URL: https://lineart.in/download/File_pass1234.7z

Full analysis: https://app.any.run/tasks/d124ba61-e2b9-433a-9c3c-f46775e38c9b
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: July 27, 2023, 07:39:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
privateloader
evasion
loader
payload
risepro
stealer
rat
redline
fabookie
gcleaner
amadey
trojan
vidar
arkei
smoke
g0njxa
Indicators:
MD5: 28FE38F46E07ED98337AB0996491289E
SHA1: 91143BBCB920E7CCEA9B7819242818EF07765F39
SHA256: CD15A81782F3F7F527AD29E535E6526CBC4D8E8539F5D0495A8851D60F460A71
SSDEEP: 3:N8MLh9Fm8hWUXTfn:2MvFjhW+fn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • File.exe (PID: 3284)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
    • Connects to the CnC server

      • File.exe (PID: 3284)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • FJSpacer727.exe (PID: 3316)
      • AppLaunch.exe (PID: 3708)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • pdates.exe (PID: 4024)
      • explorer.exe (PID: 1880)
      • AppLaunch.exe (PID: 3716)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • PgCU43D1TyIXCryvuMHPSSkC.exe (PID: 2644)
      • AppLaunch.exe (PID: 3032)
      • VQqI2kTAY7MHW6Lto7Zp_UD7.exe (PID: 2600)
    • PRIVATELOADER was detected

      • File.exe (PID: 3284)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • VQqI2kTAY7MHW6Lto7Zp_UD7.exe (PID: 2600)
    • Actions look like stealing of personal data

      • File.exe (PID: 3284)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • gZOue3Y4GqpIgVbROYeTccwk.exe (PID: 3412)
      • qpvV5vyiay5KWARulh6wodYi.exe (PID: 764)
      • Q0U87.exe (PID: 3616)
      • AppLaunch.exe (PID: 3716)
      • d1674499.exe (PID: 1656)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • AppLaunch.exe (PID: 3708)
      • LFXFPgCk0BJHNRB3o8MBL7JI.exe (PID: 3876)
    • Application was dropped or rewritten from another process

      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • 5tDwXADxNln46Px4_wwZ9Eny.exe (PID: 3872)
      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • yhRDrWsvCvJyDuoKV52ycMVj.exe (PID: 1496)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • n4UD_1RkeTViEc_TLOPrIg7n.exe (PID: 3148)
      • jE37Xsl0a0j_WxmVJS2wLuYs.exe (PID: 2668)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • v1894336.exe (PID: 1468)
      • v4110462.exe (PID: 3080)
      • a2470491.exe (PID: 3820)
      • B8KDsqC.exe (PID: 2372)
      • b0673562.exe (PID: 2624)
      • c5709934.exe (PID: 4060)
      • pdates.exe (PID: 4024)
      • 坣确䕺㔸㍣㙮䜵砸㕣 (PID: 3228)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • vO1I.exe (PID: 3096)
      • Rwxly.exe (PID: 3308)
      • pdates.exe (PID: 4052)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • pdates.exe (PID: 3192)
      • oKzd8P0fz39iNryDOgPSse1S.exe (PID: 964)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe (PID: 3136)
      • LFXFPgCk0BJHNRB3o8MBL7JI.exe (PID: 3876)
      • RX36NaoUm7ILsEsVJV2i8rK1.exe (PID: 3752)
      • HydQznHitzaFvzkg309hDxiM.exe (PID: 3880)
      • work.exe (PID: 3692)
      • dwa.exe (PID: 3388)
    • Loads dropped or rewritten executable

      • 5tDwXADxNln46Px4_wwZ9Eny.exe.tmp (PID: 2704)
      • msiexec.exe (PID: 2604)
      • AppLaunch.exe (PID: 3708)
      • rundll32.exe (PID: 1680)
    • RISEPRO was detected

      • R5HoX6DekP78Dzdme2dyiJty.exe (PID: 120)
    • REDLINE was detected

      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • AppLaunch.exe (PID: 3716)
      • PgCU43D1TyIXCryvuMHPSSkC.exe (PID: 2644)
      • AppLaunch.exe (PID: 3032)
    • Disables Windows Defender

      • a2470491.exe (PID: 3820)
    • Runs injected code in another process

      • jE37Xsl0a0j_WxmVJS2wLuYs.exe (PID: 2668)
      • c5709934.exe (PID: 4060)
    • Application was injected by another process

      • explorer.exe (PID: 1880)
    • FABOOKIE was detected

      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
    • PRIVATELOADER detected by memory dumps

      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • R5HoX6DekP78Dzdme2dyiJty.exe (PID: 120)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • VQqI2kTAY7MHW6Lto7Zp_UD7.exe (PID: 2600)
    • Steals credentials from Web Browsers

      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • AppLaunch.exe (PID: 3708)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • AppLaunch.exe (PID: 3716)
    • Changes the autorun value in the registry

      • pdates.exe (PID: 4024)
    • Uses Task Scheduler to run other applications

      • pdates.exe (PID: 4024)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
    • GCLEANER was detected

      • FJSpacer727.exe (PID: 3316)
    • VIDAR was detected

      • AppLaunch.exe (PID: 3708)
    • ARKEI was detected

      • AppLaunch.exe (PID: 3708)
    • ARKEI detected by memory dumps

      • YxRwall2KIKfALf5FH2Gv7Sp.exe (PID: 3716)
      • vO1I.exe (PID: 3096)
      • 坣确䕺㔸㍣㙮䜵砸㕣 (PID: 3228)
      • AppLaunch.exe (PID: 3708)
      • AppLaunch.exe (PID: 3256)
    • Steals credentials

