File name: | C:\Users\admin\AppData\Local\Temp\Rar$DRb2940.32419\529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474 |
Full analysis: | https://app.any.run/tasks/c6d8e082-d948-4bf3-89eb-d08089230cc8 |
Verdict: | Malicious activity |
Threats: | Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files. |
Analysis date: | August 02, 2022, 18:27:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | D946C183FD128B4ACF88D83EE89D79D3 |
SHA1: | 6F35DA72F339C7101E93A7ADADA27D24902DB598 |
SHA256: | 529586CBBD8586D7F33A3EA9BDD517B7EAD617B4E12165106E81E4BFAD859474 |
SSDEEP: | 12288:B9uox8a9XqSYVr9N4VT0sFHOox8a9XqSYVr9N4VT9y2kLrGrEPHnHr0sFCFlXz2t:B9ws50MT0yQs50MT979oPnr01sFo2P |
.exe | | | Win32 Executable MS Visual C++ 5.0 (77.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (8.4) |
.exe | | | Win32 Executable (generic) (5.7) |
.exe | | | Win16/32 Executable Delphi generic (2.6) |
.exe | | | Generic Win/DOS Executable (2.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2022:06:19 12:53:23+02:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 778240 |
InitializedDataSize: | 8192 |
UninitializedDataSize: | - |
EntryPoint: | 0xabf1d |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x0000 |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | German |
CharacterSet: | Unicode |
ProductName: | msdcawedceas |
FileVersion: | 1 |
ProductVersion: | 1 |
InternalName: | wqerxymdnxqwsa |
OriginalFileName: | wqerxymdnxqwsa.exe |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 19-Jun-2022 10:53:23 |
Detected languages: |
|
ProductName: | msdcawedceas |
FileVersion: | 1.00 |
ProductVersion: | 1.00 |
InternalName: | wqerxymdnxqwsa |
OriginalFilename: | wqerxymdnxqwsa.exe |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 19-Jun-2022 10:53:23 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000BD230 | 0x000BE000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.81222 |
.data | 0x000BF000 | 0x000015D8 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x000C1000 | 0x0000025C | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.36906 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.14997 | 516 | Latin 1 / Western European | German - Germany | RT_VERSION |
ADVAPI32.DLL |
KERNEL32.DLL |
MSVBVM60.DLL |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2996 | "C:\Users\admin\Desktop\529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe" | C:\Users\admin\Desktop\529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
4088 | "C:\Users\admin\AppData\Roaming\fcvtee.exe" | C:\Users\admin\AppData\Roaming\fcvtee.exe | — | 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
1996 | "C:\Users\admin\Desktop\529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe" | C:\Users\admin\Desktop\529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
3816 | "C:\Users\admin\AppData\Roaming\fcvtee.exe" | C:\Users\admin\AppData\Roaming\fcvtee.exe | fcvtee.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Version: 1.00 Modules
