memory/2500-6-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2500-16-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2500-15-0x0000000000400000-0x0000000000462000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1372 set thread context of 4156 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/1372-0-0x0000000000620000-0x0000000000629000-memory.dmp

memory/1372-1-0x0000000000780000-0x0000000000789000-memory.dmp

memory/4156-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1372-3-0x0000000000620000-0x0000000000629000-memory.dmp

memory/4156-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4156-5-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 1304 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 1304 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 1304 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe C:\Windows\SysWOW64\control.exe
PID 2176 wrote to memory of 2188 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 2188 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 2188 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 2188 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 2188 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 2188 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 2188 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 2188 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 2188 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 2188 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 2716 wrote to memory of 3028 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2716 wrote to memory of 3028 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2716 wrote to memory of 3028 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2716 wrote to memory of 3028 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2716 wrote to memory of 3028 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2716 wrote to memory of 3028 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2716 wrote to memory of 3028 N/A C:\Windows\system32\RunDll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\G1V6MSEY.nr

Network

Country Destination Domain Proto
FR 78.112.80.48:8080 tcp
FR 78.112.80.48:8080 tcp

Files

memory/2188-6-0x0000000002430000-0x0000000003430000-memory.dmp

memory/2188-7-0x0000000002430000-0x0000000003430000-memory.dmp

memory/2188-8-0x000000002D380000-0x000000002D431000-memory.dmp

memory/2188-9-0x0000000002080000-0x000000000211D000-memory.dmp

memory/2188-10-0x0000000002080000-0x000000000211D000-memory.dmp

memory/2188-12-0x0000000002080000-0x000000000211D000-memory.dmp

memory/2188-17-0x0000000002080000-0x000000000211D000-memory.dmp

memory/2188-19-0x000000002F240000-0x000000002F2D6000-memory.dmp

memory/2188-18-0x000000002D440000-0x000000002F232000-memory.dmp

memory/2188-20-0x000000002F2E0000-0x000000002F370000-memory.dmp

memory/3028-26-0x0000000002580000-0x0000000003580000-memory.dmp

memory/3028-28-0x0000000002580000-0x0000000003580000-memory.dmp

memory/3028-29-0x000000002D340000-0x000000002D3F1000-memory.dmp

memory/3028-31-0x0000000000360000-0x00000000003FD000-memory.dmp

memory/3028-33-0x0000000000360000-0x00000000003FD000-memory.dmp

memory/3028-42-0x0000000000360000-0x00000000003FD000-memory.dmp

memory/3028-43-0x000000002D400000-0x000000002F1F2000-memory.dmp

memory/3028-44-0x0000000000B70000-0x0000000000C06000-memory.dmp

memory/3028-45-0x000000002F200000-0x000000002F290000-memory.dmp

memory/3028-48-0x000000002F200000-0x000000002F290000-memory.dmp

memory/3028-49-0x0000000000050000-0x0000000000053000-memory.dmp

memory/3028-50-0x0000000000060000-0x0000000000065000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1724 set thread context of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 1724 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 1724 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 1724 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 1724 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 1724 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 1724 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 1724 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 1724 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Network

Country Destination Domain Proto
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp

Files

memory/1724-0-0x000000007463E000-0x000000007463F000-memory.dmp

memory/1724-1-0x0000000000DF0000-0x0000000000E7A000-memory.dmp

memory/1724-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/1724-3-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2172-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-9-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-12-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2172-8-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-14-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1724-18-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2172-17-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-19-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2172-20-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2172-21-0x0000000074630000-0x0000000074D1E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 v.xyzgamev.com udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

Signatures

Socelars

stealer socelars

Socelars family

socelars

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.listincode.com udp
US 52.203.72.196:443 www.listincode.com tcp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\G1V6MSEY.nr

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\G1V6MSEY.nr

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/3688-5-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-6-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-7-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-8-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-9-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-10-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-11-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-12-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-13-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-14-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-15-0x000000002E0F0000-0x000000002E1A1000-memory.dmp

memory/3688-16-0x000000002E1B0000-0x000000002E24D000-memory.dmp

memory/3688-17-0x000000002E1B0000-0x000000002E24D000-memory.dmp

memory/3688-19-0x000000002E1B0000-0x000000002E24D000-memory.dmp

memory/3688-20-0x00000000030D0000-0x00000000040D0000-memory.dmp

memory/3688-24-0x000000002E1B0000-0x000000002E24D000-memory.dmp

memory/3688-26-0x0000000030050000-0x00000000300E6000-memory.dmp

memory/3688-25-0x000000002E250000-0x0000000030042000-memory.dmp

memory/3688-27-0x00000000300F0000-0x0000000030180000-memory.dmp

memory/4420-32-0x00000000027E0000-0x00000000037E0000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1836

