Analysis Overview
SHA256
9c2b49dde271accdeb74a011a6091c6d7ed432326d24d424bc547eb57c343a6f
Threat Level: Known bad
The file quarantine.7z was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Vidar
Detect Vidar Stealer
XMRig Miner payload
RedLine payload
RedLine
Xworm family
Redline family
Socks5systemz family
Systembc family
Vidar family
Xmrig family
Detect Socks5Systemz Payload
xmrig
SystemBC
Socks5Systemz
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Uses browser remote debugging
Executes dropped EXE
Checks BIOS information in registry
Reads user/profile data of local email clients
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Identifies Wine through registry keys
Unsecured Credentials: Credentials In Files
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2025-03-04 00:44
Signatures
Unsigned PE
Analysis: behavioral5
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win7-20241023-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Detect Vidar Stealer
Vidar
Vidar family
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1484 set thread context of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\JCFx2xj.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\JCFx2xj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\JCFx2xj.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\JCFx2xj.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7089758,0x7fef7089768,0x7fef7089778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2172 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2184 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3240 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1280 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1420 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 --field-trial-handle=1344,i,9037681793641153570,10111960948445957046,131072 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ai58y" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.201.106:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 216.58.201.106:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.46:443 | play.google.com | tcp |
| GB | 142.250.200.46:443 | play.google.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
| DE | 5.75.210.83:443 | 5.75.210.83 | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar5CA8.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
\??\pipe\crashpad_2536_FWCKYFXSIYBRTSPX
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Analysis: behavioral8
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:48
Platform
win10v2004-20250217-en
Max time kernel
94s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 220 -ip 220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 304
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 104.208.16.91:443 | N/A | tcp |
Analysis: behavioral22
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:48
Platform
win10v2004-20250217-en
Max time kernel
92s
Max time network
149s
Command Line
Signatures
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 172.67.146.181:443 | gadgethgfub.icu | tcp |
| US | 172.67.146.181:443 | gadgethgfub.icu | tcp |
| US | 172.67.146.181:443 | gadgethgfub.icu | tcp |
| US | 172.67.146.181:443 | gadgethgfub.icu | tcp |
| US | 172.67.146.181:443 | gadgethgfub.icu | tcp |
| US | 172.67.146.181:443 | gadgethgfub.icu | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Analysis: behavioral10
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win10v2004-20250217-en
Max time kernel
123s
Max time network
139s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge Protect = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinTemp\\Microsoft Edge Protect.exe\"" | C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe"
C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe
"C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe"
C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe
"C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get ProcessorId
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC BIOS GET SERIALNUMBER"
C:\Windows\System32\Wbem\WMIC.exe
WMIC BIOS GET SERIALNUMBER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC COMPUTERSYSTEM GET MODEL"
C:\Windows\System32\Wbem\WMIC.exe
WMIC COMPUTERSYSTEM GET MODEL
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC COMPUTERSYSTEM GET MANUFACTURER"
C:\Windows\System32\Wbem\WMIC.exe
WMIC COMPUTERSYSTEM GET MANUFACTURER
Network
| Country | Destination | Domain | Proto |
| FI | 135.181.76.95:80 | 135.181.76.95 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 135.181.76.95:80 | 135.181.76.95 | tcp |
| FI | 135.181.76.95:80 | 135.181.76.95 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| FI | 135.181.76.95:80 | 135.181.76.95 | tcp |
| FI | 135.181.76.95:80 | 135.181.76.95 | tcp |
| FI | 135.181.76.95:80 | 135.181.76.95 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI6882\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Africa\Conakry
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Africa\Djibouti
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Africa\Lagos
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Africa\Kigali
| MD5 | a87061b72790e27d9f155644521d8cce |
| SHA1 | 78de9718a513568db02a07447958b30ed9bae879 |
| SHA256 | fd4a97368230a89676c987779510a9920fe8d911fa065481536d1048cd0f529e |
| SHA512 | 3f071fd343d4e0f5678859c4f7f48c292f8b9a3d62d1075938c160142defd4f0423d8f031c95c48119ac71f160c9b6a02975841d49422b61b542418b8a63e441 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\America\Curacao
| MD5 | 92d3b867243120ea811c24c038e5b053 |
| SHA1 | ade39dfb24b20a67d3ac8cc7f59d364904934174 |
| SHA256 | abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d |
| SHA512 | 1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\America\Toronto
| MD5 | 3fa8a9428d799763fa7ea205c02deb93 |
| SHA1 | 222b74b3605024b3d9ed133a3a7419986adcc977 |
| SHA256 | 815ab4db7a1b1292867d2f924b718e1bba32455ce9f92205db2feb65029c6761 |
| SHA512 | 107a4dbb64107f781e3ed17b505baea28d4ca6683c2b49d146dda41c28ca3f9c307809ed938e4152011e199a7be6913de6f7b78cafe8ef300dc3034397945238 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Etc\Greenwich
| MD5 | e7577ad74319a942781e7153a97d7690 |
| SHA1 | 91d9c2bf1cbb44214a808e923469d2153b3f9a3f |
| SHA256 | dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7 |
| SHA512 | b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Europe\London
| MD5 | d111147703d04769072d1b824d0ddc0c |
| SHA1 | 0c99c01cad245400194d78f9023bd92ee511fbb1 |
| SHA256 | 676541f0b8ad457c744c093f807589adcad909e3fd03f901787d08786eedbd33 |
| SHA512 | 21502d194dfd89ac66f3df6610cb7725936f69faafb6597d4c22cec9d5e40965d05dd7111de9089bc119ec2b701fea664d3cb291b20ae04d59bcbd79e681d07a |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Europe\Oslo
| MD5 | 2577d6d2ba90616ca47c8ee8d9fbca20 |
| SHA1 | e8f7079796d21c70589f90d7682f730ed236afd4 |
| SHA256 | a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7 |
| SHA512 | f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Europe\Skopje
| MD5 | a4ac1780d547f4e4c41cab4c6cf1d76d |
| SHA1 | 9033138c20102912b7078149abc940ea83268587 |
| SHA256 | a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6 |
| SHA512 | 7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\PRC
| MD5 | dff9cd919f10d25842d1381cdff9f7f7 |
| SHA1 | 2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f |
| SHA256 | bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a |
| SHA512 | c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Pacific\Wallis
| MD5 | ba8d62a6ed66f462087e00ad76f7354d |
| SHA1 | 584a5063b3f9c2c1159cebea8ea2813e105f3173 |
| SHA256 | 09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e |
| SHA512 | 9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\Pacific\Yap
| MD5 | bcf8aa818432d7ae244087c7306bcb23 |
| SHA1 | 5a91d56826d9fc9bc84c408c581a12127690ed11 |
| SHA256 | 683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19 |
| SHA512 | d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\tzdata\zoneinfo\UCT
| MD5 | 51d8a0e68892ebf0854a1b4250ffb26b |
| SHA1 | b3ea2db080cd92273d70a8795d1f6378ac1d2b74 |
| SHA256 | fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93 |
| SHA512 | 4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\python312.dll
| MD5 | d521654d889666a0bc753320f071ef60 |
| SHA1 | 5fd9b90c5d0527e53c199f94bad540c1e0985db6 |
| SHA256 | 21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2 |
| SHA512 | 7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\_ctypes.pyd
| MD5 | fb454c5e74582a805bc5e9f3da8edc7b |
| SHA1 | 782c3fa39393112275120eaf62fc6579c36b5cf8 |
| SHA256 | 74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1 |
| SHA512 | 727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\base_library.zip
| MD5 | 640a70cacdc3878c7128a88b75a81709 |
| SHA1 | 3a7d6b07e94c906ca227c6b2d5723389573dc335 |
| SHA256 | 6da8c9eaea69628e5a4c4c85205994b781e0ebc1d8a05fde1377d3e12c081d5b |
| SHA512 | d284fba54c349592a2dc5896148ca2dafe08af55c065d0077529c297fb63ffc692bea6abe122ab082b4b80197ebd4cbd54d5dec3ec4f0a773a22275562f16ee8 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\python3.DLL
| MD5 | a07661c5fad97379cf6d00332999d22c |
| SHA1 | dca65816a049b3cce5c4354c3819fef54c6299b0 |
| SHA256 | 5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b |
| SHA512 | 6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\_bz2.pyd
| MD5 | 5bebc32957922fe20e927d5c4637f100 |
| SHA1 | a94ea93ee3c3d154f4f90b5c2fe072cc273376b3 |
| SHA256 | 3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62 |
| SHA512 | afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\_lzma.pyd
| MD5 | 195defe58a7549117e06a57029079702 |
| SHA1 | 3795b02803ca37f399d8883d30c0aa38ad77b5f2 |
| SHA256 | 7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a |
| SHA512 | c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | cfe0c1dfde224ea5fed9bd5ff778a6e0 |
| SHA1 | 5150e7edd1293e29d2e4d6bb68067374b8a07ce6 |
| SHA256 | 0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e |
| SHA512 | b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\pyexpat.pyd
| MD5 | 958231414cc697b3c59a491cc79404a7 |
| SHA1 | 3dec86b90543ea439e145d7426a91a7aca1eaab6 |
| SHA256 | efd6099b1a6efdadd988d08dce0d8a34bd838106238250bccd201dc7dcd9387f |
| SHA512 | fd29d0aab59485340b68dc4552b9e059ffb705d4a64ff9963e1ee8a69d9d96593848d07be70528d1beb02bbbbd69793ee3ea764e43b33879f5c304d8a912c3be |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\libssl-3.dll
| MD5 | 19a2aba25456181d5fb572d88ac0e73e |
| SHA1 | 656ca8cdfc9c3a6379536e2027e93408851483db |
| SHA256 | 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006 |
| SHA512 | df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\libcrypto-3.dll
| MD5 | e547cf6d296a88f5b1c352c116df7c0c |
| SHA1 | cafa14e0367f7c13ad140fd556f10f320a039783 |
| SHA256 | 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de |
| SHA512 | 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | a0776b3a28f7246b4a24ff1b2867bdbf |
| SHA1 | 383c9a6afda7c1e855e25055aad00e92f9d6aaff |
| SHA256 | 2e554d9bf872a64d2cd0f0eb9d5a06dea78548bc0c7a6f76e0a0c8c069f3c0a9 |
| SHA512 | 7c9f0f8e53b363ef5b2e56eec95e7b78ec50e9308f34974a287784a1c69c9106f49ea2d9ca037f0a7b3c57620fcbb1c7c372f207c68167df85797affc3d7f3ba |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 001e60f6bbf255a60a5ea542e6339706 |
| SHA1 | f9172ec37921432d5031758d0c644fe78cdb25fa |
| SHA256 | 82fba9bc21f77309a649edc8e6fc1900f37e3ffcb45cd61e65e23840c505b945 |
| SHA512 | b1a6dc5a34968fbdc8147d8403adf8b800a06771cc9f15613f5ce874c29259a156bab875aae4caaec2117817ce79682a268aa6e037546aeca664cd4eea60adbf |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 115e8275eb570b02e72c0c8a156970b3 |
| SHA1 | c305868a014d8d7bbef9abbb1c49a70e8511d5a6 |
| SHA256 | 415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004 |
| SHA512 | b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 96498dc4c2c879055a7aff2a1cc2451e |
| SHA1 | fecbc0f854b1adf49ef07beacad3cec9358b4fb2 |
| SHA256 | 273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d |
| SHA512 | 4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 20c0afa78836b3f0b692c22f12bda70a |
| SHA1 | 60bb74615a71bd6b489c500e6e69722f357d283e |
| SHA256 | 962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc |
| SHA512 | 65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 272c0f80fd132e434cdcdd4e184bb1d8 |
| SHA1 | 5bc8b7260e690b4d4039fe27b48b2cecec39652f |
| SHA256 | bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d |
| SHA512 | 94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-private-l1-1-0.dll
| MD5 | 7ea5935428f10d970ad446ba72313440 |
| SHA1 | 58c2a2938bc44769bc3487327bd6c840a3fe2e5c |
| SHA256 | 8b19bcb4918b346a8ba5e19d91823e5842314e928dbb86de8758d0dbb2b94bb4 |
| SHA512 | 02abf2c37283ad69648b22375c6cac76e5c2cc8c637e106da014977d1a22beac8be65b75890e9d0bf96a55d77652254aad597ef7bd1e61577813bd393b7ed0ef |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-multibyte-l1-1-0.dll
| MD5 | 075419431d46dc67932b04a8b91a772f |
| SHA1 | db2af49ee7b6bec379499b5a80be39310c6c8425 |
| SHA256 | 3a4b66e65a5ee311afc37157a8101aba6017ff7a4355b4dd6e6c71d5b7223560 |
| SHA512 | 76287e0003a396cda84ce6b206986476f85e927a389787d1d273684167327c41fc0fe5e947175c0deb382c5accf785f867d9fce1fea4abd7d99b201e277d1704 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-math-l1-1-0.dll
| MD5 | b8f0210c47847fc6ec9fbe2a1ad4debb |
| SHA1 | e99d833ae730be1fedc826bf1569c26f30da0d17 |
| SHA256 | 1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7 |
| SHA512 | 992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 650435e39d38160abc3973514d6c6640 |
| SHA1 | 9a5591c29e4d91eaa0f12ad603af05bb49708a2d |
| SHA256 | 551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0 |
| SHA512 | 7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | d5d77669bd8d382ec474be0608afd03f |
| SHA1 | 1558f5a0f5facc79d3957ff1e72a608766e11a64 |
| SHA256 | 8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8 |
| SHA512 | 8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 5107487b726bdcc7b9f7e4c2ff7f907c |
| SHA1 | ebc46221d3c81a409fab9815c4215ad5da62449c |
| SHA256 | 94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade |
| SHA512 | a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | f9235935dd3ba2aa66d3aa3412accfbf |
| SHA1 | 281e548b526411bcb3813eb98462f48ffaf4b3eb |
| SHA256 | 2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200 |
| SHA512 | ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | edf71c5c232f5f6ef3849450f2100b54 |
| SHA1 | ed46da7d59811b566dd438fa1d09c20f5dc493ce |
| SHA256 | b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc |
| SHA512 | 481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | d4fba5a92d68916ec17104e09d1d9d12 |
| SHA1 | 247dbc625b72ffb0bf546b17fb4de10cad38d495 |
| SHA256 | 93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5 |
| SHA512 | d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-util-l1-1-0.dll
| MD5 | 0f129611a4f1e7752f3671c9aa6ea736 |
| SHA1 | 40c07a94045b17dae8a02c1d2b49301fad231152 |
| SHA256 | 2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f |
| SHA512 | 6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | d12403ee11359259ba2b0706e5e5111c |
| SHA1 | 03cc7827a30fd1dee38665c0cc993b4b533ac138 |
| SHA256 | f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781 |
| SHA512 | 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | fd46c3f6361e79b8616f56b22d935a53 |
| SHA1 | 107f488ad966633579d8ec5eb1919541f07532ce |
| SHA256 | 0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df |
| SHA512 | 3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 1281e9d1750431d2fe3b480a8175d45c |
| SHA1 | bc982d1c750b88dcb4410739e057a86ff02d07ef |
| SHA256 | 433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa |
| SHA512 | a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 225d9f80f669ce452ca35e47af94893f |
| SHA1 | 37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50 |
| SHA256 | 61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232 |
| SHA512 | 2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-string-l1-1-0.dll
| MD5 | 2666581584ba60d48716420a6080abda |
| SHA1 | c103f0ea32ebbc50f4c494bce7595f2b721cb5ad |
| SHA256 | 27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328 |
| SHA512 | befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | a0c2dbe0f5e18d1add0d1ba22580893b |
| SHA1 | 29624df37151905467a223486500ed75617a1dfd |
| SHA256 | 3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f |
| SHA512 | 3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-profile-l1-1-0.dll
| MD5 | f3ff2d544f5cd9e66bfb8d170b661673 |
| SHA1 | 9e18107cfcd89f1bbb7fdaf65234c1dc8e614add |
| SHA256 | e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f |
| SHA512 | 184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 517eb9e2cb671ae49f99173d7f7ce43f |
| SHA1 | 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab |
| SHA256 | 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54 |
| SHA512 | 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | c3632083b312c184cbdd96551fed5519 |
| SHA1 | a93e8e0af42a144009727d2decb337f963a9312e |
| SHA256 | be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125 |
| SHA512 | 8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 0462e22f779295446cd0b63e61142ca5 |
| SHA1 | 616a325cd5b0971821571b880907ce1b181126ae |
| SHA256 | 0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e |
| SHA512 | 07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | 321a3ca50e80795018d55a19bf799197 |
| SHA1 | df2d3c95fb4cbb298d255d342f204121d9d7ef7f |
| SHA256 | 5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f |
| SHA512 | 3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 3c38aac78b7ce7f94f4916372800e242 |
| SHA1 | c793186bcf8fdb55a1b74568102b4e073f6971d6 |
| SHA256 | 3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d |
| SHA512 | c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 724223109e49cb01d61d63a8be926b8f |
| SHA1 | 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b |
| SHA256 | 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210 |
| SHA512 | 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 1f2a00e72bc8fa2bd887bdb651ed6de5 |
| SHA1 | 04d92e41ce002251cc09c297cf2b38c4263709ea |
| SHA256 | 9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142 |
| SHA512 | 8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | c6024cc04201312f7688a021d25b056d |
| SHA1 | 48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd |
| SHA256 | 8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500 |
| SHA512 | d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-heap-l1-1-0.dll
| MD5 | accc640d1b06fb8552fe02f823126ff5 |
| SHA1 | 82ccc763d62660bfa8b8a09e566120d469f6ab67 |
| SHA256 | 332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f |
| SHA512 | 6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-handle-l1-1-0.dll
| MD5 | e89cdcd4d95cda04e4abba8193a5b492 |
| SHA1 | 5c0aee81f32d7f9ec9f0650239ee58880c9b0337 |
| SHA256 | 1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238 |
| SHA512 | 55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1c58526d681efe507deb8f1935c75487 |
| SHA1 | 0e6d328faf3563f2aae029bc5f2272fb7a742672 |
| SHA256 | ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2 |
| SHA512 | 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-file-l1-1-0.dll
| MD5 | efad0ee0136532e8e8402770a64c71f9 |
| SHA1 | cda3774fe9781400792d8605869f4e6b08153e55 |
| SHA256 | 3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed |
| SHA512 | 69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | eb0978a9213e7f6fdd63b2967f02d999 |
| SHA1 | 9833f4134f7ac4766991c918aece900acfbf969f |
| SHA256 | ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e |
| SHA512 | 6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 33bbece432f8da57f17bf2e396ebaa58 |
| SHA1 | 890df2dddfdf3eeccc698312d32407f3e2ec7eb1 |
| SHA256 | 7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e |
| SHA512 | 619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5 |
C:\Users\Admin\AppData\Local\Temp\_MEI6882\api-ms-win-core-console-l1-1-0.dll
| MD5 | e8b9d74bfd1f6d1cc1d99b24f44da796 |
| SHA1 | a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452 |
| SHA256 | b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59 |
| SHA512 | b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27 |
memory/2912-851-0x00007FF741FC0000-0x00007FF742110000-memory.dmp
memory/2880-852-0x00000000648C0000-0x000000006496A000-memory.dmp
memory/2880-854-0x000002C2084B0000-0x000002C208A1D000-memory.dmp
memory/2880-853-0x00007FFE0E4B0000-0x00007FFE1058A000-memory.dmp
memory/2912-1521-0x00007FF741FC0000-0x00007FF742110000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:48
Platform
win7-20240903-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\d0HNrLB = "C:\\Users\\Admin\\AppData\\Roaming\\d0HNrLB.exe" | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2908 set thread context of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe |
| PID 2676 set thread context of 3052 | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe |
| PID 2948 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe |
| PID 2472 set thread context of 2576 | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 520
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\Admin\AppData\Roaming\d0HNrLB.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {F99F3997-B368-4A7A-878A-CDBB5680CDD1} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
"C:\Users\Admin\AppData\Roaming\d0HNrLB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 508
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
"C:\Users\Admin\AppData\Roaming\d0HNrLB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 508
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
"C:\Users\Admin\AppData\Roaming\d0HNrLB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 508
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | appengine.google.com | udp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
Files
memory/2908-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp
memory/2908-1-0x0000000001350000-0x000000000139E000-memory.dmp
memory/2908-2-0x0000000074CE0000-0x00000000753CE000-memory.dmp
memory/2216-14-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2216-18-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2216-16-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2216-12-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2216-10-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2216-8-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2216-6-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2216-4-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2908-19-0x0000000074CE0000-0x00000000753CE000-memory.dmp
memory/2216-20-0x0000000074CE0000-0x00000000753CE000-memory.dmp
memory/2908-24-0x0000000074CE0000-0x00000000753CE000-memory.dmp
memory/2216-25-0x0000000074CE0000-0x00000000753CE000-memory.dmp
memory/2676-28-0x0000000000EB0000-0x0000000000EFE000-memory.dmp
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
| MD5 | d1458dc39b290683cefbb01cc5b0991a |
| SHA1 | e9749971be9d943cb2a62e2be5eb442161876ec6 |
| SHA256 | dc7d690adb8ea5ab1a9b1f65fc3a62b35d9ae4c57a7806ccb226b825f1465f2d |
| SHA512 | f90bc037576ee1205fa260d5b6b05c95f930025bc40f541b92f39b845b8e9a90a59ec18ef0be1ab5cf7bb74ed6a6222fc1a882df894ba8e1e722d671aef37e35 |
memory/3052-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2948-49-0x0000000000100000-0x000000000014E000-memory.dmp
memory/2484-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2472-70-0x00000000011D0000-0x000000000121E000-memory.dmp
memory/2576-80-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0HNrLB = "C:\\Users\\Admin\\AppData\\Roaming\\d0HNrLB.exe" | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4748 set thread context of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe |
| PID 2304 set thread context of 4356 | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe |
| PID 3632 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 760
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\Admin\AppData\Roaming\d0HNrLB.exe"
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
"C:\Users\Admin\AppData\Roaming\d0HNrLB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2304 -ip 2304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 804
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
"C:\Users\Admin\AppData\Roaming\d0HNrLB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 772
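The three autostart entries recorded for d0HNrLB.exe in this detonation (the copy dropped into the Startup folder, the Run value under HKCU, and the schtasks job re-armed every minute) all point at a binary under the user's AppData, which is the property a hunting rule should key on rather than the file name. The following is an added example, not part of the report: it runs a small detector over constructed Sysmon-style event records that mirror the report's command line, registry write and file drop. The event field names, the USER_WRITABLE directory list and the five-minute interval threshold are assumptions, not anything the sandbox emits.

```python
"""Flag user-level autostart entries of the kind recorded for d0HNrLB.exe.

Added example, not sandbox output: SAMPLE_EVENTS are constructed Sysmon-style
records (EventID 1 process create, 13 registry value set, 11 file create) that
mirror the report's schtasks command line, Run value and Startup-folder drop.
Field names, the writable-directory list and the interval threshold are
assumptions.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Directories a standard user can write to. An autostart that launches a binary
# from one of these is far more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(
    r"(?i)\\(users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\"
)
RUN_KEY = re.compile(r"(?i)\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$")
STARTUP_DIR = re.compile(r"(?i)\\start menu\\programs\\startup\\[^\\]+$")
MAX_MINUTES = 5   # a task re-armed this often is a keep-alive, not maintenance


@dataclass(frozen=True)
class Finding:
    technique: str   # one label per mechanism
    evidence: str    # the value that triggered the rule


def parse_schtasks(cmdline: str) -> dict[str, str | None]:
    """Map a schtasks command line to {option: value}. Options are lower-cased,
    quotes around values are stripped, value-less flags (/f, /create) map to None."""
    tokens = shlex.split(cmdline, posix=False)   # non-POSIX: backslashes stay literal
    opts: dict[str, str | None] = {}
    i = 1                                         # tokens[0] is the schtasks image
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key, val = tok[1:].lower(), None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                val = tokens[i + 1].strip('"')
                i += 1
            opts[key] = val
        i += 1
    return opts


def find_persistence(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and "schtasks" in ev.get("Image", "").lower():
            opts = parse_schtasks(ev.get("CommandLine", ""))
            action = opts.get("tr") or ""
            if "create" not in opts or not USER_WRITABLE.search(action):
                continue
            if (opts.get("sc") or "").lower() == "minute":
                every = int(opts.get("mo") or 1)          # schtasks defaults /mo to 1
                if every <= MAX_MINUTES:
                    findings.append(Finding("scheduled_task_minute", f"every {every} min -> {action}"))
        elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            data = ev.get("Details", "").strip('"')
            if USER_WRITABLE.search(data):
                findings.append(Finding("run_key", data))
        elif eid == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
            findings.append(Finding("startup_folder", ev["TargetFilename"]))
    return findings


SAMPLE_EVENTS = [  # constructed, modelled on the behavioral12 rows in the report
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "d0HNrLB" /tr "C:\Users\Admin\AppData\Roaming\d0HNrLB.exe"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0HNrLB",
     "Details": r"C:\Users\Admin\AppData\Roaming\d0HNrLB.exe"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0HNrLB.exe"},
    # benign control: a daily vendor task under Program Files must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "Updater" /tr "C:\Program Files\Vendor\update.exe"'},
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"{f.technique:<22} {f.evidence}")
```

The schtasks rule deliberately requires both conditions (minute-level repetition and a user-writable target); either one alone fires on legitimate updaters and on admin jobs that happen to live in ProgramData. Note that schtasks defaults /mo to 1 when /sc minute is given without it, so the parser must not treat a missing /mo as "no interval".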
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | appengine.google.com | udp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 20.189.173.27:443 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
| HU | 178.250.188.144:22635 | | tcp |
Files
memory/4748-0-0x00000000751BE000-0x00000000751BF000-memory.dmp
memory/4748-1-0x0000000000010000-0x000000000005E000-memory.dmp
memory/4748-3-0x0000000005120000-0x00000000056C4000-memory.dmp
memory/4748-2-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4748-4-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4740-6-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4748-7-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4740-8-0x00000000054D0000-0x000000000556C000-memory.dmp
memory/4740-9-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4740-10-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4748-11-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4740-15-0x00000000751B0000-0x0000000075960000-memory.dmp
C:\Users\Admin\AppData\Roaming\d0HNrLB.exe
| MD5 | d1458dc39b290683cefbb01cc5b0991a |
| SHA1 | e9749971be9d943cb2a62e2be5eb442161876ec6 |
| SHA256 | dc7d690adb8ea5ab1a9b1f65fc3a62b35d9ae4c57a7806ccb226b825f1465f2d |
| SHA512 | f90bc037576ee1205fa260d5b6b05c95f930025bc40f541b92f39b845b8e9a90a59ec18ef0be1ab5cf7bb74ed6a6222fc1a882df894ba8e1e722d671aef37e35 |
memory/2304-18-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/2304-19-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/2304-20-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/2304-24-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/2304-25-0x00000000751B0000-0x0000000075960000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d0HNrLB.exe.log
| MD5 | 5e94b238b014b2475a606db72c39b60f |
| SHA1 | a6a2b64884f1a2bb82c0ee7fe0682f9c2c619ed9 |
| SHA256 | 15f497aea89068cc4068fc495ecc93a4e5b6325423d6bf576cb73cae7ff86e48 |
| SHA512 | f57b4921101ee4c473af007d9eaf502c38681b3249bd8765156a741788b3b672687c0f06b31029aa09e6a8f3159666de6ed5e221fa5188ca7d5ca1c05e992896 |
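In the SetThreadContext rows of this detonation the parent and child are the same image: d0HNrLB.exe starts a second copy of itself and then rewrites that copy's thread context. The dump list shows the child, PID 4740, holding a 0x36000-byte region at 0x400000 that never appears in the parent's dumps (the same size and base as PID 2216 in the earlier detonation), and the CLR_v4.0_32 UsageLogs file above is written by the .NET runtime, so the parent is a managed loader and the region at 0x400000 is the one to carve for the unmanaged payload. The following is an added example, not report content: it rebuilds per-PID region maps from the dump file names copied from this analysis and diffs each parent/child pair, reporting child-only ranges and pairs for which the sandbox captured no child dump at all.

```python
"""Rebuild per-PID memory region maps from the report's dump file names and
diff them across the 'set thread context' parent/child pairs.

Added example, not part of the report. DUMPS and CONTEXT_ROWS are copied from
the Files and SetThreadContext sections of Analysis: behavioral12; the
interpretation (child-only regions are what the parent wrote in before
resuming the thread) is the editor's reading of those rows.
"""
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
CTX = re.compile(r"PID (\d+) set thread context of (\d+)")

DUMPS = """
memory/4748-0-0x00000000751BE000-0x00000000751BF000-memory.dmp
memory/4748-1-0x0000000000010000-0x000000000005E000-memory.dmp
memory/4748-3-0x0000000005120000-0x00000000056C4000-memory.dmp
memory/4748-2-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4748-4-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4740-6-0x0000000000400000-0x0000000000436000-memory.dmp
memory/4748-7-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4740-8-0x00000000054D0000-0x000000000556C000-memory.dmp
memory/4740-9-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4740-10-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4748-11-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/4740-15-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/2304-18-0x00000000751B0000-0x0000000075960000-memory.dmp
memory/2304-19-0x00000000751B0000-0x0000000075960000-memory.dmp
"""

CONTEXT_ROWS = r"""
| PID 4748 set thread context of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\d0HNrLB.exe |
| PID 2304 set thread context of 4356 | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe |
| PID 3632 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe | C:\Users\Admin\AppData\Roaming\d0HNrLB.exe |
"""


def region_map(text: str) -> dict[int, set[tuple[int, int]]]:
    """pid -> {(start, end)}; repeated dumps of the same range collapse to one."""
    regions: dict[int, set[tuple[int, int]]] = defaultdict(set)
    for pid, start, end in DUMP.findall(text):
        regions[int(pid)].add((int(start, 16), int(end, 16)))
    return dict(regions)


def thread_context_pairs(text: str) -> list[tuple[int, int]]:
    """(parent, child) for every 'PID X set thread context of Y' row."""
    return [(int(p), int(c)) for p, c in CTX.findall(text)]


def injected_regions(regions, pairs):
    """For each parent -> child pair, the ranges dumped from the child that never
    appear in the parent. Shared ranges (the same DLL mapped in both) drop out;
    None means the sandbox captured no dump for that child."""
    result = {}
    for parent, child in pairs:
        if child not in regions:
            result[(parent, child)] = None
            continue
        result[(parent, child)] = sorted(regions[child] - regions.get(parent, set()))
    return result


def describe(region: tuple[int, int]) -> str:
    start, end = region
    return f"0x{start:08X}-0x{end:08X} ({end - start:#x} bytes)"


if __name__ == "__main__":
    found = injected_regions(region_map(DUMPS), thread_context_pairs(CONTEXT_ROWS))
    for (parent, child), ranges in found.items():
        if ranges is None:
            print(f"{parent} -> {child}: no dump of the child")
        else:
            print(f"{parent} -> {child}: " + ", ".join(describe(r) for r in ranges))
```

The two later pairs (2304 -> 4356, 3632 -> 4172) come back as None because the Files list holds dumps for 2304 only; that is a gap in the capture, not evidence that nothing was written, and the crash reported for those parents by WerFault is consistent with the injection failing before the child was resumed.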
Analysis: behavioral17
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win7-20240903-en
Max time kernel
145s
Max time network
119s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\ejqa\dehms.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\ejqa\dehms.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\ejqa\dehms.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\ejqa\dehms.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine | C:\ProgramData\ejqa\dehms.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| N/A | N/A | C:\ProgramData\ejqa\dehms.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ejqa\dehms.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| N/A | N/A | C:\ProgramData\ejqa\dehms.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2868 wrote to memory of 2864 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\ejqa\dehms.exe |
| PID 2868 wrote to memory of 2864 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\ejqa\dehms.exe |
| PID 2868 wrote to memory of 2864 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\ejqa\dehms.exe |
| PID 2868 wrote to memory of 2864 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\ejqa\dehms.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {9606F752-8187-4FF6-AB77-030002174F2E} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
C:\ProgramData\ejqa\dehms.exe
C:\ProgramData\ejqa\dehms.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
Files
memory/1484-0-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-1-0x0000000077CA0000-0x0000000077CA2000-memory.dmp
memory/1484-2-0x0000000000401000-0x0000000000403000-memory.dmp
memory/1484-4-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-6-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-7-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-8-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-9-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-10-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-11-0x0000000000400000-0x0000000000856000-memory.dmp
C:\ProgramData\ejqa\dehms.exe
| MD5 | efac52cc9304919d4f9e49c56bdbd484 |
| SHA1 | 68e90fd0a473ba822bb4f708d718afcbbd660850 |
| SHA256 | e903bd6ec4817fca7a718b770d6d6a509c7e522cbebb41bd26e48bfe009d0510 |
| SHA512 | 9185437c21c56772d3dd7172269b3569380b518e78c8cb9dcf947968476d4d79beb2aeb31da66d3736a2a0f3be88d3caf86d9ba79c59608aaca196c409466ada |
memory/2864-14-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-15-0x0000000000400000-0x0000000000856000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | 4887385ed6b14d359e6297c851044acc |
| SHA1 | c0d431751afb63e8fb4beb428bd454003afcc77a |
| SHA256 | 5718e266f7a2450202a8967a179986d1288de84848755586f080cab002f38c0e |
| SHA512 | 0e25625535d1d4b7aff5a7c12cb4a60dabdb57133b4aa28dc25fed499ffa2e30c3709d3974839d570fe516158cf21a467802f5788479e4c83eb3e95187bc9f62 |
memory/2864-17-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-18-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-19-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-20-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-21-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-22-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-23-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-24-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-25-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1484-26-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-27-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-28-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-29-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-30-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-31-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-32-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-33-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-34-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-35-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2864-36-0x0000000000400000-0x0000000000856000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win7-20240903-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3008 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3008 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3008 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\zY9sqWs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 1040
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | joyfulhezart.tech | udp |
| US | 8.8.8.8:53 | hardswarehub.today | udp |
| US | 8.8.8.8:53 | gadgethgfub.icu | udp |
| US | 104.21.95.173:443 | gadgethgfub.icu | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win7-20241010-en
Max time kernel
141s
Max time network
130s
Command Line
Signatures
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Socks5Systemz
Socks5systemz family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\infinity.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\infinity.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value not shown) | C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value not shown) | C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\infinity.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\infinity.exe"
C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp" /SL5="$5014E,3457933,56832,C:\Users\Admin\AppData\Local\Temp\quarantine\infinity.exe"
C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
"C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe" -i
Network
| Country | Destination | Domain | Proto |
| RU | 176.113.115.96:443 | 176.113.115.96 | tcp |
Files
memory/1600-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/1600-0-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-FCQ1I.tmp\infinity.tmp
| MD5 | a68e919aa98af0107e6c6c200955ef9c |
| SHA1 | c48fc16fab8ab5f59c2619fad6c14c676faee68b |
| SHA256 | 8577c42c652797ce0b766cac8e82f0c35b78c24da42a56a0ae5e0fab3353e3f5 |
| SHA512 | 183bc84d30d16a27ef509eb8fa75ee5687623825825ead596f3dfa6b84e4eb96d1495d54707ef8894e536d0e75717d0baade380b3a9f9a957606d62347de6d99 |
memory/1864-8-0x0000000000400000-0x00000000004BD000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-M2SR8.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-M2SR8.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
| MD5 | b613d3d4eadea3e65bee9f920ffa88a2 |
| SHA1 | 121451a5d4f2c49d3a194992c4418cf130f6ea74 |
| SHA256 | 21586cff912594096a699b483df4438523422e97f0d0c47e59a8da2bc4204dcf |
| SHA512 | 19c22fd7b322b65eda1ca75b4de281c22727b090a38181ff8c483660e6da071362258a79aee3f7ea01cca4c25bbbeab0ccc4857fb8abab9da412f9fa7c3065b4 |
C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
memory/1864-49-0x0000000003BE0000-0x0000000003ECB000-memory.dmp
memory/2940-50-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-51-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/1864-55-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1600-56-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2940-59-0x0000000060900000-0x0000000060992000-memory.dmp
memory/2940-58-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-62-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-66-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-70-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-74-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-78-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-80-0x0000000002A10000-0x0000000002AB0000-memory.dmp
memory/2940-85-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/1864-87-0x0000000003BE0000-0x0000000003ECB000-memory.dmp
memory/2940-90-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-94-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-98-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-102-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-106-0x0000000000400000-0x00000000006EB000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
memory/2940-148-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/2940-152-0x0000000000400000-0x00000000006EB000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win7-20240903-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NhNotifSys\Z9A6Elb8S.bin | N/A |
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\NhNotifSys\Z9A6Elb8S.bin | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\7UlMpzX.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\7UlMpzX.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe
"C:/Users/Admin/AppData/Local/Microsoft/ShellKernelBridge.exe"
C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe
"C:/Users/Admin/AppData/Roaming/Oracle/VirtualBoxNetworkBridge.exe"
C:\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe
"C:/Users/Admin/AppData/Local/DriverStore/winDriverChipsetService.exe"
C:\Users\Admin\AppData\Local\NhNotifSys\Z9A6Elb8S.bin
"C:\Users\Admin\AppData\Local\NhNotifSys\Z9A6Elb8S.bin"
Network
| Country | Destination | Domain | Proto |
| SE | 77.239.121.5:1668 | | tcp |
| SE | 77.239.121.5:1668 | | tcp |
| SE | 77.239.121.5:1668 | | tcp |
| SE | 77.239.121.5:1668 | | tcp |
| SE | 77.239.121.5:1668 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
| MD5 | 73913f6963f89dbf98c4f716ee545b8f |
| SHA1 | c343d9b82c0680131ded13626029b65092276486 |
| SHA256 | fadbefdced9db4132541cca2fdb0a8da8d35757900150404c626cae9ab81d61a |
| SHA512 | ccd744dad29ff8e98e7370cbb5f23b2a2f3b6c51f6afb12c2f84e85a1b71a7393ece650d26862569b0190d71a2e53a49f3b85b386fa3214fc4fa03300be80df2 |
\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
| MD5 | 37af0a4faa5b323e4cb04bdbd8cca117 |
| SHA1 | 4aaa6e6994e4ef5f55a155a6c561a3873c2b8e84 |
| SHA256 | 61a30d43b723b8b2921bc7016325b45b0c055cb28ba83b1364164a4a3df6206f |
| SHA512 | 0a6e993e51fd9383c9e813145e8004892618156d45b94741dcf7cf9814214d7c8f8fca295dc639431098758dbd5e241980502f18ca2838c505cce4d0c4c32422 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\libcrypto-3-x64.dll
| MD5 | 8d9dc42ffefe2b3443add056784c98fb |
| SHA1 | c2a97d2a372e4badacac196a1f6bcbecdcd35940 |
| SHA256 | d45ff6fdb2911d07efc3d47a2e0298534eab617d63e9eebd358d1686ed0992aa |
| SHA512 | e04e07e7c7a8f9b9b98ca0e94767a64808295290a936b50786e06f6a65207dd6ee4fd423bc3e1639186005767e0522c3dd7ba23ac0cbe50116249717fd6c3b83 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\VCRUNTIME140.dll
| MD5 | 7af17bfd24be72d5376c9c5ce86bef54 |
| SHA1 | 23bf5fa4c467f28990cc878ef945f9f5db616b75 |
| SHA256 | bf28f4d89ea74cb5cecbf42b951bf0629d71efa6525cc58aee71aa5e06f1198a |
| SHA512 | 0783c5dae87f110cc9bb61355c92c4ef3a96f484bbce6354d7f4130bb92ffb655974fcac4fe11c8923dd81ddade7fa92c8e3d9c43d0a3d0a24dd3d30e626fb5e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\msvcp140.dll
| MD5 | d424100821374848f3c22d0acd55ad69 |
| SHA1 | 8e4f879faece2d5171b3d398202c74b7286c50b1 |
| SHA256 | a6e45d08e347eddc955e5074354fc9e98a48ee75587b73a18d01943527cf05a8 |
| SHA512 | f78085cbba49c4c2c4441d1483e63e9222ec5b4282b89c1e0c1ea0790972e5de452f82e61ceae7324c7466d33b9a5fc6224594cf574068c69bf949e94fb86ae6 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\vcruntime140_1.dll
| MD5 | e2520906be67a9bde01ebe9e0a53aab5 |
| SHA1 | 9a9e445a47508ba5e1126791a863107060d258a1 |
| SHA256 | fd8ee0936d0380962830e9c1a132b8b7bf25084cb342bb064f699a2daa343bc4 |
| SHA512 | 6616df46da37f656ac3e1fe7b371792b249e3ff97f2cbcefc19e7854e384aba88f63e7afc7c81ba14d3d15d309146986b23e25c071f4d0150429009de110e9c5 |
\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe
| MD5 | 190087de930ce9c533c4604443f5cabd |
| SHA1 | 55d528b565c618d85498ad3fd985dedcb2ed69ae |
| SHA256 | 48ce94f595dd7a5749abac13bc30acc30c7136aa315f227dafd99d659bb04d36 |
| SHA512 | 264bf65deba869e179035eb19d7da6127a718c50a2d70f90b3f03de1167b82d27549811dc0a6cd4947fae8107d94de0a9e32685e3735208e6005576c641e073e |
C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe
| MD5 | 71fab897d51e93631b6f713dc0bc2c1d |
| SHA1 | bff7f15042cb21d985fa128bf64406b755b8a2ae |
| SHA256 | 6a3764bee4d71c38181689ebc31fa2e78c268b43aff50bd07d0002429a4f49d9 |
| SHA512 | 40b1de1a05ab68aea8bf83fe2f46ee795add6d788dc6fb4a8628481f22db7fa200729c002eca6c08b496ed747e8f96380e8f3b7f843f4ec915d1a669bba9a8e7 |
\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe
| MD5 | 264b039e4b1a2357945ef11b21d8e0e2 |
| SHA1 | 048ac96891a2c27606b020c48a48f3af1691f95a |
| SHA256 | a265f252b49514cfeadbe0b707ca2bb49147040b1893f9b8ddc81d2746bb6c9b |
| SHA512 | 4fa9d3a02d0d893e5de9f1661be0e759f4c57dce479d0126050c4baf24f9bd0cc5de6cb297a11668fdbb6801bdf90293402eac7027c228f5ba09f4f25f75a517 |
C:\Users\Admin\AppData\Local\NhNotifSys\Z9A6Elb8S.bin
| MD5 | 7e34d2d140ef1a30edc86f38740ac4dc |
| SHA1 | c24ebc49edc449c1d13654af4250ba068a02e40c |
| SHA256 | 6f4c245f3f7f2b591f8e8ef254e017b99a6b6c9381bfe0b16e2bde0170d242be |
| SHA512 | d26fc00bf161127d9ce83708b18a2dee1d85f94ca7f4cd065a2153ab9c7754926851211ca643e0cd330dece4c86ca4ac01abfac26bd72933d84b51f51c3f4ec9 |
C:\Users\Admin\AppData\Local\NhNotifSys\config.json
| MD5 | 93fd8b513a142f97037826e300804f60 |
| SHA1 | 07f061d4748e7daf66ae37e8503bfe5db598af0e |
| SHA256 | f87865e5bd6b4419f4c8ea682bcbbbabcc029eefad1381b181e79324f202aea4 |
| SHA512 | f7511023530e1466b50b98a8f21ff0f23af94be3c5c6d23ab00ed1de618ef255eda3eee59165d7e2f1474dcf650a2bbac7592860202a6389d0971d322b8b64e3 |
memory/2112-61-0x0000000000080000-0x00000000000A0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:48
Platform
win10v2004-20250217-en
Max time kernel
94s
Max time network
147s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1136 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\JCFx2xj.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\JCFx2xj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133855227802341541" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\JCFx2xj.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\JCFx2xj.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc5fa8cc40,0x7ffc5fa8cc4c,0x7ffc5fa8cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1740 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2120 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2196 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3184 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3168 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4588,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4620 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4512 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3868,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4180 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4480,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4600 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4476 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4880 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4776 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5100,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4600 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5008,i,4874511964245941870,11521268272381956086,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4844 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5fa946f8,0x7ffc5fa94708,0x7ffc5fa94718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,8012300223218389567,11856551733256784793,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,8012300223218389567,11856551733256784793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,8012300223218389567,11856551733256784793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1960,8012300223218389567,11856551733256784793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1960,8012300223218389567,11856551733256784793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1960,8012300223218389567,11856551733256784793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1960,8012300223218389567,11856551733256784793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\glf3e" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
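The process list above carries three behaviours that can be alerted on from process-creation telemetry alone: chrome.exe and msedge.exe launched with --remote-debugging-port=9223 (the "Uses browser remote debugging" signature), the signed BitLockerToGo.exe started by the Temp-resident JCFx2xj.exe (the SetThreadContext target from the signature table), and the cmd.exe "timeout /t 11 & rd /s /q" cleanup. The following Python is an added example, not part of this report or of any sandbox's own detection logic. The sample events are constructed; the parent/child pairings in them are an assumption drawn from the SetThreadContext signature and the command lines, since the report prints a flat process list rather than a tree.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe"}
# Signed Windows binary that JCFx2xj.exe targeted with SetThreadContext in this
# run; extend with other commonly abused hosts as needed.
INJECTION_HOSTS = {"bitlockertogo.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
DELAYED_DELETE = re.compile(r"timeout\s+/t\s+\d+\s*&\s*rd\s+/s\s+/q\s+", re.I)

# Constructed process-creation events modelled on the behavioral6 process list.
# Parent attribution is an assumption (see lead-in); the last event is a benign
# control: a user opening Chrome from Explorer.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\Admin\AppData\Local\Temp\quarantine\JCFx2xj.exe",
     "image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "cmdline": r'"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"'},
    {"parent": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"'},
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9223 --lang=en-US'},
    {"parent": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\glf3e" & exit'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_browser_remote_debugging(ev):
    """Top-level browser launch carrying --remote-debugging-port from a foreign parent."""
    image = basename(ev["image"])
    if image not in BROWSERS or "--type=" in ev["cmdline"]:
        return None  # renderer/gpu/utility children inherit the flag; ignore them
    m = re.search(r"--remote-debugging-port=(\d+)", ev["cmdline"])
    if not m or basename(ev["parent"]) == image:
        return None
    return f"{image} started with DevTools remote debugging on port {m.group(1)} by {ev['parent']}"


def rule_injection_host(ev):
    """Signed system binary spawned from a user-writable path (hollowing candidate)."""
    if basename(ev["image"]) in INJECTION_HOSTS and USER_WRITABLE.search(ev["parent"]):
        return f"{basename(ev['image'])} spawned by {ev['parent']} (user-writable parent)"
    return None


def rule_delayed_cleanup(ev):
    """cmd.exe sleeping with timeout and then recursively deleting a directory."""
    if basename(ev["image"]) == "cmd.exe" and DELAYED_DELETE.search(ev["cmdline"]):
        return f"delayed directory wipe: {ev['cmdline']}"
    return None


RULES = {
    "browser_remote_debugging": rule_browser_remote_debugging,
    "injection_host": rule_injection_host,
    "delayed_cleanup": rule_delayed_cleanup,
}


def scan(events):
    """Return [(rule_name, message)] for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            msg = rule(ev)
            if msg:
                hits.append((name, msg))
    return hits


if __name__ == "__main__":
    for name, msg in scan(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The browser rule deliberately ignores child processes (--type=renderer, gpu-process, utility) because they inherit the flag from the top-level browser, as the renderer lines above show; alerting on those would only multiply the same event. A browser launched with the flag by the user's own shell is also ignored here, so a tighter rule would additionally require a parent outside the usual launch paths.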
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | d.mx.goldenloafuae.com | udp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | e6.o.lencr.org | udp |
| GB | 2.18.190.206:80 | e6.o.lencr.org | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.206:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 142.250.179.225:443 | clients2.googleusercontent.com | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.178.10:443 | ogads-pa.googleapis.com | udp |
| GB | 216.58.201.110:443 | apis.google.com | udp |
| GB | 142.250.178.10:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.200.46:443 | play.google.com | udp |
| GB | 142.250.200.46:443 | play.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 40.69.147.202:443 | nw-umwatson.events.data.microsoft.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
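The Network table above mixes Chrome/Edge and Windows background traffic (bing, google, the lencr.org OCSP responder, Watson telemetry) with the connections that matter for this sample: t.me, the repeated TLS sessions to d.mx.goldenloafuae.com on 95.217.27.252, and the loopback connections to 127.0.0.1:9223, the port the browsers were given with --remote-debugging-port. The following is an added example, not from the report or any sandbox: a small triage script that parses rows in the table's format, tolerates rows whose Domain column is empty (including the layout where the protocol slides into that column), splits out DNS and loopback DevTools traffic, drops an allowlist of infrastructure destinations, and counts what is left. The allowlist is an assumption for this sample only, not a general reputation list, and the sample rows are constructed from the table.

```python
from collections import Counter

# Sample rows in the report's table format (constructed from the behavioral6
# Network table; one row is deliberately in the shifted layout "| ... | udp | |"
# that occurs when the Domain column is empty).
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | d.mx.goldenloafuae.com | udp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| FI | 95.217.27.252:443 | d.mx.goldenloafuae.com | tcp |
| US | 8.8.8.8:53 | e6.o.lencr.org | udp |
| GB | 2.18.190.206:80 | e6.o.lencr.org | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 40.69.147.202:443 | nw-umwatson.events.data.microsoft.com | tcp |
"""

# Assumed allowlist for this sample only: browser/OS background traffic seen in
# the run, not a general reputation list.
BENIGN_SUFFIXES = ("bing.net", "bing.com", "google.com", "googleusercontent.com",
                   "googleapis.com", "lencr.org", "microsoft.com")
INFRA_IPS = {"8.8.8.8", "224.0.0.251"}  # sandbox resolver and mDNS


def parse_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        cells += [""] * (4 - len(cells))
        country, dest, domain, proto = cells[:4]
        if domain.lower() in ("tcp", "udp") and not proto:
            domain, proto = "", domain  # protocol slid into the Domain column
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_allowlisted(row):
    if row["host"] in INFRA_IPS:
        return True
    d = row["domain"]
    return any(d == s or d.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage(rows, debug_port):
    """Split the table into loopback DevTools traffic, DNS, allowlisted and the rest."""
    report = {"candidate_c2": Counter(), "loopback_debug": 0,
              "dns_lookups": Counter(), "allowlisted": 0}
    for r in rows:
        if r["host"].startswith("127.") and r["port"] == debug_port:
            report["loopback_debug"] += 1
        elif r["port"] == 53 and r["proto"] == "udp":
            report["dns_lookups"][r["domain"]] += 1
        elif is_allowlisted(r):
            report["allowlisted"] += 1
        else:
            report["candidate_c2"][(r["domain"], f'{r["host"]}:{r["port"]}')] += 1
    return report


if __name__ == "__main__":
    rep = triage(parse_rows(NETWORK_ROWS), debug_port=9223)
    print("loopback connections to DevTools port:", rep["loopback_debug"])
    for (domain, dest), n in rep["candidate_c2"].most_common():
        print(f"{n:3d}x {domain or '-'} -> {dest}")
```

Note that the UDP rows on port 443 to Google hosts are QUIC, which Chrome uses by default, so a rule that treats "udp to 443" as anomalous would fire on the browser's own traffic; the allowlist, not the protocol, is what separates it here. The residual two destinations are exactly the ones a responder would pivot on: the t.me fetch that precedes the goldenloafuae connections and the host that receives the bulk of the TLS sessions.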
Files
memory/2484-0-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-16-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-19-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-23-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-28-0x0000000000400000-0x0000000000429000-memory.dmp
\??\pipe\crashpad_852_CVVCWNEBYXZMJKHA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2484-36-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\scoped_dir852_906816940\658fb963-d511-4569-8be0-9089c9735034.tmp
| MD5 | eae462c55eba847a1a8b58e58976b253 |
| SHA1 | 4d7c9d59d6ae64eb852bd60b48c161125c820673 |
| SHA256 | ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad |
| SHA512 | 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir852_906816940\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | dda19db8afa3ff0d70ff8c944b1c41e3 |
| SHA1 | 59c6fc1121e26ebb8d39c68cbaab658deba7a41f |
| SHA256 | 576769283b884aa7dcadd004121a863c0ea55f810c70c2596192bd41c2eeafcd |
| SHA512 | ce4f65da59b817756e23a2094594162823e0b68f444021c975de056eb457352f6a8421fc0744258a6258167db165b1672caf89d3f2df3a8622a7050a8298a0f0 |
memory/2484-458-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-459-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-460-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-461-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f09c5037ff47e75546f2997642cac037 |
| SHA1 | 63d599921be61b598ef4605a837bb8422222bef2 |
| SHA256 | ba61197fff5ed487084790b869045ab41830bdf6db815503e8e064dd4e4df662 |
| SHA512 | 280bff6eac4b2b4fe515696223f61531f6b507c4c863ad9eef5ab0b1d65d264eba74fb7c9314b6920922142b8ab7605792211fca11a9a9ef0fc2ae995bf4f473 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 010f6dd77f14afcb78185650052a120d |
| SHA1 | 76139f0141fa930b6460f3ca6f00671b4627dc98 |
| SHA256 | 80321891fd7f7c02dd4be4e5be09f8e57d49e076c750f8deb300be8f600de2d7 |
| SHA512 | 6e6c9e348e948b946cfb97478698423e1272c4417bc8540e5daa64858e28be8fda5baf28538aee849f8bb409c17a51c60e48a3f1793e3a86cb27edeb32aa30a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dc2a4ac9-ee25-4140-8ba6-a01fd083cc70.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 91d92ec8fe699fc5da06abdc87983197 |
| SHA1 | 5f55c804b6d9d021735b03cc9f2e551ee4943233 |
| SHA256 | a335ba8ec1b3d1461e343868275425e3dda8c3886a1b0dd6f89397449c524b55 |
| SHA512 | 5fb40d0ba7f6b2a1aaf75485313627911329d59a8261898d287dad496e09db98d1d828de6a5cafdc29a234745e38405f1a800c3bc5f476634c3516bed3510c89 |
memory/2484-495-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-499-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-496-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-503-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-504-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-508-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-513-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-514-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-520-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-521-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-522-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-523-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-524-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-525-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-526-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2484-529-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2496 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2496 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2496 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2496 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\UBiTCuj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 144
Network
Files
memory/2496-0-0x0000000000A90000-0x000000000117E000-memory.dmp
memory/2496-1-0x0000000001138000-0x0000000001139000-memory.dmp
memory/2496-2-0x0000000000A90000-0x000000000117E000-memory.dmp
memory/2496-3-0x0000000000A90000-0x000000000117E000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win7-20250207-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge Protect = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinTemp\\Microsoft Edge Protect.exe\"" | C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\bPDDW9F.exe"
C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe
"C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe"
C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe
"C:\Users\Admin\AppData\Local\Temp\WinTemp\Microsoft Edge Protect.exe"
Network
| Country | Destination | Domain | Proto |
| FI | 135.181.76.95:80 | 135.181.76.95 | tcp |
Files
memory/1284-1-0x000000013FC80000-0x000000013FDD0000-memory.dmp
memory/1284-105-0x000000013FC80000-0x000000013FDD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI30202\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Africa\Conakry
| MD5 | 796a57137d718e4fa3db8ef611f18e61 |
| SHA1 | 23f0868c618aee82234605f5a0002356042e9349 |
| SHA256 | f3e7fcaa0e9840ff4169d3567d8fb5926644848f4963d7acf92320843c5d486e |
| SHA512 | 64a8de7d9e2e612a6e9438f2de598b11fecc5252052d92278c96dd6019abe7465e11c995e009dfbc76362080217e9df9091114bdbd1431828842348390cb997b |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Africa\Djibouti
| MD5 | fe54394a3dcf951bad3c293980109dd2 |
| SHA1 | 4650b524081009959e8487ed97c07a331c13fd2d |
| SHA256 | 0783854f52c33ada6b6d2a5d867662f0ae8e15238d2fce7b9ada4f4d319eb466 |
| SHA512 | fe4cf1dd66ae0739f1051be91d729efebde5459967bbe41adbdd3330d84d167a7f8db6d4974225cb75e3b2d207480dfb3862f2b1dda717f33b9c11d33dcac418 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Africa\Kigali
| MD5 | a87061b72790e27d9f155644521d8cce |
| SHA1 | 78de9718a513568db02a07447958b30ed9bae879 |
| SHA256 | fd4a97368230a89676c987779510a9920fe8d911fa065481536d1048cd0f529e |
| SHA512 | 3f071fd343d4e0f5678859c4f7f48c292f8b9a3d62d1075938c160142defd4f0423d8f031c95c48119ac71f160c9b6a02975841d49422b61b542418b8a63e441 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Africa\Lagos
| MD5 | 89de77d185e9a76612bd5f9fb043a9c2 |
| SHA1 | 0c58600cb28c94c8642dedb01ac1c3ce84ee9acf |
| SHA256 | e5ef1288571cc56c5276ca966e1c8a675c6747726d758ecafe7effce6eca7be4 |
| SHA512 | e2fb974fa770639d56edc5f267306be7ee9b00b9b214a06739c0dad0403903d8432e1c7b9d4322a8c9c31bd1faa8083e262f9d851c29562883ca3933e01d018c |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\America\Curacao
| MD5 | 92d3b867243120ea811c24c038e5b053 |
| SHA1 | ade39dfb24b20a67d3ac8cc7f59d364904934174 |
| SHA256 | abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d |
| SHA512 | 1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\America\Toronto
| MD5 | 3fa8a9428d799763fa7ea205c02deb93 |
| SHA1 | 222b74b3605024b3d9ed133a3a7419986adcc977 |
| SHA256 | 815ab4db7a1b1292867d2f924b718e1bba32455ce9f92205db2feb65029c6761 |
| SHA512 | 107a4dbb64107f781e3ed17b505baea28d4ca6683c2b49d146dda41c28ca3f9c307809ed938e4152011e199a7be6913de6f7b78cafe8ef300dc3034397945238 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Etc\Greenwich
| MD5 | e7577ad74319a942781e7153a97d7690 |
| SHA1 | 91d9c2bf1cbb44214a808e923469d2153b3f9a3f |
| SHA256 | dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7 |
| SHA512 | b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Europe\London
| MD5 | d111147703d04769072d1b824d0ddc0c |
| SHA1 | 0c99c01cad245400194d78f9023bd92ee511fbb1 |
| SHA256 | 676541f0b8ad457c744c093f807589adcad909e3fd03f901787d08786eedbd33 |
| SHA512 | 21502d194dfd89ac66f3df6610cb7725936f69faafb6597d4c22cec9d5e40965d05dd7111de9089bc119ec2b701fea664d3cb291b20ae04d59bcbd79e681d07a |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Europe\Oslo
| MD5 | 2577d6d2ba90616ca47c8ee8d9fbca20 |
| SHA1 | e8f7079796d21c70589f90d7682f730ed236afd4 |
| SHA256 | a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7 |
| SHA512 | f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Europe\Skopje
| MD5 | a4ac1780d547f4e4c41cab4c6cf1d76d |
| SHA1 | 9033138c20102912b7078149abc940ea83268587 |
| SHA256 | a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6 |
| SHA512 | 7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\PRC
| MD5 | dff9cd919f10d25842d1381cdff9f7f7 |
| SHA1 | 2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f |
| SHA256 | bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a |
| SHA512 | c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Pacific\Yap
| MD5 | bcf8aa818432d7ae244087c7306bcb23 |
| SHA1 | 5a91d56826d9fc9bc84c408c581a12127690ed11 |
| SHA256 | 683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19 |
| SHA512 | d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\Pacific\Wallis
| MD5 | ba8d62a6ed66f462087e00ad76f7354d |
| SHA1 | 584a5063b3f9c2c1159cebea8ea2813e105f3173 |
| SHA256 | 09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e |
| SHA512 | 9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\tzdata\zoneinfo\UCT
| MD5 | 51d8a0e68892ebf0854a1b4250ffb26b |
| SHA1 | b3ea2db080cd92273d70a8795d1f6378ac1d2b74 |
| SHA256 | fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93 |
| SHA512 | 4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78 |
C:\Users\Admin\AppData\Local\Temp\_MEI30202\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
\Users\Admin\AppData\Local\Temp\_MEI30202\python312.dll
| MD5 | d521654d889666a0bc753320f071ef60 |
| SHA1 | 5fd9b90c5d0527e53c199f94bad540c1e0985db6 |
| SHA256 | 21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2 |
| SHA512 | 7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3 |
\Users\Admin\AppData\Local\Temp\_MEI30202\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
\Users\Admin\AppData\Local\Temp\_MEI30202\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | d12403ee11359259ba2b0706e5e5111c |
| SHA1 | 03cc7827a30fd1dee38665c0cc993b4b533ac138 |
| SHA256 | f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781 |
| SHA512 | 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0 |
\Users\Admin\AppData\Local\Temp\_MEI30202\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1c58526d681efe507deb8f1935c75487 |
| SHA1 | 0e6d328faf3563f2aae029bc5f2272fb7a742672 |
| SHA256 | ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2 |
| SHA512 | 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1 |
\Users\Admin\AppData\Local\Temp\_MEI30202\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 517eb9e2cb671ae49f99173d7f7ce43f |
| SHA1 | 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab |
| SHA256 | 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54 |
| SHA512 | 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be |
\Users\Admin\AppData\Local\Temp\_MEI30202\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 724223109e49cb01d61d63a8be926b8f |
| SHA1 | 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b |
| SHA256 | 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210 |
| SHA512 | 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c |
memory/1284-1572-0x000000013FC80000-0x000000013FDD0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win10v2004-20250217-en
Max time kernel
125s
Max time network
145s
Command Line
Signatures
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | socialsscesforum.icu | udp |
| US | 172.67.222.46:443 | socialsscesforum.icu | tcp |
| US | 172.67.222.46:443 | socialsscesforum.icu | tcp |
| US | 172.67.222.46:443 | socialsscesforum.icu | tcp |
| US | 172.67.222.46:443 | socialsscesforum.icu | tcp |
| US | 172.67.222.46:443 | socialsscesforum.icu | tcp |
| US | 172.67.222.46:443 | socialsscesforum.icu | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4876-1-0x0000000000870000-0x0000000000970000-memory.dmp
memory/4876-2-0x0000000000DD0000-0x0000000000E35000-memory.dmp
memory/4876-7-0x0000000000870000-0x0000000000970000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:48
Platform
win10v2004-20250217-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\solax\tuwct.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\solax\tuwct.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\solax\tuwct.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\solax\tuwct.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\ProgramData\solax\tuwct.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| N/A | N/A | C:\ProgramData\solax\tuwct.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\solax\tuwct.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe | N/A |
| N/A | N/A | C:\ProgramData\solax\tuwct.exe | N/A |
| N/A | N/A | C:\ProgramData\solax\tuwct.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe"
C:\ProgramData\solax\tuwct.exe
C:\ProgramData\solax\tuwct.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
Files
memory/3212-0-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-1-0x00000000773A4000-0x00000000773A6000-memory.dmp
memory/3212-2-0x0000000000401000-0x0000000000403000-memory.dmp
memory/3212-3-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-6-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-7-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-8-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-9-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-10-0x0000000000400000-0x0000000000856000-memory.dmp
C:\ProgramData\solax\tuwct.exe
| MD5 | efac52cc9304919d4f9e49c56bdbd484 |
| SHA1 | 68e90fd0a473ba822bb4f708d718afcbbd660850 |
| SHA256 | e903bd6ec4817fca7a718b770d6d6a509c7e522cbebb41bd26e48bfe009d0510 |
| SHA512 | 9185437c21c56772d3dd7172269b3569380b518e78c8cb9dcf947968476d4d79beb2aeb31da66d3736a2a0f3be88d3caf86d9ba79c59608aaca196c409466ada |
memory/4568-13-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-14-0x0000000000400000-0x0000000000856000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | a02f4af5d3ed84a4781645feb7569069 |
| SHA1 | 4ee8a79ee65a554378093162b261391b63731e17 |
| SHA256 | 256175e76f243996362a4e5481e3b5d2a6b75a17f1970d158d37ccdaaaa283ea |
| SHA512 | a0650a0bd4493748d066c668f15c958bcdeb778ed0a4945fc24ec439e7a06808c1115c075a80b66865d43180e1313811e6d7dac8cbb43bf1e0c18aa69b49fcf4 |
memory/4568-16-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-17-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-18-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-19-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-20-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-21-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-22-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-23-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-24-0x0000000000400000-0x0000000000856000-memory.dmp
memory/3212-26-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-27-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-28-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-29-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-30-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-31-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-32-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-33-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-34-0x0000000000400000-0x0000000000856000-memory.dmp
memory/4568-35-0x0000000000400000-0x0000000000856000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:48
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NhNotifSys\yn7B9ZD53.bin | N/A |
Loads dropped DLL
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f | C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (blob data elided) | C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (blob data elided) | C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\NhNotifSys\yn7B9ZD53.bin | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\7UlMpzX.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\7UlMpzX.exe"
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe
"C:/Users/Admin/AppData/Local/Microsoft/ShellKernelBridge.exe"
C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe
"C:/Users/Admin/AppData/Roaming/Oracle/VirtualBoxNetworkBridge.exe"
C:\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe
"C:/Users/Admin/AppData/Local/DriverStore/winDriverChipsetService.exe"
C:\Users\Admin\AppData\Local\NhNotifSys\yn7B9ZD53.bin
"C:\Users\Admin\AppData\Local\NhNotifSys\yn7B9ZD53.bin"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| SE | 77.239.121.5:1668 | N/A | tcp |
| SE | 77.239.121.5:1668 | N/A | tcp |
| SE | 77.239.121.5:1668 | N/A | tcp |
| SE | 77.239.121.5:1668 | N/A | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| SE | 77.239.121.5:1668 | N/A | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
| MD5 | 73913f6963f89dbf98c4f716ee545b8f |
| SHA1 | c343d9b82c0680131ded13626029b65092276486 |
| SHA256 | fadbefdced9db4132541cca2fdb0a8da8d35757900150404c626cae9ab81d61a |
| SHA512 | ccd744dad29ff8e98e7370cbb5f23b2a2f3b6c51f6afb12c2f84e85a1b71a7393ece650d26862569b0190d71a2e53a49f3b85b386fa3214fc4fa03300be80df2 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
| MD5 | 37af0a4faa5b323e4cb04bdbd8cca117 |
| SHA1 | 4aaa6e6994e4ef5f55a155a6c561a3873c2b8e84 |
| SHA256 | 61a30d43b723b8b2921bc7016325b45b0c055cb28ba83b1364164a4a3df6206f |
| SHA512 | 0a6e993e51fd9383c9e813145e8004892618156d45b94741dcf7cf9814214d7c8f8fca295dc639431098758dbd5e241980502f18ca2838c505cce4d0c4c32422 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\libcrypto-3-x64.dll
| MD5 | 8d9dc42ffefe2b3443add056784c98fb |
| SHA1 | c2a97d2a372e4badacac196a1f6bcbecdcd35940 |
| SHA256 | d45ff6fdb2911d07efc3d47a2e0298534eab617d63e9eebd358d1686ed0992aa |
| SHA512 | e04e07e7c7a8f9b9b98ca0e94767a64808295290a936b50786e06f6a65207dd6ee4fd423bc3e1639186005767e0522c3dd7ba23ac0cbe50116249717fd6c3b83 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\vcruntime140.dll
| MD5 | 7af17bfd24be72d5376c9c5ce86bef54 |
| SHA1 | 23bf5fa4c467f28990cc878ef945f9f5db616b75 |
| SHA256 | bf28f4d89ea74cb5cecbf42b951bf0629d71efa6525cc58aee71aa5e06f1198a |
| SHA512 | 0783c5dae87f110cc9bb61355c92c4ef3a96f484bbce6354d7f4130bb92ffb655974fcac4fe11c8923dd81ddade7fa92c8e3d9c43d0a3d0a24dd3d30e626fb5e |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\msvcp140.dll
| MD5 | d424100821374848f3c22d0acd55ad69 |
| SHA1 | 8e4f879faece2d5171b3d398202c74b7286c50b1 |
| SHA256 | a6e45d08e347eddc955e5074354fc9e98a48ee75587b73a18d01943527cf05a8 |
| SHA512 | f78085cbba49c4c2c4441d1483e63e9222ec5b4282b89c1e0c1ea0790972e5de452f82e61ceae7324c7466d33b9a5fc6224594cf574068c69bf949e94fb86ae6 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\vcruntime140_1.dll
| MD5 | e2520906be67a9bde01ebe9e0a53aab5 |
| SHA1 | 9a9e445a47508ba5e1126791a863107060d258a1 |
| SHA256 | fd8ee0936d0380962830e9c1a132b8b7bf25084cb342bb064f699a2daa343bc4 |
| SHA512 | 6616df46da37f656ac3e1fe7b371792b249e3ff97f2cbcefc19e7854e384aba88f63e7afc7c81ba14d3d15d309146986b23e25c071f4d0150429009de110e9c5 |
C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe
| MD5 | 190087de930ce9c533c4604443f5cabd |
| SHA1 | 55d528b565c618d85498ad3fd985dedcb2ed69ae |
| SHA256 | 48ce94f595dd7a5749abac13bc30acc30c7136aa315f227dafd99d659bb04d36 |
| SHA512 | 264bf65deba869e179035eb19d7da6127a718c50a2d70f90b3f03de1167b82d27549811dc0a6cd4947fae8107d94de0a9e32685e3735208e6005576c641e073e |
C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe
| MD5 | 71fab897d51e93631b6f713dc0bc2c1d |
| SHA1 | bff7f15042cb21d985fa128bf64406b755b8a2ae |
| SHA256 | 6a3764bee4d71c38181689ebc31fa2e78c268b43aff50bd07d0002429a4f49d9 |
| SHA512 | 40b1de1a05ab68aea8bf83fe2f46ee795add6d788dc6fb4a8628481f22db7fa200729c002eca6c08b496ed747e8f96380e8f3b7f843f4ec915d1a669bba9a8e7 |
C:\Users\Admin\AppData\Local\NhNotifSys\yn7B9ZD53.bin
| MD5 | 7e34d2d140ef1a30edc86f38740ac4dc |
| SHA1 | c24ebc49edc449c1d13654af4250ba068a02e40c |
| SHA256 | 6f4c245f3f7f2b591f8e8ef254e017b99a6b6c9381bfe0b16e2bde0170d242be |
| SHA512 | d26fc00bf161127d9ce83708b18a2dee1d85f94ca7f4cd065a2153ab9c7754926851211ca643e0cd330dece4c86ca4ac01abfac26bd72933d84b51f51c3f4ec9 |
C:\Users\Admin\AppData\Local\NhNotifSys\config.json
| MD5 | 93fd8b513a142f97037826e300804f60 |
| SHA1 | 07f061d4748e7daf66ae37e8503bfe5db598af0e |
| SHA256 | f87865e5bd6b4419f4c8ea682bcbbbabcc029eefad1381b181e79324f202aea4 |
| SHA512 | f7511023530e1466b50b98a8f21ff0f23af94be3c5c6d23ab00ed1de618ef255eda3eee59165d7e2f1474dcf650a2bbac7592860202a6389d0971d322b8b64e3 |
memory/4120-58-0x0000028EE7240000-0x0000028EE7260000-memory.dmp
C:\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe
| MD5 | 264b039e4b1a2357945ef11b21d8e0e2 |
| SHA1 | 048ac96891a2c27606b020c48a48f3af1691f95a |
| SHA256 | a265f252b49514cfeadbe0b707ca2bb49147040b1893f9b8ddc81d2746bb6c9b |
| SHA512 | 4fa9d3a02d0d893e5de9f1661be0e759f4c57dce479d0126050c4baf24f9bd0cc5de6cb297a11668fdbb6801bdf90293402eac7027c228f5ba09f4f25f75a517 |
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win7-20240903-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe"
Network
Files
memory/2280-0-0x000000013F160000-0x000000013F30E000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win10v2004-20250217-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Socks5Systemz
Socks5systemz family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-54376.tmp\infinity.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-54376.tmp\infinity.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | N/A |
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\infinity.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-54376.tmp\infinity.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-54376.tmp\infinity.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-54376.tmp\infinity.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-54376.tmp\infinity.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\infinity.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\infinity.exe"
C:\Users\Admin\AppData\Local\Temp\is-54376.tmp\infinity.tmp
"C:\Users\Admin\AppData\Local\Temp\is-54376.tmp\infinity.tmp" /SL5="$802CE,3457933,56832,C:\Users\Admin\AppData\Local\Temp\quarantine\infinity.exe"
C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
"C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe" -i
Network
| Country | Destination | Domain | Proto |
| GB | 95.100.195.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| RU | 176.113.115.96:443 | 176.113.115.96 | tcp |
Files
memory/2676-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/2676-0-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-54376.tmp\infinity.tmp
| MD5 | a68e919aa98af0107e6c6c200955ef9c |
| SHA1 | c48fc16fab8ab5f59c2619fad6c14c676faee68b |
| SHA256 | 8577c42c652797ce0b766cac8e82f0c35b78c24da42a56a0ae5e0fab3353e3f5 |
| SHA512 | 183bc84d30d16a27ef509eb8fa75ee5687623825825ead596f3dfa6b84e4eb96d1495d54707ef8894e536d0e75717d0baade380b3a9f9a957606d62347de6d99 |
memory/952-6-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-GV3I6.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
| MD5 | b613d3d4eadea3e65bee9f920ffa88a2 |
| SHA1 | 121451a5d4f2c49d3a194992c4418cf130f6ea74 |
| SHA256 | 21586cff912594096a699b483df4438523422e97f0d0c47e59a8da2bc4204dcf |
| SHA512 | 19c22fd7b322b65eda1ca75b4de281c22727b090a38181ff8c483660e6da071362258a79aee3f7ea01cca4c25bbbeab0ccc4857fb8abab9da412f9fa7c3065b4 |
C:\Users\Admin\AppData\Local\Smart File Defrag 7.1.3\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
memory/4364-43-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-44-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-48-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/952-49-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2676-50-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4364-53-0x0000000060900000-0x0000000060992000-memory.dmp
memory/4364-52-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-54-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-57-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-61-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-65-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-69-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-73-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-74-0x0000000000810000-0x00000000008B0000-memory.dmp
memory/4364-80-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-84-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-85-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-89-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-93-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-97-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-101-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-115-0x0000000000400000-0x00000000006EB000-memory.dmp
memory/4364-119-0x0000000000400000-0x00000000006EB000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:48
Platform
win7-20241010-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2060 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2060 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2060 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2060 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\khykuQw.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 328
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | socialsscesforum.icu | udp |
| US | 104.21.67.123:443 | socialsscesforum.icu | tcp |
Files
memory/2060-1-0x0000000000310000-0x0000000000375000-memory.dmp
memory/2060-6-0x0000000000390000-0x0000000000490000-memory.dmp
memory/2060-7-0x0000000000390000-0x0000000000490000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win7-20241023-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Browser Information Discovery
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1788 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1788 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1788 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1788 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1224
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
Files
memory/1788-0-0x0000000001040000-0x00000000014DB000-memory.dmp
memory/1788-1-0x0000000077B50000-0x0000000077B52000-memory.dmp
memory/1788-2-0x0000000001041000-0x00000000010A1000-memory.dmp
memory/1788-3-0x0000000001040000-0x00000000014DB000-memory.dmp
memory/1788-4-0x0000000001040000-0x00000000014DB000-memory.dmp
memory/1788-5-0x0000000001040000-0x00000000014DB000-memory.dmp
memory/1788-6-0x0000000001041000-0x00000000010A1000-memory.dmp
memory/1788-7-0x0000000001040000-0x00000000014DB000-memory.dmp
memory/1788-8-0x0000000001040000-0x00000000014DB000-memory.dmp
memory/1788-9-0x0000000001040000-0x00000000014DB000-memory.dmp
memory/1788-11-0x0000000001040000-0x00000000014DB000-memory.dmp
memory/1788-12-0x0000000001041000-0x00000000010A1000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:47
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\v6Oqdnc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | biochextryhub.bet | udp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
| US | 104.21.68.89:443 | biochextryhub.bet | tcp |
Files
memory/4236-0-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-1-0x0000000077294000-0x0000000077296000-memory.dmp
memory/4236-2-0x0000000000081000-0x00000000000E1000-memory.dmp
memory/4236-3-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-4-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-5-0x0000000000081000-0x00000000000E1000-memory.dmp
memory/4236-6-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-7-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-8-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-9-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-10-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-11-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-12-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-13-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-14-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-15-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-16-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-17-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-18-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-19-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-20-0x0000000000080000-0x000000000051B000-memory.dmp
memory/4236-21-0x0000000000080000-0x000000000051B000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-03-04 00:44
Reported
2025-03-04 00:48
Platform
win10v2004-20250217-en
Max time kernel
141s
Max time network
143s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\BXxKvLN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| FR | 45.155.103.183:1488 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/832-0-0x00000210FFC00000-0x00000210FFD00000-memory.dmp
memory/832-1-0x00007FFCBC3C3000-0x00007FFCBC3C5000-memory.dmp
memory/832-2-0x0000021081650000-0x00000210816A2000-memory.dmp
memory/832-3-0x00007FFCBC3C0000-0x00007FFCBCE81000-memory.dmp
memory/832-4-0x00007FFCBC3C0000-0x00007FFCBCE81000-memory.dmp
memory/832-5-0x00007FFCBC3C0000-0x00007FFCBCE81000-memory.dmp
memory/832-6-0x0000021100110000-0x000002110021A000-memory.dmp
memory/832-7-0x00000210FFF80000-0x00000210FFF92000-memory.dmp
memory/832-8-0x0000021100000000-0x000002110003C000-memory.dmp
memory/832-9-0x00007FF6B3B30000-0x00007FF6B3CDE000-memory.dmp
memory/832-10-0x0000021100040000-0x0000021100090000-memory.dmp
memory/832-11-0x00000211003F0000-0x00000211005B2000-memory.dmp
memory/832-12-0x000002109B3A0000-0x000002109B8C8000-memory.dmp
memory/832-13-0x00000210FFC00000-0x00000210FFD00000-memory.dmp
memory/832-14-0x00007FFCBC3C3000-0x00007FFCBC3C5000-memory.dmp
memory/832-15-0x00007FFCBC3C0000-0x00007FFCBCE81000-memory.dmp
memory/832-16-0x00007FFCBC3C0000-0x00007FFCBCE81000-memory.dmp