      • AppLaunch.exe (PID: 3708)
    • AMADEY was detected

      • pdates.exe (PID: 4024)
    • AMADEY detected by memory dumps

      • pdates.exe (PID: 4024)
    • Starts CMD.EXE for self-deleting

      • FJSpacer727.exe (PID: 3316)
    • SMOKE was detected

      • explorer.exe (PID: 1880)
    • REDLINE detected by memory dumps

      • Rwxly.exe (PID: 3308)
      • gkcQkWMasTFMI_T_QznizcEC.exe (PID: 3012)
      • LsVVLk6Q1eT5PlFVIJKbBmAD.exe (PID: 3184)
    • Uses Task Scheduler to autorun other applications

      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
    • GCLEANER detected by memory dumps

      • FJSpacer727.exe (PID: 352)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • File.exe (PID: 3284)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • AppLaunch.exe (PID: 3708)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
    • Connects to the server without a host name

      • File.exe (PID: 3284)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • FJSpacer727.exe (PID: 3316)
      • pdates.exe (PID: 4024)
      • explorer.exe (PID: 1880)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • VQqI2kTAY7MHW6Lto7Zp_UD7.exe (PID: 2600)
    • Executes as Windows Service

      • raserver.exe (PID: 3820)
      • raserver.exe (PID: 1376)
      • raserver.exe (PID: 4068)
      • raserver.exe (PID: 3268)
    • Checks for external IP

      • File.exe (PID: 3284)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • VQqI2kTAY7MHW6Lto7Zp_UD7.exe (PID: 2600)
    • Adds/modifies Windows certificates

      • WinRAR.exe (PID: 3984)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
    • Reads the Internet Settings

      • File.exe (PID: 3284)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • yhRDrWsvCvJyDuoKV52ycMVj.exe (PID: 1496)
      • FJSpacer727.exe (PID: 3316)
      • pdates.exe (PID: 4024)
      • b0673562.exe (PID: 2624)
      • AppLaunch.exe (PID: 3708)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • HydQznHitzaFvzkg309hDxiM.exe (PID: 3880)
      • RX36NaoUm7ILsEsVJV2i8rK1.exe (PID: 3752)
      • No7uYNfoXPrQi_rMxmDWOTRI.exe (PID: 3176)
      • work.exe (PID: 3692)
    • Checks Windows Trust Settings

      • File.exe (PID: 3284)
      • AppLaunch.exe (PID: 3708)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
    • Connects to unusual port

      • File.exe (PID: 3284)
      • R5HoX6DekP78Dzdme2dyiJty.exe (PID: 120)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • AppLaunch.exe (PID: 3708)
      • d1674499.exe (PID: 1656)
      • Q0U87.exe (PID: 3616)
      • AppLaunch.exe (PID: 3716)
      • AppLaunch.exe (PID: 3032)
      • PgCU43D1TyIXCryvuMHPSSkC.exe (PID: 2644)
      • LsVVLk6Q1eT5PlFVIJKbBmAD.exe (PID: 3184)
    • Reads security settings of Internet Explorer

      • File.exe (PID: 3284)
      • AppLaunch.exe (PID: 3708)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
    • Process requests binary or script from the Internet

      • File.exe (PID: 3284)
      • pdates.exe (PID: 4024)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
    • Executable content was dropped or overwritten

      • File.exe (PID: 3284)
      • 5tDwXADxNln46Px4_wwZ9Eny.exe (PID: 3872)
      • 5tDwXADxNln46Px4_wwZ9Eny.exe.tmp (PID: 2704)
      • yhRDrWsvCvJyDuoKV52ycMVj.exe (PID: 1496)
      • n4UD_1RkeTViEc_TLOPrIg7n.exe (PID: 3148)
      • v4110462.exe (PID: 3080)
      • v1894336.exe (PID: 1468)
      • FJSpacer727.exe (PID: 3316)
      • b0673562.exe (PID: 2624)
      • YxRwall2KIKfALf5FH2Gv7Sp.exe (PID: 3716)
      • AppLaunch.exe (PID: 3708)
      • explorer.exe (PID: 1880)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • pdates.exe (PID: 4024)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe (PID: 3136)
      • No7uYNfoXPrQi_rMxmDWOTRI.exe (PID: 3176)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp (PID: 2592)
      • work.exe (PID: 3692)
      • dwa.exe (PID: 3388)
      • FJSpacer727.exe (PID: 352)
    • Reads the Windows owner or organization settings

      • 5tDwXADxNln46Px4_wwZ9Eny.exe.tmp (PID: 2704)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp (PID: 2592)
    • Reads the BIOS version

      • gZOue3Y4GqpIgVbROYeTccwk.exe (PID: 3412)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • AppLaunch.exe (PID: 3708)
    • Searches for installed software

      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • AppLaunch.exe (PID: 3708)
      • d1674499.exe (PID: 1656)
      • Q0U87.exe (PID: 3616)
      • AppLaunch.exe (PID: 3716)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp (PID: 2592)
    • Reads browser cookies

      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • AppLaunch.exe (PID: 3716)
    • Starts CMD.EXE for commands execution