Arkei(PID) Process(3816) fcvtee.exe C2 (1)http://werido.ug/kanorgate.php Strings (618)LoadLibraryA GetProcAddress ExitProcess advapi32.dll crypt32.dll GetTickCount Sleep GetUserDefaultLangID CreateMutexA GetLastError HeapAlloc GetProcessHeap GetComputerNameA VirtualProtect GetCurrentProcess VirtualAllocExNuma GetUserNameA CryptStringToBinaryA HAL9TH JohnDoe 21/04/2022 20:00:00 http:// Default %hu/%hu/%hu %hu:%hu:%hu open sqlite3.dll C:\ProgramData\sqlite3.dll freebl3.dll C:\ProgramData\freebl3.dll mozglue.dll C:\ProgramData\mozglue.dll msvcp140.dll C:\ProgramData\msvcp140.dll nss3.dll C:\ProgramData\nss3.dll softokn3.dll C:\ProgramData\softokn3.dll vcruntime140.dll C:\ProgramData\vcruntime140.dll .zip Tag: IP: IP? Country: Country? Working Path: Local Time: TimeZone: Display Language: Keyboard Languages: Is Laptop: Processor: Installed RAM: OS: ( Bit) Videocard: Display Resolution: PC name: User name: Domain name: MachineID: GUID: Installed Software: system.txt Grabber\%s.zip %APPDATA% %LOCALAPPDATA% %USERPROFILE% %DESKTOP% Wallets\ Ethereum \Ethereum\ keystore Electrum \Electrum\wallets\ *.* ElectrumLTC \Electrum-LTC\wallets\ Exodus \Exodus\ exodus.conf.json window-state.json \Exodus\exodus.wallet\ passphrase.json seed.seco info.seco ElectronCash \ElectronCash\wallets\ default_wallet MultiDoge \MultiDoge\ multidoge.wallet JAXX \jaxx\Local Storage\ file__0.localstorage Atomic \atomic\Local Storage\leveldb\ 000003.log CURRENT LOCK LOG MANIFEST-000001 0000* Binance \Binance\ app-store.json Coinomi \Coinomi\Coinomi\wallets\ *.wallet *.config *wallet*.dat GetSystemTime lstrcatA SystemTimeToFileTime ntdll.dll sscanf memset memcpy wininet.dll user32.dll gdi32.dll netapi32.dll psapi.dll bcrypt.dll vaultcli.dll shlwapi.dll shell32.dll gdiplus.dll ole32.dll dbghelp.dll CreateFileA WriteFile CloseHandle GetFileSize lstrlenA LocalAlloc GlobalFree ReadFile OpenProcess SetFilePointer SetEndOfFile GetCurrentProcessId GetLocalTime GetTimeZoneInformation GetUserDefaultLocaleName LocalFree GetSystemPowerStatus GetSystemInfo GlobalMemoryStatusEx IsWow64Process GetTempPathA GetLocaleInfoA GetFileSizeEx GetFileAttributesA FindFirstFileA FindNextFileA FindClose GetCurrentDirectoryA CopyFileA DeleteFileA lstrcmpW GlobalAlloc FreeLibrary SetCurrentDirectoryA CreateFileMappingA MapViewOfFile UnmapViewOfFile FileTimeToSystemTime GetFileInformationByHandle GlobalLock GlobalSize WideCharToMultiByte GetWindowsDirectoryA GetVolumeInformationA GetVersionExA GetModuleFileNameA CreateFileW CreateFileMappingW MultiByteToWideChar CreateThread GetEnvironmentVariableA SetEnvironmentVariableA lstrcpyA lstrcpynA InternetOpenA InternetConnectA HttpOpenRequestA HttpSendRequestA HttpQueryInfoA InternetCloseHandle InternetReadFile InternetSetOptionA InternetOpenUrlA InternetCrackUrlA wsprintfA CharToOemW GetKeyboardLayoutList EnumDisplayDevicesA ReleaseDC GetDC GetSystemMetrics GetDesktopWindow GetWindowRect GetWindowDC CloseWindow RegOpenKeyExA RegQueryValueExA RegCloseKey GetCurrentHwProfileA RegEnumKeyExA RegGetValueA CreateDCA GetDeviceCaps CreateCompatibleDC CreateCompatibleBitmap SelectObject BitBlt DeleteObject StretchBlt GetObjectW GetDIBits SaveDC CreateDIBSection DeleteDC RestoreDC DsRoleGetPrimaryDomainInformation GetModuleFileNameExA CryptUnprotectData BCryptCloseAlgorithmProvider BCryptDestroyKey