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.16.227:80 c.pki.goog tcp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20241010-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2440 set thread context of 2432 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd41f841_Tue2365aa82b7.exe"

Network

N/A

Files

memory/2440-0-0x0000000000020000-0x0000000000029000-memory.dmp

memory/2440-1-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2432-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2440-5-0x0000000000020000-0x0000000000029000-memory.dmp

memory/2432-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2432-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2432-7-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dpcapps.me udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/5004-0-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/5004-1-0x0000000002700000-0x000000000273B000-memory.dmp

memory/5004-5-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/5004-4-0x0000000000401000-0x0000000000444000-memory.dmp

memory/5004-3-0x0000000000790000-0x0000000000791000-memory.dmp

memory/5004-2-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/5004-6-0x00000000007E0000-0x00000000007F8000-memory.dmp

memory/5004-13-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/5004-14-0x0000000001060000-0x000000000106A000-memory.dmp

memory/5004-15-0x0000000005460000-0x0000000005A04000-memory.dmp

memory/5004-16-0x0000000002AC0000-0x0000000002B52000-memory.dmp

memory/5004-20-0x0000000002700000-0x000000000273B000-memory.dmp

memory/5004-18-0x00000000007E0000-0x00000000007F8000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1380

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 signaturebusinesspark.com udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20241010-en

Max time kernel

13s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 264

Network

N/A

Files

memory/2284-0-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2284-1-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2284-2-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2284-7-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2284-13-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2284-12-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2284-11-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2284-10-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2284-9-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2284-8-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2284-6-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2284-5-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2284-4-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2284-3-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2284-19-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2284-16-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2284-15-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2284-14-0x000000006B280000-0x000000006B2A6000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

Signatures

Socelars

stealer socelars

Socelars family

socelars

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757802045549607" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2460 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2460 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2028 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2028 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 4148 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 1100 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 1100 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3388 wrote to memory of 3612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd78769f_Tue234b6c24d9a0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff7562cc40,0x7fff7562cc4c,0x7fff7562cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2064 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1976,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1584,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5124,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5476,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4976,i,2045792401777222179,15386602616897452105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 54.205.158.59:443 www.listincode.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.201.110:443 apis.google.com tcp
GB 216.58.201.106:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
GB 216.58.201.106:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.213.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 216.58.213.3:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 323a8aecb373992550d8f1fcadb6ce9d
SHA1 075e3542af7dbcb0df5d1ff1c9a21298f1348124
SHA256 decf401a1aaf084846d7e352992ae4440a4d98bce047d6acada838b15ff8d103
SHA512 34581cb860a13b40514cf265af4f03c2c0d751ed6486b473ad22a0d770f1442211b4a675b50e0eb154c95da3d5440fd11c10689d04eef19ece6ef88cf526db1f

\??\pipe\crashpad_3388_WNKGZITEMVOSVTRC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\scoped_dir3388_844605549\72761e82-214a-470d-8dfe-8dc0bfb73bca.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir3388_844605549\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 5964f5f2d0e635558954710d3f867140
SHA1 512a4f53ebc8ff37f6e14dfda70fff08e9d4bb89
SHA256 b1df549f1aa020420bfa1dc257731c5e3abf0debffe3702f8e7b36efa3ff1d0b
SHA512 39cc80a08aa7495f46ef83f880abf9c629f3a8da04f4e3345a007422385e5990d1b8c3c3bb0aae629f5c3ff06c75202764125736d283bd347912f8f360f4b080

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 4b2cdae7e94da2e0bd13e2e7de34394b
SHA1 58d1b03ebd2bb75e4b7bbcd31ed750feb9f82382
SHA256 c4e7867aab1a1e92677bdb8feee4781e3fb349ba551c0c8822a44f939ce97528
SHA512 19a63fe2997fc1c3d8974cb0ec7e667f28003b3f9110ac8954ce9acba6dbf34636efad6b408f6d18c27986dad0a7a244c44bd07be96e4252f468d90d9b919bcb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 34395d0344d2be06ab1a1085cc6b6a45
SHA1 2da8f0671a6691dbe56fb3918d501673013e16b5
SHA256 6e27a467767e5f5b21601bf423330124129c3c50d47e20e0e7edb1d0668e7140
SHA512 417586c1615788d89ae867fa7c68e66565c21d9918f389c42abb3d8881ec0ee1c67963f32b70bc294d80234cb0c4617b2f951e1b3ebb78448e6b72035059f09b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 46d52cf4d5367b761e77d2931e253f6a
SHA1 4db539b10ec431d546b571357043ba9c0fffc8cf
SHA256 35822f0f7f25feb50163dcf038fda149df72c96e70a016c3ad95208008b28377
SHA512 01c63e0d76da3fd06264583ef01c255c51703a345b50e09670d1faec7d62aa1372e2af7c6ca1cc0227f5f03edfbcfea4b7cd7c4d17c5316cf3fa6ad919cc3948