      • pdates.exe (PID: 4024)
      • cmd.exe (PID: 2584)
      • FJSpacer727.exe (PID: 3316)
      • No7uYNfoXPrQi_rMxmDWOTRI.exe (PID: 3176)
    • Application launched itself

      • cmd.exe (PID: 2584)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 2584)
    • Starts itself from another location

      • b0673562.exe (PID: 2624)
    • Starts application with an unusual extension

      • YxRwall2KIKfALf5FH2Gv7Sp.exe (PID: 3716)
    • Uses TASKKILL.EXE to kill a process

      • cmd.exe (PID: 3904)
    • The process executes via Task Scheduler

      • pdates.exe (PID: 4052)
      • pdates.exe (PID: 3192)
    • Executing commands from a ".bat" file

      • No7uYNfoXPrQi_rMxmDWOTRI.exe (PID: 3176)
  • INFO

    • The process uses the downloaded file

      • firefox.exe (PID: 1964)
      • WinRAR.exe (PID: 3984)
    • Application launched itself

      • firefox.exe (PID: 1964)
    • Manual execution by a user

      • WinRAR.exe (PID: 3984)
    • Checks supported languages

      • File.exe (PID: 3284)
      • 5tDwXADxNln46Px4_wwZ9Eny.exe (PID: 3872)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • jE37Xsl0a0j_WxmVJS2wLuYs.exe (PID: 2668)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • R5HoX6DekP78Dzdme2dyiJty.exe (PID: 120)
      • n4UD_1RkeTViEc_TLOPrIg7n.exe (PID: 3148)
      • yhRDrWsvCvJyDuoKV52ycMVj.exe (PID: 1496)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • gZOue3Y4GqpIgVbROYeTccwk.exe (PID: 3412)
      • qpvV5vyiay5KWARulh6wodYi.exe (PID: 764)
      • 5tDwXADxNln46Px4_wwZ9Eny.exe.tmp (PID: 2704)
      • YxRwall2KIKfALf5FH2Gv7Sp.exe (PID: 3716)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • v1894336.exe (PID: 1468)
      • v4110462.exe (PID: 3080)
      • a2470491.exe (PID: 3820)
      • FJSpacer727.exe (PID: 3316)
      • B8KDsqC.exe (PID: 2372)
      • b0673562.exe (PID: 2624)
      • pdates.exe (PID: 4024)
      • c5709934.exe (PID: 4060)
      • AppLaunch.exe (PID: 3708)
      • AppLaunch.exe (PID: 3256)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • 坣确䕺㔸㍣㙮䜵砸㕣 (PID: 3228)
      • Rwxly.exe (PID: 3308)
      • AppLaunch.exe (PID: 3716)
      • vO1I.exe (PID: 3096)
      • pdates.exe (PID: 4052)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • pdates.exe (PID: 3192)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe (PID: 3136)
      • oKzd8P0fz39iNryDOgPSse1S.exe (PID: 964)
      • RX36NaoUm7ILsEsVJV2i8rK1.exe (PID: 3752)
      • LFXFPgCk0BJHNRB3o8MBL7JI.exe (PID: 3876)
      • HydQznHitzaFvzkg309hDxiM.exe (PID: 3880)
      • LsVVLk6Q1eT5PlFVIJKbBmAD.exe (PID: 3184)
      • No7uYNfoXPrQi_rMxmDWOTRI.exe (PID: 3176)
      • VQqI2kTAY7MHW6Lto7Zp_UD7.exe (PID: 2600)
      • PgCU43D1TyIXCryvuMHPSSkC.exe (PID: 2644)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp (PID: 2592)
      • gkcQkWMasTFMI_T_QznizcEC.exe (PID: 3012)
      • AppLaunch.exe (PID: 3032)
      • work.exe (PID: 3692)
      • dwa.exe (PID: 3388)
    • Reads the computer name

      • File.exe (PID: 3284)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • 5tDwXADxNln46Px4_wwZ9Eny.exe.tmp (PID: 2704)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • yhRDrWsvCvJyDuoKV52ycMVj.exe (PID: 1496)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • gZOue3Y4GqpIgVbROYeTccwk.exe (PID: 3412)
      • a2470491.exe (PID: 3820)
      • qpvV5vyiay5KWARulh6wodYi.exe (PID: 764)
      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • FJSpacer727.exe (PID: 3316)
      • b0673562.exe (PID: 2624)
      • pdates.exe (PID: 4024)
      • AppLaunch.exe (PID: 3708)
      • AppLaunch.exe (PID: 3256)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • 坣确䕺㔸㍣㙮䜵砸㕣 (PID: 3228)
      • AppLaunch.exe (PID: 3716)
      • vO1I.exe (PID: 3096)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • LFXFPgCk0BJHNRB3o8MBL7JI.exe (PID: 3876)
      • HydQznHitzaFvzkg309hDxiM.exe (PID: 3880)
      • RX36NaoUm7ILsEsVJV2i8rK1.exe (PID: 3752)
      • No7uYNfoXPrQi_rMxmDWOTRI.exe (PID: 3176)
      • LsVVLk6Q1eT5PlFVIJKbBmAD.exe (PID: 3184)
      • AppLaunch.exe (PID: 3032)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp (PID: 2592)
      • PgCU43D1TyIXCryvuMHPSSkC.exe (PID: 2644)
      • oKzd8P0fz39iNryDOgPSse1S.exe (PID: 964)
      • work.exe (PID: 3692)
      • VQqI2kTAY7MHW6Lto7Zp_UD7.exe (PID: 2600)
      • dwa.exe (PID: 3388)
    • The process checks LSA protection