BCryptOpenAlgorithmProvider BCryptSetProperty BCryptGenerateSymmetricKey BCryptDecrypt VaultOpenVault VaultCloseVault VaultEnumerateItems VaultGetItemWin8 VaultGetItemWin7 VaultFree StrCmpCA StrStrA PathMatchSpecA SHGetFolderPathA ShellExecuteExA GdipGetImageEncodersSize GdipGetImageEncoders GdipCreateBitmapFromHBITMAP GdiplusStartup GdiplusShutdown GdipSaveImageToStream GdipDisposeImage GdipFree CreateStreamOnHGlobal GetHGlobalFromStream SymMatchString HEAD HTTP/1.1 GET POST file Content-Type: multipart/form-data; boundary=---- Content-Disposition: form-data; name=" Content-Disposition: form-data; name="file"; filename=" Content-Type: application/octet-stream Content-Transfer-Encoding: binary SOFT: PROF: ? PROF: HOST: USER: PASS: sqlite3_open sqlite3_prepare_v2 sqlite3_step sqlite3_column_text sqlite3_finalize sqlite3_close sqlite3_column_bytes sqlite3_column_blob encrypted_key "} PATH PATH= NSS_Init NSS_Shutdown PK11_GetInternalKeySlot PK11_FreeSlot PK11_Authenticate PK11SDR_Decrypt SELECT origin_url, username_value, password_value FROM logins Cookies\%s_%s.txt SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies TRUE FALSE Autofill\%s_%s.txt SELECT name, value FROM autofill CC\%s_%s.txt SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards Card number: Name on card: Expiration date: History\%s_%s.txt SELECT url FROM urls Downloads\%s_%s.txt SELECT target_path, tab_url from downloads Login Data Cookies Web Data History SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies logins.json formSubmitURL usernameField encryptedUsername encryptedPassword guid SELECT fieldname, value FROM moz_formhistory SELECT url FROM moz_places cookies.sqlite formhistory.sqlite places.sqlite \Local State ..\profiles.ini C:\ProgramData\ Chrome \Google\Chrome\User Data ChromeBeta \Google\Chrome Beta\User Data ChromeCanary \Google\Chrome SxS\User Data Chromium \Chromium\User Data Edge_Chromium \Microsoft\Edge\User Data Kometa \Kometa\User Data Amigo \Amigo\User Data Torch \Torch\User Data Orbitum \Orbitum\User Data Comodo \Comodo\Dragon\User Data Nichrome \Nichrome\User Data Maxthon5 \Maxthon5\Users Sputnik \Sputnik\User Data EPB \Epic Privacy Browser\User Data Vivaldi \Vivaldi\User Data CocCoc \CocCoc\Browser\User Data Uran \uCozMedia\Uran\User Data QIP \QIP Surf\User Data Cent \CentBrowser\User Data Elements \Elements Browser\User Data TorBro \TorBro\Profile CryptoTab \CryptoTab Browser\User Data Brave \BraveSoftware\Brave-Browser\User Data Opera \Opera Software\Opera Stable\ OperaGX \Opera Software\Opera GX Stable\ OperaNeon \Opera Software\Opera Neon\User Data Firefox \Mozilla\Firefox\Profiles\ SlimBrowser \FlashPeak\SlimBrowser\Profiles\ PaleMoon \Moonchild Productions\Pale Moon\Profiles\ Waterfox \Waterfox\Profiles\ Cyberfox \8pecxstudios\Cyberfox\Profiles\ BlackHawk \NETGATE Technologies\BlackHawk\Profiles\ IceCat \Mozilla\icecat\Profiles\ KMeleon \K-Meleon\ Thunderbird \Thunderbird\Profiles\ passwords.txt ibnejdfjmmkpcnlpebklmnkoeoihofec TronLink nkbihfbeogaeaoehlefnkodbefgpgknn MetaMask fhbohimaelbohpjbbldcngcnapndodjp Binance Chain Wallet ffnbelfdoeiohenkjibnmadjiehjhajb Yoroi jbdaocneiiinmjbjlgalhcelgbejmnid