Analysis Overview
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Threat Level: Known bad
The file Downloaders.zip was found to be: Known bad.
Malicious Activity Summary
Stealerium
Stealc
Stealc family
Amadey family
Stealerium family
AsyncRat
Asyncrat family
Amadey
Async RAT payload
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-14 01:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-14 01:00
Reported
2025-02-14 01:03
Platform
win10v2004-20250211-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded update ping request omitted]
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| RU | 185.215.113.75:80 | 185.215.113.75 | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 4.155.164.36:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 104.77.160.86:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 150.171.27.10:443 | N/A | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-02-14 01:00
Reported
2025-02-14 01:03
Platform
win11-20250211-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
AsyncRat
Asyncrat family
Stealc
Stealc family
Stealerium
Stealerium family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\lgamarwz.url | C:\Windows\system32\taskmgr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\TCP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\plrifjidicfid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\perviy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4912 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\TCP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\perviy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded update ping request omitted]
C:\Users\Admin\AppData\Local\Temp\Files\TCP.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TCP.exe"
C:\Users\Admin\AppData\Local\Temp\Files\plrifjidicfid.exe
"C:\Users\Admin\AppData\Local\Temp\Files\plrifjidicfid.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
C:\Users\Admin\AppData\Local\Temp\Files\perviy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\perviy.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe
"C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f54de641-b5f1-487d-994f-cde4236f1e51.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\taskkill.exe
taskkill /F /PID 800
C:\Windows\system32\timeout.exe
timeout /T 2 /NOBREAK
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| CN | 121.40.48.175:80 | N/A | tcp |
| US | 4.155.164.36:443 | msedge.api.cdp.microsoft.com | tcp |
| GB | 104.77.160.78:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | maper.info | udp |
| VN | 14.243.221.170:3322 | N/A | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 172.67.155.114:443 | maper.info | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| VN | 14.243.221.170:3322 | N/A | tcp |
| RU | 185.215.113.217:80 | N/A | tcp |
| RU | 185.215.113.217:80 | N/A | tcp |
| HK | 47.76.249.169:80 | 47.76.249.169 | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.217:80 | N/A | tcp |
| VN | 14.243.221.170:3322 | N/A | tcp |
| VN | 14.243.221.170:3322 | N/A | tcp |
| VN | 14.243.221.170:3322 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Files\TCP.exe
| MD5 | f127aef5829703426ff8399a76c1852c |
| SHA1 | 17e72d081ceb20119abe7bef8c640d5db48276f6 |
| SHA256 | 6907ab3a0f4e69bf6dcb8c03a18bd8402afa701ade8863a0e15808614ffb1b17 |
| SHA512 | c3125920567b59119b86e284ed96c3860b1998f9d6b6078b5c2a18aa6b4c56274124fd2f77710bbbf972a6387ef20cb4a5d19c96be2131fb02f6d5692c2384c0 |
memory/1516-18-0x0000000000AF0000-0x0000000000B02000-memory.dmp
memory/1516-19-0x0000000074290000-0x0000000074A41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\plrifjidicfid.exe
| MD5 | b56db4ebf7110c1083550ed83a03df17 |
| SHA1 | 258b171956d961a628efa6433f8cb3f629a346fc |
| SHA256 | 2d6863a49648f59642f53236790f35a63df119facda1d98549025b3a8ddac2fb |
| SHA512 | f94d231f631a55a14130b7c8d9f5c1fd314b0b07029dc28146677f65aac99055e860b5744231b119fb06d0d582db59d4d73716c79f087d4fa455955a77ba4580 |
C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe
| MD5 | 036ba72c9c4cf36bda1dc440d537af3c |
| SHA1 | 3c10ef9932ffc206a586fe5768879bf078e9ebeb |
| SHA256 | bb41ae95f911a55ab1101ca7854918ec0f23548376d4846a2176b9c289102114 |
| SHA512 | c7e8c37787b759bca7fb6d02692c0263d6c60f606ee52e890f3c177dabd00ac6305cd43056164f6e16fbc18046a8c4226172f295ebc85e310ea7e52878d5137d |
memory/3428-39-0x0000000000380000-0x00000000003A0000-memory.dmp