      • File.exe (PID: 3284)
      • yhRDrWsvCvJyDuoKV52ycMVj.exe (PID: 1496)
      • 5tDwXADxNln46Px4_wwZ9Eny.exe.tmp (PID: 2704)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • FJSpacer727.exe (PID: 3316)
      • b0673562.exe (PID: 2624)
      • pdates.exe (PID: 4024)
      • gZOue3Y4GqpIgVbROYeTccwk.exe (PID: 3412)
      • qpvV5vyiay5KWARulh6wodYi.exe (PID: 764)
      • AppLaunch.exe (PID: 3708)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • explorer.exe (PID: 1880)
      • AppLaunch.exe (PID: 3716)
      • taskkill.exe (PID: 3836)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • No7uYNfoXPrQi_rMxmDWOTRI.exe (PID: 3176)
      • RX36NaoUm7ILsEsVJV2i8rK1.exe (PID: 3752)
      • HydQznHitzaFvzkg309hDxiM.exe (PID: 3880)
      • LsVVLk6Q1eT5PlFVIJKbBmAD.exe (PID: 3184)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp (PID: 2592)
      • LFXFPgCk0BJHNRB3o8MBL7JI.exe (PID: 3876)
      • AppLaunch.exe (PID: 3032)
      • PgCU43D1TyIXCryvuMHPSSkC.exe (PID: 2644)
      • work.exe (PID: 3692)
      • oKzd8P0fz39iNryDOgPSse1S.exe (PID: 964)
      • VQqI2kTAY7MHW6Lto7Zp_UD7.exe (PID: 2600)
    • Reads the Internet Settings

      • explorer.exe (PID: 1880)
    • Reads the machine GUID from the registry

      • File.exe (PID: 3284)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • HXGPspimyZgUlJ4B1yB_ldsv.exe (PID: 2492)
      • ojV0JrxnSblsaOx9Devk9uUU.exe (PID: 3808)
      • FJSpacer727.exe (PID: 3316)
      • b0673562.exe (PID: 2624)
      • qpvV5vyiay5KWARulh6wodYi.exe (PID: 764)
      • gZOue3Y4GqpIgVbROYeTccwk.exe (PID: 3412)
      • AppLaunch.exe (PID: 3256)
      • pdates.exe (PID: 4024)
      • AppLaunch.exe (PID: 3708)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • 坣确䕺㔸㍣㙮䜵砸㕣 (PID: 3228)
      • AppLaunch.exe (PID: 3716)
      • vO1I.exe (PID: 3096)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • HydQznHitzaFvzkg309hDxiM.exe (PID: 3880)
      • LsVVLk6Q1eT5PlFVIJKbBmAD.exe (PID: 3184)
      • LFXFPgCk0BJHNRB3o8MBL7JI.exe (PID: 3876)
      • AppLaunch.exe (PID: 3032)
      • PgCU43D1TyIXCryvuMHPSSkC.exe (PID: 2644)
      • oKzd8P0fz39iNryDOgPSse1S.exe (PID: 964)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 1964)
    • Process checks computer location settings

      • File.exe (PID: 3284)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
    • Checks proxy server information

      • File.exe (PID: 3284)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • FJSpacer727.exe (PID: 3316)
      • AppLaunch.exe (PID: 3708)
      • pdates.exe (PID: 4024)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • HydQznHitzaFvzkg309hDxiM.exe (PID: 3880)
    • Creates files in a temporary directory

      • File.exe (PID: 3284)
      • 5tDwXADxNln46Px4_wwZ9Eny.exe (PID: 3872)
      • 5tDwXADxNln46Px4_wwZ9Eny.exe.tmp (PID: 2704)
      • n4UD_1RkeTViEc_TLOPrIg7n.exe (PID: 3148)
      • yhRDrWsvCvJyDuoKV52ycMVj.exe (PID: 1496)
      • v1894336.exe (PID: 1468)
      • v4110462.exe (PID: 3080)
      • b0673562.exe (PID: 2624)
      • YxRwall2KIKfALf5FH2Gv7Sp.exe (PID: 3716)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe (PID: 3136)
      • No7uYNfoXPrQi_rMxmDWOTRI.exe (PID: 3176)
      • RX36NaoUm7ILsEsVJV2i8rK1.exe (PID: 3752)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp (PID: 2592)
      • work.exe (PID: 3692)
    • Creates files or folders in the user directory

      • File.exe (PID: 3284)
      • dvNXvnZ2Mo1SrHAHzMgyCMzN.exe (PID: 2932)
      • FJSpacer727.exe (PID: 3316)
      • AppLaunch.exe (PID: 3708)
      • explorer.exe (PID: 1880)
      • pdates.exe (PID: 4024)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • ZOfV32Kal39s4M0d2MeEupfL.exe (PID: 2308)
      • HydQznHitzaFvzkg309hDxiM.exe (PID: 3880)
      • dwa.exe (PID: 3388)
    • Application was dropped or rewritten from another process

      • 5tDwXADxNln46Px4_wwZ9Eny.exe.tmp (PID: 2704)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp (PID: 2592)
    • Process checks whether UAC notifications are on

      • gZOue3Y4GqpIgVbROYeTccwk.exe (PID: 3412)
    • Creates files in the program directory