Nifty Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc Math Wallet hnfanknocfeofbddgcijnmhnfnkdnaad Coinbase Wallet hpglfhgfnhbgpjdenjgmdgoeiappafln Guarda blnieiiffboillknjnepogjhkgnoapac EQUAL Wallet cjelfplplebdjjenllpjcblmjkfcffne Jaxx Liberty fihkakfobkmkjojpchpfgcmhfjnmnfpi BitApp Wallet kncchdigobghenbbaddojjnnaogfppfj iWallet amkmjjmmflddogmhpjloimipbofnfjih Wombat nlbmnnijcnlegkjjpcfjclmcfggfefdm MEW CX nanjmdknhkinifnkgdcggcfnhdaammmj GuildWallet nkddgncdjgjfcddamfgcmfnlhccnimig Saturn Wallet fnjhmkhhmkbjkkabndcnnogagogbneec Ronin Wallet cphhlgmgameodnhkjdmkpanlelnlohao NeoLine nhnkbkgjikgcigadomkphalanndcapjk Clover Wallet kpfopkelmapcoipemfendmdcghnegimn Liquality Wallet aiifbnbfobpmeekipheeijimdpnlpgpp Terra Station dmkamcknogkgcdfhhbddcghachkejeap Keplr fhmfendgdocmcbmfikdcogofphimnkno Sollet cnmamaachppnkjgnildpdmkaakejnhae Auro Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf Polymesh Wallet flpiciilemghbmfalicajoolhkkenfel ICONex nknhiehlklippafakaeklbeglecifhad Nabox Wallet hcflpincpppdclinealmandijcmnkbgn KHC ookjlbkiijinhpmnjffcofjonbfbgaoc Temple mnfifefkajgofkcjkemidiaecocnkjeh TezBox dkdedlpgdmmkkfjabffeganieamfklkm Cyano Wallet nlgbhdfgdhgbiamfdfmbikcdghidoadd Byone infeboajgfhgbjpjbeppbkgnabfdkdaf OneKey cihmoadaighcejopammfbmddcmdekcje LeafWallet lodccjjbdhfakaekdiahmedfbieldgik DAppPlay ijmpgkjfkbfhoebgogflfebnmejmfbml BitClip lkcjlnjfpbikmcmbachjpdbijejflpcm Steem Keychain onofpnbbkehpmmoabgpcpmigafmmnjhl Nash Extension bcopgchhojmggmffilplmbdicgaihlkp Hycon Lite Client klnaejjgbibmhlephnhpmaofohgkpgkd ZilPay aeachknmefphepccionboohckonoeemg Coin98 Wallet bfnaelmomeimhlpmgjnjophhpkkoljpa Phantom hifafgmccdpekplomjjkcfgodnhcellj Crypto.com dngmlblcodfobpdpecaadgfbcggfjfnm Maiar DeFi Wallet ppdadbejkmjnefldpcdjhnkpbjkikoip Oasis hpbgcgmiemanfelegbndmhieiigkackl MonstaWallet fcckkdbjnoikooededlapcalpionmalo MOBOX jccapkebeeiajkkdemacblkjhhhboiek Crust Wallet mgffkfbidihjpoaomajlbgchddlicgpn Pali Wallet nphplpgoakhhjchkkhmiggakijnkhfnd TON Wallet ldinpeekobnhjjdofggfgjlcehhmanlj Hiro Wallet pocmplpaccanhmnllbbkpgfliimjljgo Slope Wallet bhhhlbepdkbapadjdnnojkbgioiodbic Solflare Wallet pgiaagfkgcbnmiiolekcfmljdagdhlcm Stargazer Wallet cgeeodpfagjceefieflmdfphplkenlfk EVER Wallet gjkdbeaiifkpoencioahhcilildpjhgh partisia-wallet bgjogpoidejdemgoochpnkmdjpocgkha Ecto Wallet ifckdpamphokdglkkdomedpdegcjhjdp ONTO Wallet agechnindjilpccclelhlbjphbgnobpf Fractal Wallet algblmhagnobbnmakepomicmfljlbehg ADS Wallet imijjbmbnebfnbmonjeileijahaipglj Moonlet Wallet kpjdchaapjheajadlaakiiigcbhoppda ZEBEDEE dlcobpjiigpikoobohmabehhmhfoodbb Argent X StarkNet Wallet bofddndhbegljegmpmnlbhcejofmjgbn X-Wallet mapbhaebnddapnmifbbkgeedkeplgjmf Biport Wallet kfdniefadaanbjodldohaedphafoffoh Typhon Wallet jaooiolkmfcmloonphpiiogkfckgciom Twetch Wallet aijcbedoijmgnlmjeegjaglmepbmpkpi Leap Wallet fhfffofbcgbjjojdnpcfompojdjjhdim Lamden Wallet agkfnefiabmfpanochlcakggnkdfmmjd Earth Wallet lpfcbjknijpeeillifnkikgncikgfhdo Nami fecfflganphcinpahcklgahckeohalog Coin Wallet ilhaljfiglknggcoegeknjghdgampffk Beam Web Wallet dklmlehijiaepdijfnbbhncfpcoeeljf FShares Wallet fkhebcilafocjhnlcngogekljmllgdhd