memory/3428-40-0x00000000051B0000-0x0000000005756000-memory.dmp
memory/3428-41-0x0000000004CF0000-0x0000000004D82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 9d347d5ac998a89f78ba00e74b951f55 |
| SHA1 | 73df3d5c8388a4d6693cbb24f719dba8833c9157 |
| SHA256 | 2ea5686422bd8fb6eda542e9a96588f9deb1c97c45f3cb7d3b21ac4da540b57c |
| SHA512 | 3db7421aa98e8e108bf982048dda7e0f09428c6498cf5f9f56ef499fb2fafc5deabde8ecb99e1fdd570d54ae9c0533b7502de5848c9e772708cf75509d0c9d9e |
memory/3428-54-0x0000000006900000-0x000000000690A000-memory.dmp
memory/3272-55-0x0000000000B60000-0x0000000000B78000-memory.dmp
memory/1516-56-0x0000000074290000-0x0000000074A41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
| MD5 | 26d8d52bac8f4615861f39e118efa28d |
| SHA1 | efd5a7ccd128ffe280af75ec8b3e465c989d9e35 |
| SHA256 | 8521a1f4d523a2a9e7f8ddf01147e65e7f3ff54b268e9b40f91e07dc01fa148f |
| SHA512 | 1911a21d654e317fba50308007bb9d56fba2c19a545ef6dfaade17821b0f8fc48aa041c8a4a0339bee61cbd429852d561985e27c574eced716b2e937afa18733 |
memory/4912-68-0x00000000008F0000-0x0000000000976000-memory.dmp
memory/4912-69-0x000000001C7C0000-0x000000001C842000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\perviy.exe
| MD5 | 23ad8a022dd0138e14615a93b01d87da |
| SHA1 | 8c8d2b1d1c8006410fab2111b56ab55e0d55eb8b |
| SHA256 | fbb5cee6f3ee4ca8643b64da8d85e2aee256199f009d195d8b776cf0445e4b91 |
| SHA512 | c1889f29d8813b4853a688900c461a6f45950038387069176fc8950ba44f6c53705a39fdc09dfdd32979cd3f12790898fe505ea3c725f55413b4b3234e545c86 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 9918786300ad8c717995d228a3239f40 |
| SHA1 | d2eaabdad2ae7975eda10ca4b164aa03ff40e90c |
| SHA256 | 98ef46a27db3af45c6a72f04826f6eef615a427f48caae9ccce6ed94a788a3e5 |
| SHA512 | d4d43b9a896b8c8029b7a159af96135cfcdf2fb9a1eca4e5c657beee3fd1226d355eba78ac883c89bef5efef179b8609ef9ecf173991b724118339d831e9a040 |
memory/2164-102-0x0000000005070000-0x00000000050A6000-memory.dmp
memory/2164-103-0x0000000005790000-0x0000000005DBA000-memory.dmp
memory/2164-106-0x0000000005750000-0x0000000005772000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lvarr23.4pf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe
| MD5 | 6967a105bf22f11871cf14fb2fda7bf1 |
| SHA1 | 9be5af0232c8219b9ba0df4cb2b924b07e467ac2 |
| SHA256 | d06a144d1382d9fb1596b5a7a94d43377249bc95faee1d7b23dce3d6ac98dd3d |
| SHA512 | df232d8915746eac5383a179fbcf322d697eacca9104da95962826a85416555c708575ffb84a769d8699c03597309a84269f310f3d555525a39f86967f85dcc5 |
memory/800-124-0x0000022727620000-0x00000227279D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\008898722351
| MD5 | 8e195a05808b604246ac1b67766767af |
| SHA1 | 8a6ad7a4c6feab1b532a915f75996b96e1ae1893 |
| SHA256 | c979cd46da2dc655bd08fc0181ecaa20e2b276f5ca44aa0717bdf4b9cabce388 |
| SHA512 | 84f3621ae8bb7ddf6ee224361df9819654cff7a691e2069b5ebba3d7d8be44c0ad68913bbf9d076ac85cefaa3fa58cbd8a75990f23d1f2dabe0e43e76da1c1b8 |
C:\Users\Admin\AppData\Local\Temp\f54de641-b5f1-487d-994f-cde4236f1e51.bat
| MD5 | 5ea688e3c877101837eaa05b3b6b531b |
| SHA1 | 252a60373659fe784464323587b7e278b29a0b6d |
| SHA256 | d8c1feb552976a859ae3890da831cc4f3944e7a95c5390cfe024b0c4c1f95227 |
| SHA512 | e573dc6dee8db7e0bed30885fd41c19a992c9dec956e62e1f94ccb82e62b3adf282586ac8ca76712f5ca3f149d671616591ea6ba3122134bec1f449db5759942 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url
| MD5 | 76f433b3fbd6c3d0ca94f50293292ecc |
| SHA1 | 55cecbed8cb353b05ce046ad185488fbcb91bed8 |
| SHA256 | b04b8ad6f41d55d715fee227f2c1e4d333627ff2a1b89c0f55e35384028f1b32 |
| SHA512 | 829f24bd3474abb436d4f685fc6ec8172b1d3ad548cfa71b3cd263b0a3fc353ae4cdd0ab925397fdb07bfa859e79711a6c0b7dbdd95b94b419fedce60090bdb6 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-14 01:00
Reported
2025-02-14 01:03
Platform
win7-20240903-en
Max time kernel
150s
Max time network
132s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.66.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab28B8.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar28DA.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7861d1fcb4e9548d8bd1549279f2ec7d |
| SHA1 | bb264871951ba92ccadcb9a93259a5dd8ddff2ec |
| SHA256 | 4dc2992de8268dc47a7ef68ecadb4c74d4bee11c433f783cce236cf43f2f115d |
| SHA512 | 8d9851453ba836b74b2831d84196dc15487f6570561aa3c4b19d63540d30cd54f5edb69cbf2b11eaf33d4c9b94ebbb7d166110301e809c0d5e382f50b85accb6 |