      • 5tDwXADxNln46Px4_wwZ9Eny.exe.tmp (PID: 2704)
      • AppLaunch.exe (PID: 3708)
      • 8PfshrVyh5MFvAOImO7gXtiF.exe (PID: 3896)
      • dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp (PID: 2592)
    • Reads Environment values

      • cNWAOXSBZJk8Jle0DTVq4HfV.exe (PID: 3192)
      • v0Ftatds3QWsBTYgMBdmNu9W.exe (PID: 3344)
      • bRZu4woQLn7PT86wTXzkSzBq.exe (PID: 2392)
      • AppLaunch.exe (PID: 3708)
      • Q0U87.exe (PID: 3616)
      • d1674499.exe (PID: 1656)
      • AppLaunch.exe (PID: 3716)
    • Reads product name

      • AppLaunch.exe (PID: 3708)
    • Reads CPU info

      • AppLaunch.exe (PID: 3708)
    • The executable file from the user directory is run by the CMD process

      • work.exe (PID: 3692)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Arkei

Process (PID 3716): YxRwall2KIKfALf5FH2Gv7Sp.exe
C2 (27)
Strings (80)

PrivateLoader

Process (PID 3896): 8PfshrVyh5MFvAOImO7gXtiF.exe
C2 (4)
85.208.136.10
94.142.138.131
94.142.138.113
208.67.104.60
Strings (62)
Process (PID 2492): HXGPspimyZgUlJ4B1yB_ldsv.exe
C2 (7)
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.15.156.229
85.208.136.10
94.142.138.131
94.142.138.113
208.67.104.60
Attributes
Payload (36)
Strings (822)
coinfinit.com
bitker.com
dobitrade.com
btcexa.com
satowallet.com
cpdax.com
trade.io
btcnext.io
exmarkets.com
btc-exchange.com
chaoex.com
jex.com
therocktrading.com
gdac.com
southxchange.com
tokens.net
fexpro.net
btcbox.co.jp
coinmex.com
cryptology.com
cointiger.com
cashierest.com
coinbit.co.kr
mxc.com
bilaxy.com
coinall.com
coindeal.com
omgfin.com
oceanex.pro
bithumb.com
ftx.com
shortex.net
coin.z.com
fcoin.com
fatbtc.com
tokenize.exchange
simex.global
instantbitex.com
\Login Data
SOFTWARE\BraveSoftware\Brave-Browser\PreferenceMACs
\BraveSoftware\Brave-Browser\User Data\
SOFTWARE\CryptoTab Browser\PreferenceMACs
\CryptoTab Browser\User Data\
\Opera Software\Opera Stable
ascendex.com
crypto.com
coins.ph
coins.th
dogechain.info
miningpoolhub.com
/vpn/index.html
portal/webclient
remote/login
/vpn/tmindex.html
/LogonPoint/tmindex.html
XenApp1/auth/login.aspx
auth/silentDetection.aspx
/citrix/
/RDWeb/
/+CSCOE+/
/global-protect/
sslvpn.
/dana-na/
/my.policy
ncsecu.org
penfed.org
becu.org
schoolsfirstfcu.org
firsttechfed.com
golden1.com
alliantcreditunion.org
americafirst.com
suncoastcreditunion.com
secumd.org
safecu.org
missionfed.com
greendot.com
rbfcu.org
macu.com
dcu.org
ssfcu.org
bethpagefcu.com
starone.org
alaskausa.org
sdccu.com
aacreditunion.org
lmcu.org
teachersfcu.org
patelco.org
esl.org
onpointcu.com
logixbanking.com
psecu.com
deltacommunitycu.com
ent.com
cefcu.com
greenstate.org
unfcu.org
pffcu.org
wingsfinancial.com
iccu.comdesertfinancial.com
iccu.com
desertfinancial.com
hvfcu.org
wpcu.coop
redwoodcu.org
tcunet.com
wsecu.org
joviafinancial.com
coastal24.com
myeecu.org
gecreditunion.org
nymcu.org
affinityfcu.com
towerfcu.org
ccu.com
communityamerica.com
langleyfcu.org
credithuman.com
techcu.com
gecu.com
kfcu.org
applefcu.org
nasafcu.com
sfcu.org
genisyscu.org
unifyfcu.com
apcocu.org
firstcommunity.com
unitedfcu.com
fairwinds.org
ufcu.org
wescom.org
bcu.org
vacu.org
citadelbanking.com
servicecu.org
summitcreditunion.com
gesa.com
chevronfcu.org
traviscu.org
uwcu.org
communityfirstcu.org
ecu.org
sccu.com
bfsfcu.org
bellco.org
dfcufinancial.com
msufcu.org
members1st.org
landmarkcu.com
kinecta.org
midflorida.com
visionsfcu.org
veridiancu.org
statefarmfcu.com
tinkerfcu.org
sefcu.com
americanheritagecu.org
robinsfcu.org
canvas.org
growfinancial.org
truliantfcu.org
ascend.org
foundersfcu.com
calcoastcu.org
ucu.org
connexuscu.org
slfcu.org
numericacu.com
eecu.org
georgiasown.org
nusenda.org
tvacreditunion.com
pcu.org
msgcu.org
nuvisionfederal.com
trumarkonline.org
navigantcu.org
ornlfcu.com
jscfcu.org
lgfcu.org
elevationscu.com
gtefinancial.org
chartway.com
ecu.com
sdfcu.org
apcu.com
schools.org
metrocu.org
campuscu.com
adviacu.org
psfcu.com
andrewsfcu.org
eglinfcu.org
imcu.com
americaneagle.org
ttcu.com
vantagewest.org
empowerfcu.com
rfcu.com
capcomfcu.org
arizonafederal.org
csecreditunion.com
communityfirstfl.org
bayportcu.org
gwcu.org
wecu.com
stgeorge.com.au
imb.com.au
ing.com.au
bankofmelbourne.com.au
regionalaustraliabank.com
suncorp.com.au
regionalaustraliabank.com.au
bmo.com
cwbank.com
royalbank.com
vancity.com
servus.ca