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 90f1ec74cd654f43eecb0e69e584caf7
SHA1 cc50c7d68321d684498b870e52e84dffa993ded8
SHA256 94a54bb7a36ff49f25be45cfd5f10719819e97029a9a28c7ef1d486f88a6a57a
SHA512 cf460bf06d9f70d35056d9e975b74f565f2a99b8fed42c6161a12de8d7fb41a9d548a4c530bd3f106c6f6264b579a79f083c1333a083fa5f9259561f4003bab8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 f4ec1678308895d14eccf7df988b2345
SHA1 0febda5bbc6dc851d51b8061db986c244b692b03
SHA256 43d80e2babab2dadcaa1f639df93a6f87cb233d35428db083bf47c1325d9d963
SHA512 b9e08dad63c94770db160afdcd1f3b1f25fbd4d43602940c04bcd10c37307e33355c5d7c189197e462cdb2afc9a9af78d80b00ce348278c0f32a390572fe328b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 624dc0ae429a967dfcce73b3174a8c6c
SHA1 765984c79c6077bc932a513d254241f4a5ec69e2
SHA256 26e74364bdcf639cb7865fafc76222171a9a4c020e325f9d07c086f4b39414b2
SHA512 47d2c2318a1eaa3d87b7990d36d905b7cf6c09f05355df10f547b3c98033c10bd1fad3cbb70f2f82bb687818255bf455b4ad63d7e32a641afdfd004d38bdd64d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 933bff49d796f2469bbe787f52a8956a
SHA1 00874a997782afb4e7c814eacc4ef84d9c038dbd
SHA256 959ccfb78d5eb82a2d073c3a0f01cebcd62d30a18c12d2cde1045bf6ea373881
SHA512 54331bda770c89a68384941eb320be8e760a177b8641277bf6cbce44f8d853e70f75b105a45740d9501dd38f5297d7610b1841d02bfd0de91cd1e9393e3eae21

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 aff45e6bf8f12b51f8e54810193edc28
SHA1 0d4adc9be2933ee03c6e66d03b22db5843ca6341
SHA256 195abaa60eb63528a2527bb8acc35a1a2fded1311afcac7688d66c0d3690d509
SHA512 610673ae66e68acd404504babc62af49edf8eaa59f640a8b286f60e6120c6fabb6d1d8466e3d19c975dd6c6f4adcb1a61821d105ed402c8d6e1e5278c793bb01

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 05a22b071b1c7572bda0de48c9359010
SHA1 2fbc135044c9e6b58537fa75b4feb700168bf3df
SHA256 cfd718b36477f888153d062b36f5aee6c08d10dfc15102ce850a8b73050da831
SHA512 fea599f5ed803245e69bd9979fbc7098fbc70c4ce0ca670aff9f0f7c2979fae3504b46067cd6a04fd5c569fdd048d2d1c1dea6bc468b7e168931b80233c4311a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 887dc942eb4cda4bd40062d35a3fe24c
SHA1 2fbf1a941ff9dc7a089ea6e364afca3a58a048ca
SHA256 a5260642a1d1c7122f9d1d4e50957c59fa99d81d1eb811ab75d12444220def94
SHA512 258492ff31863668167e182c2f46e22351d45529ffab3da592188d9c942b4ddac65bc04bd811e4fb669d974eb40025a0357cb2d032c77734b06643a4467e06c0

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 928

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501ab629f_Tue23c4645058.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1404 -ip 1404

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7501ab629f_Tue23c4645058.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 716

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 102.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1404-0-0x00000000004B0000-0x00000000004DA000-memory.dmp

memory/1404-1-0x0000000000920000-0x000000000096C000-memory.dmp

memory/1404-2-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1404-3-0x0000000000400000-0x000000000046C000-memory.dmp

memory/1404-4-0x00000000004B0000-0x00000000004DA000-memory.dmp

memory/1404-5-0x0000000000920000-0x000000000096C000-memory.dmp

memory/1404-6-0x0000000000400000-0x0000000000450000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20241010-en

Max time kernel

139s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2152 set thread context of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 2152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 2152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 2152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 2152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 2152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 2152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 2152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 2152 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Network