WAGMIswap.io Wallet laphpbhjhhgigmjoflgcchgodbbclahk BLUE - Worlds Safest and Simplest Wallet mkjjflkhdddfjhonakofipfojoepfndk Unification Web Wallet jnldfbidonfeldmalbflbmlebbipcnle Infinity Wallet ellkdbaphhldpeajbepobaecooaoafpg Fetch.ai Network Wallet iokeahhehimjnekafflcihljlcjccdbe Alby Wallet omajpeaffjgmlpmhbfdjepdejoemifpe xBull Wallet pgojdfajgcjjpjnbpfaelnpnjocakldb Sugarchain Wallet pnndplcbkakcplkjnolgbkdgjikjednm Tronium fnnegphlobjdpkhecapkijjdkgcjhkib Harmony fhilaheimglignddkjgofkcbgekhenbh Oxygen cmbagcoinhmacpcgmbiniijboejgiahi JustLiquidity Wallet kmmolakhbgdlpkjkcjkebenjheonagdm AlgoSigner fnabdmcgpkkjjegokfcnfbpneacddpfh Goldmint Lite Wallet bgpipimickeadkjlklgciifhnalhdjhe GeroWallet hoighigmnhgkkdaenafgnefkcmipfjon EO.Finance nlgnepoeokdfodgjkjiblkadkjbdfmgd Multi Wallet nhihjlnjgibefgjhobhcphmnckoogdea Waves Enterprise Wallet ehibhohmlpipbaogcknmpmiibbllplph Bluehelix Wallet magbanejlegnbcppjljfhnmfmghialkl Nebulas Wallet fgkaeeikaoeiiggggbgdcjchmdfmamla Vtimes pnlfjmlcjdjgkddecgincndfgegkecke Crocobit Wallet bhghoamapcdpbohphigoooaddinpkbai Authenticator gaedmjdfmmahhbjefcbgaolhhanlaolb Authy oeljdldpnmdbchonielidgobddffflal EOS Authenticator ilgcnhelpchnceeipipijaljkblbcobl GAuth Authenticator imloifkgjagghnncjkhggdhalmcnfklk Trezor Password Manager %s\%s\Local Extension Settings\%s %s\CURRENT %s\%s\Sync Extension Settings\%s %s\%s\IndexedDB\chrome-extension_%s_0.indexeddb.leveldb Plugins\ HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName x64 x86 DISPLAY SOFTWARE\Microsoft\Cryptography MachineGuid SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall DisplayName DisplayVersion screenshot.jpg ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 /c timeout /t 5 & del /f /q "%s" & exit C:\Windows\System32\cmd.exe |
(PID) Process: | (2996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (1996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (1996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (1996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (1996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (1996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1996) 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2996 | 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | C:\Users\admin\AppData\Roaming\fcvtee.exe | executable | |
MD5:32AB5685131D8BCFA172BF165ADF9338 | SHA256:2A0DC11C02495205FADBBB4A5A5304A9E77FD079DCAB58DAA04804A59E4CC87E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1996 | 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | POST | — | 140.82.52.55:80 | http://140.82.52.55/ | US | — | — | malicious |
1996 | 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | POST | — | 136.244.65.99:80 | http://136.244.65.99/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 136.244.65.99:80 | — | Connecticut College | US | malicious |
1996 | 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | 136.244.65.99:80 | — | Connecticut College | US | malicious |
1996 | 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474.exe | 140.82.52.55:80 | — | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
werido.ug |
| malicious |