coastcapitalsavings.com
alterna.ca
interiorsavings.com
synergycu.ca
mainstreetcu.ca
cu.com
fcu.com
robinhood.com
navyfederal.org
tboholidays.com
24x7rooms.com
adonis.com
abreuonline.com
almundo.com.ar
bonotel.com
bookohotel.com
didatravel.com
dotwconnect.com
eetglobal.com
escalabeds.com
fastpayhotels.com
getaroom.com
goglobal.travel
hoteldo.com.mx
hotelspro.com
jumbonline.com
kaluahtours.com
lci-euro.com
lotsofhotels.com
mikinet.co.uk
misterroom.com
nexustours.com
olympiaeurope.com
paximum.com
restel.es
rezserver.com
rezlive.com
sunhotels.com
totalstay.com
travco.co.uk
travellanda.com
smyrooms.com
welcomebeds.com
yalago.com
hotelbeds.com
mercadolibre.com.mx
hsbc.com.mx
bbvanetcash.mx
scotiabank.com.mx
santander.com.mx
bbva.mx
opensea.io
plantvsundead.com
axieinfinity.com
cryptocars.me
bombcrypto.io
cryptoplanes.me
cryptozoon.io
bankalhabib.com
correosprepago.es
orangebank.es
amazon.it
amazon.ca
amazon.de
amazon.com
netspend.com
online.citi.com
cloud.ibm.com
ca.ovh.com
account.alibabacloud.com
cloud.huawei.com
cloud.tencent.com
vultr.com
aws.amazon.com
portal.azure.com
digitalocean.com
console.scaleway.com
hetzner.com
linode.com
oracle.com
rackspace.com
phoenixnap.com
leaseweb.com
sso.ctl.io
ctl.io
lumen.com
paypal.com
WW_P_7
WW_P_8
https://
WW_P_
WW_P_1
links
ezstat.ru/1BfPg7
USA_1
iplis.ru/1BX4j7.png
iplis.ru/1BV4j7.mp4
USA_2
iplogger.org/1nkuM4.jpeg
iplis.ru/1BNhx7.mp3
iplis.ru/1pRXr7.txt
SetIncrement|ww_starts
false
iplis.ru/1S2Qs7.mp3
iplis.ru/1S3fd7.mp3
iplis.ru/17VHv7.mp3
iplis.ru/1GLDc7.mp3
iplis.ru/1xDsk7.mp3
iplis.ru/1xFsk7.mp3
WW_OPERA
iplis.ru/1GCuv7.pdf
iplis.ru/1lmex.mp3
iplis.ru/1Gemv7.mp3
WW_10
iplis.ru/1Gymv7.mp3
WW_11
iplis.ru/1tqHh7.mp3
WW_12
iplis.ru/1aFYp7.mp3
WW_13
iplis.ru/1cC8u7.mp3
WW_14
iplis.ru/1cN8u7.mp3
WW_15
iplis.ru/1kicy7.mp3
iplis.ru/1BMhx7.mp3
WW_16
iplis.ru/1edLy7.png
WW_17
iplis.ru/1nGPt7.png
WW_P_2
iplis.ru/1Bshv7.mp3
WW_P_3
iplis.ru/1Lgnh7.mp3
WW_P_4
iplis.ru/1vt8c7.mp3
WW_P_5
iplis.ru/1IcfD.mp3
WW_P_6
iplis.ru/1eXqs7.mp3
iplis.ru/1Unzy7.mp3
WW_18
iplis.ru/12hYs7.mp3
WW_19
iplis.ru/12d8d7.mp3
WW_20
iplis.ru/1Uvgu7.mp3
WW_21
iplis.ru/1jvTz7.mp3
browsers
Chrome:
Edge:
os_country_code
ip_country
AddExtensionStat|
net_country_code
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
https://vk.com/doc746114504_647280734?hash=Doz4iot4bg0WOvZC8ZMInERV5U1fmjrKZZhl7jf6wBE&dl=G42DMMJRGQ2TANA:1661413506:vGfIf9YivGqE9gd11wvm9KZLzv9DMwdM9Wp0LmcsAhz&api=1&no_preview=1
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://91.241.19.125/pub.php?pub=one
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
http://mnbuiy.pw/adsli/note8876.exe
http://sarfoods.com/index.php
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
https://iplogger.org/2BTmf7
https://iplogger.org/2BAmf7
https://iplogger.org/2BDmf7
https://iplogger.org/2BFmf7
https://iplogger.org/2s2pg6
https://iplogger.org/2s3pg6
https://iplogger.org/2s4pg6
https://iplogger.org/2s5pg6
https://iplogger.org/2s6pg6
https://iplogger.org/2s7pg6
crypto_wallets
domain
bank_wallets
cu_bank_wallets
shop_wallets
bank_au_wallets
amazon_eu
webhosts
paypal
bank_ca_wallets
browser_vbmt
GetCryptoSleeping
45.15.156.229
85.208.136.10
94.142.138.131
94.142.138.113
208.67.104.60
cryptoWallets
status
bankWallets
cuBankWallets
shops
bankAUWallets
bankCAWallets
cryptoWallets_part1
cryptoWallets_part2
bankWallets_part1
bankWallets_part2
bankMXWallets
cryptoGames
bankPKWallets
bankESWallets
SetLoaderAnalyze|
SetIncrement|not_elevated
WinHttpConnect
WinHttpQueryHeaders
WinHttpOpen
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpCloseHandle
WinHttpSetTimeouts
InternetOpenA
InternetSetOptionA
HttpOpenRequestA
InternetConnectA
InternetOpenUrlA
HttpQueryInfoA
InternetQueryOptionA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
(PID) Process(120) R5HoX6DekP78Dzdme2dyiJty.exe
C2 (1): 1.1.1.1
Attributes
Payload (1): RisePro Telegram: https://t.me/RiseProSUPPORT
Strings (221): RisePro Telegram: https://t.me/RiseProSUPPORT
(PID) Process(3808) ojV0JrxnSblsaOx9Devk9uUU.exe
C2 (8): http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
45.15.156.229
94.131.106.196
5.181.80.133
94.142.138.131
94.142.138.113
208.67.104.60
Attributes
Payload (36): https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
Strings (823): Snowman+under_a_sn0wdrift_forgot_the_Snow_Maiden