Country Destination Domain Proto
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp

Files

memory/2152-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

memory/2152-1-0x0000000000A80000-0x0000000000B0A000-memory.dmp

memory/2152-2-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/2152-3-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/2908-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2908-7-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2908-10-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2908-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2908-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2908-5-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2908-15-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2908-12-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2908-17-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/2152-16-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/2908-18-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/2908-19-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2392 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2392 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2392 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2392 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2392 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2392 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 1632 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 1632 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 1632 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 1632 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 1632 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 1632 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 1632 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 2256 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2256 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2256 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2256 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2256 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2256 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2256 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$40026,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6BNN1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$301D2,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

Network

Country Destination Domain Proto
US 8.8.8.8:53 noplayboy.com udp

Files

memory/2392-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2392-3-0x0000000000401000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-H70HM.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/1632-8-0x0000000000400000-0x00000000004BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-QKVK2.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-QKVK2.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2392-29-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1632-26-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2256-24-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2256-22-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2256-44-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2828-45-0x0000000000400000-0x00000000004BD000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4540 set thread context of 3216 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe
PID 4540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501b7eabe_Tue2344597f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 92.255.57.115:59426 tcp
RU 92.255.57.115:59426 tcp

Files

memory/4540-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

memory/4540-1-0x0000000000920000-0x00000000009AA000-memory.dmp

memory/4540-2-0x0000000005340000-0x00000000053B6000-memory.dmp

memory/4540-3-0x0000000074EB0000-0x0000000075660000-memory.dmp

memory/4540-4-0x0000000005320000-0x000000000533E000-memory.dmp

memory/4540-5-0x0000000074EB0000-0x0000000075660000-memory.dmp

memory/4540-6-0x0000000005CA0000-0x0000000006244000-memory.dmp

memory/3216-7-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61e7501b7eabe_Tue2344597f.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/3216-10-0x0000000074EB0000-0x0000000075660000-memory.dmp

memory/3216-12-0x0000000005D30000-0x0000000006348000-memory.dmp

memory/3216-13-0x00000000031F0000-0x0000000003202000-memory.dmp

memory/4540-11-0x0000000074EB0000-0x0000000075660000-memory.dmp

memory/3216-14-0x0000000005820000-0x000000000592A000-memory.dmp

memory/3216-15-0x0000000005750000-0x000000000578C000-memory.dmp

memory/3216-16-0x0000000005930000-0x000000000597C000-memory.dmp

memory/3216-17-0x0000000074EB0000-0x0000000075660000-memory.dmp

memory/3216-18-0x0000000074EB0000-0x0000000075660000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11111.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2188 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2188 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2188 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2188 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2188 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2188 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2188 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Users\Admin\AppData\Local\Temp\11111.exe
PID 2188 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Windows\system32\WerFault.exe
PID 2188 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Windows\system32\WerFault.exe
PID 2188 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501db65f3_Tue23c7b395c3.exe"

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\11111.exe

C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2188 -s 476

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.hhiuew33.com udp

Files

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 94989927a6611e1919f84e1871922b63
SHA1 b602e4c47c9c42c273b68a1ce85f0814c0e05deb
SHA256 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
SHA512 ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e

memory/2704-6-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2704-8-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/2796-17-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11111.exe

MD5 d0527733abcc5c58735e11d43061b431
SHA1 28de9d191826192721e325787b8a50a84328cffd
SHA256 b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
SHA512 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5

memory/2796-23-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 46183ada973d3bfaab7be726c800e96e
SHA1 7fcb7272b04d8b1caaf1343ec720461ca79f45c2
SHA256 0cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f
SHA512 338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "61e7502b8389b_Tue233252e9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502b8389b_Tue233252e9.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 804 -ip 804

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "61e7502b8389b_Tue233252e9.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1788

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 myvideodonwload.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:80 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 91.241.19.125:80 tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 91.241.19.125:80 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:80 iplogger.org tcp
US 8.8.8.8:53 myvideodonwload.com udp
US 172.67.74.161:80 iplogger.org tcp
US 8.8.8.8:53 youtube4kdowloader.club udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp

Files

memory/804-0-0x0000000000580000-0x00000000005A0000-memory.dmp

memory/804-1-0x00000000008C0000-0x00000000008F8000-memory.dmp

memory/804-2-0x0000000000400000-0x000000000043B000-memory.dmp

memory/804-3-0x0000000000580000-0x00000000005A0000-memory.dmp

memory/804-4-0x0000000000400000-0x0000000000462000-memory.dmp

memory/804-5-0x00000000008C0000-0x00000000008F8000-memory.dmp

memory/804-9-0x0000000000400000-0x0000000000462000-memory.dmp

memory/804-10-0x0000000000400000-0x000000000043B000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 916 set thread context of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 916 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 916 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 916 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 916 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 916 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 916 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe
PID 916 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7501c830d6_Tue23bdf4712a32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 88.99.35.59:63020 tcp
DE 88.99.35.59:63020 tcp