Amadey

(PID) Process(4024) pdates.exe
C2 (1): http://77.91.68.61
Version: 3.86
Options
Drop directory: S-%lu-
Drop name: %-lu
Strings (119): -%lu

RedLine

Process: (PID 3308) Rwxly.exe
C2 (1): 46.149.77.25:8599
Botnet: 12
Err_msg:
Auth_value: c46d7c526a45729e5f4c39fca6e505c1
US (14):
net.tcp://
/
localhost
c46d7c526a45729e5f4c39fca6e505c1
Authorization
ns1
AyU3ESwmOFspGS5SIg4oQyYEAkICNQVZ
ADUnWQ==
Mandarines
Process: (PID 3184) LsVVLk6Q1eT5PlFVIJKbBmAD.exe
C2 (1): 185.225.74.51:44767
Botnet: rt234
Err_msg:
Auth_value: 2072b7d82b626e586e10513f81db6ca9
US (14):
net.tcp://
/
localhost
2072b7d82b626e586e10513f81db6ca9
Authorization
ns1
ACEEXiUOBAwtPF1XAzZXXiQwIkUtKwpWAwJeUg==
LhsyFiQeHEg=
Mucoid
Process: (PID 3012) gkcQkWMasTFMI_T_QznizcEC.exe
C2 (1): 176.123.9.85:16482
Botnet:
Err_msg: YT&TEAM LOGS
Auth_value: 63cc484234216dace4114bc03617721b
US (137):
Search
Reflection
Ammo
Function
Info
Roaming
UNKNOWN
cFileStreamredFileStreamit_cFileStreamardFileStreams
FileStream
\
ToString
os_crypt
encrypted_key
Network\
Inner
Unknown
:
Read
Kill
Microsoft
GetDirectories
MSObject12
EnumerateDirectories
String.Replace
String.Remove
net.tcp://
/
localhost
63cc484234216dace4114bc03617721b
Authorization
ns1
ACEXRy0GLA00NEFBOQsLWDsTCEc6MQYV
GiMlGDcpPzYtHjc5IVEIPQ==
Mutuality
MSValue3
EnumerateFiles
ExpandEnvironmentVariables
MSValue2
MSValue1
FullName
Replace
Directory
wa
l
et
d
a
t
.
*wallet*
_
T
e
gr
am
ex
\TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata
Environment
\Discord\Local Storage\leveldb
*.loSystem.Collections.Genericg
System.Collections.Generic
1
String
MyG
string.Replace
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl
serviceInterface.Extension
ProldCharotonVoldCharPN
oldChar
nSystem.CollectionspvoSystem.Collections*
System.Collections
EngSubs
ElevatedDiagnostics\Reports
-
AddRange
%
(
UNIQUE
"
FileStream.IO
string.Empty
uint
UnmanagedType
hKey
pszProperty
Encoding
bMasterKey
{0}
|
https://api.ip.sb/ip
80
81
0.0.0.0
SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor
System.Windows.Forms
roSystem.Linqot\CISystem.LinqMV2
System.Linq
SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller
AdapterRAM
Name
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente
System.Management
SerialNumber
SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId='
System.Text.RegularExpressions
'
FileSystem
SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId='
System.
ExecutablePath
[
]
Concat0 MConcatb oConcatr Concat0
Concat
SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem
Memory
{0}{1}{2}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
_[

GCleaner

Process: (PID 352) FJSpacer727.exe
C2 (4): 45.12.253.56, 45.12.253.72, 45.12.253.98, 45.12.253.75
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 143
Monitored processes: 88
Malicious processes: 44
Suspicious processes: 7