Files

memory/916-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

memory/916-1-0x0000000000880000-0x000000000090A000-memory.dmp

memory/916-2-0x00000000051E0000-0x0000000005256000-memory.dmp

memory/916-3-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/916-4-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/916-5-0x0000000005140000-0x000000000515E000-memory.dmp

memory/916-6-0x0000000005BB0000-0x0000000006154000-memory.dmp

memory/1672-7-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61e7501c830d6_Tue23bdf4712a32.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/1672-10-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/1672-13-0x0000000004E80000-0x0000000004E92000-memory.dmp

memory/916-12-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/1672-11-0x00000000054A0000-0x0000000005AB8000-memory.dmp

memory/1672-14-0x0000000004FB0000-0x00000000050BA000-memory.dmp

memory/1672-15-0x0000000004EE0000-0x0000000004F1C000-memory.dmp

memory/1672-16-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/1672-17-0x0000000004F20000-0x0000000004F6C000-memory.dmp

memory/1672-18-0x00000000744D0000-0x0000000074C80000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502c4cff3_Tue232cba58c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dpcapps.me udp

Files

memory/1924-2-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/1924-1-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/1924-0-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/1924-5-0x0000000000630000-0x0000000000648000-memory.dmp

memory/1924-4-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/1924-3-0x0000000000401000-0x0000000000444000-memory.dmp

memory/1924-12-0x0000000000230000-0x000000000023A000-memory.dmp

memory/1924-13-0x0000000000630000-0x0000000000648000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win7-20241010-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 248

Network

N/A

Files

memory/864-2-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/864-4-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/864-7-0x0000000064940000-0x0000000064959000-memory.dmp

memory/864-6-0x000000006494A000-0x000000006494F000-memory.dmp

memory/864-5-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/864-3-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/864-1-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/864-0-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/864-9-0x000000006EB40000-0x000000006EB63000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 1640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1640 -ip 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 652

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1640-0-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1640-2-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1640-5-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1640-4-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1640-3-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1640-1-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1640-7-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1640-9-0x000000006B440000-0x000000006B4CF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 v.xyzgamev.com udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-8MEFL.tmp\61e74fd3252fe_Tue23df2ad021a.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2104 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 2104 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 3768 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 3768 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 3768 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe
PID 4832 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8MEFL.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 4832 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8MEFL.tmp\61e74fd3252fe_Tue23df2ad021a.tmp
PID 4832 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe C:\Users\Admin\AppData\Local\Temp\is-8MEFL.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$90116,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-8MEFL.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8MEFL.tmp\61e74fd3252fe_Tue23df2ad021a.tmp" /SL5="$A029C,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd3252fe_Tue23df2ad021a.exe" /SILENT

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 noplayboy.com udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 101.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/2104-2-0x0000000000401000-0x000000000040B000-memory.dmp

memory/2104-0-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2HPE1.tmp\61e74fd3252fe_Tue23df2ad021a.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/3768-7-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VAPT8.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/4832-20-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4832-22-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3768-24-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2104-28-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4984-31-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LDAQS.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/4832-39-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4984-42-0x0000000000400000-0x00000000004BD000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd53f766_Tue23ec97445e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 106.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
FR 212.193.30.45:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 45.144.225.57:80 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 2.56.59.42:80 tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe

"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fda51500_Tue23260baecb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1856 -ip 1856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 352

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/1856-0-0x0000000000520000-0x0000000000528000-memory.dmp

memory/1856-1-0x0000000000530000-0x0000000000539000-memory.dmp

memory/1856-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1856-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1856-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1856-5-0x0000000000530000-0x0000000000539000-memory.dmp

memory/1856-4-0x0000000000520000-0x0000000000528000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-11 06:29

Reported

2024-11-11 06:32

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 1304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 1304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 1304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7zS850A099E\libcurlpp.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1304 -ip 1304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 664

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1304-0-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1304-1-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1304-5-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1304-4-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1304-11-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1304-13-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1304-12-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1304-10-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1304-6-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1304-7-0x000000006494A000-0x000000006494F000-memory.dmp

memory/1304-3-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1304-8-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1304-9-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1304-2-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1304-15-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1304-14-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1304-20-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1304-19-0x000000006FE40000-0x000000006FFC6000-memory.dmp