Behavior graph

[Behavior graph: interactive process tree, available in the full report. Nodes tagged by detected family: PrivateLoader (file.exe, 8pfshrvyh5mfvaoimo7gxtif.exe, hxgpspimyzgulj4b1yb_ldsv.exe, r5hox6dekp78dzdme2dyijty.exe, ojv0jrxnsblsaox9devk9uuu.exe, zofv32kal39s4m0d2meeupfl.exe, vqqi2ktay7mhw6lto7zp_ud7.exe); Fabookie (dvnxvnz2mo1srhahzmgycmzn.exe); RedLine (brzu4woqln7pt86wtxzkszbq.exe, cnwaoxsbzjk8jle0dtvq4hfv.exe, v0ftatds3qwsbtygmbdmnu9w.exe, q0u87.exe, d1674499.exe, rwxly.exe, applaunch.exe, lsvvlk6q1et5plfvijkbbmad.exe, gkcqkwmastfmi_t_qznizcec.exe, pgcu43d1tyixcryvumhpsskc.exe); Arkei (yxrwall2kikfalf5fh2gv7sp.exe, applaunch.exe, vo1i.exe); GCleaner (fjspacer727.exe); Amadey (pdates.exe); Vidar (applaunch.exe); Smoke (explorer.exe).]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 120
CMD: "C:\Users\admin\Pictures\Minor Policy\R5HoX6DekP78Dzdme2dyiJty.exe"
Path: C:\Users\admin\Pictures\Minor Policy\R5HoX6DekP78Dzdme2dyiJty.exe
Parent process: File.exe
User: admin
Company: Microsoft
Integrity Level: HIGH
Description: Microsoft Office Installer
Exit code: 0
Version: 1.0.0.1
Modules (images):
c:\users\admin\pictures\minor policy\r5hox6dekp78dzdme2dyijty.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PrivateLoader
Process: (PID 120) R5HoX6DekP78Dzdme2dyiJty.exe
C2 (1): 1.1.1.1
Attributes:
Payload (1): RisePro Telegram: https://t.me/RiseProSUPPORT
Strings (221):
RisePro Telegram: https://t.me/RiseProSUPPORT
\FileZilla
\FileZil6d&
\Plugins
IndexedDB
Local
\Wallets
\History
%s %llu `&
nickname
name_on_dzB
card_num`z&
last_fou
exp_mont&
exp_year
Name: %s Nickname: %s Month: %s Year: %s Card: %s Address: %s
value
%s %s
%s %s
\Cookies
secure
FALSE
%s %s %s %s %llu %s %s
login
password
profile
download_history
bhghoamapcdpbohphigoooaddinpkbai
Jaxx Liberty Extension
fihkakfobkmkjojpchpfgcmhfjnmnfpi
nkddgncdjgjfcddamfgcmfnlhccnimig
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
MathWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
NiftyWallet
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
Oxygen
PaliWallet
Bolt X
ForboleX
XDEFI Wallet
Maiar DeFi Wallet
KardiaChain
coin98
Terra
Harmony
Exodus_E
Keplr
Sollet
AuroWallet
PolymeshWallet
ICONex
EVER Wallet
Rabby
BraveWallet
WavesKeeper
Solflare
CyanoWallet
TezBox
Temple
Braavos wallet
Eth and Polk Web3 Wallet
OKX Wallet
Sender Wallet
Hashpack
Eternl
GeroWallet
Pontem Aptos Wallet
Petra Aptos Wallet
Opera Wallet
EMartian Aptos Wallet
Finnie
Leap Terra Wallet
Trust Wallet
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
Trezor Password Manager
logins
Web Data
autofill
History
Local State
cards
cookies
history
Login Data
]5u构\SeaMonkey
\K-Meleon
\Google\Chrome\U
\Battle.net
\Steam
ion\dium\User Data
\Cenaldi\User Data
\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
\CatalinaGroup\Citrio\User Data
\Comodo\Dragon\User Data
\Comdh\UUser Data
\CocCoc\Browser\User Data
\Uran\User Data
rule_folder
%DESKTOP%
%DOCUMENTS%
%APPDATA%
%RECENT%
\tdata
vaultcli.dll
VaultEnumerateItems
VaultEnumerateVaults
SELECT url FROM moz_places WHERE (`id` =
\cookies.sqlite
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory;
\Quantum_Certs
SELECT name FROM sqlite_master WHERE type='table';
0ogins
username
email
y%
e> Extension
erwdnLe=  N
Vleile
\Network
\Network
SELECT tab_url, target_path FROM downloads
SELECT action_url, origin_url, username_value, password_value FROM logins
api.myip.com
An uncaught exception occurred_ip0_1. The type was unknown so no information was available.
An uncaught exception occurred_ip0_2. The type was unknown so no information was available.
country
An uncaught exception occurred_ip1. The type was unknown so no information was available.
demoInfo
An uncaught exception occurred_ip2. The type was unknown so no information was available.
iso_code
names
An uncaught exception occurred_ip4:
An uncaught exception occurred_ip4. The type was unknown so no information was available.
1.1.1.1
DisableBehaviorMonitoring
VBoxSF
SYSTEM\CurrentControlSet\Services\vmhgfs
\atomic\Local Storage
\Atomic
\Electrum\wallets
\Electrum
\Exodus\exodus.wallet
\Exodus
\Electrum-LTC\wallets
\ElectrumLTC
\Monero
\com.liberty.jaxx
\IndexedDB
\Session Storage
\Jaxx\Local Storage
\Jaxx
\Coinomi\Coinomi\wallets
\Coinomi
\Armory
\WalletWasabi\Client\Wallets
\Wasabi
\Bither\bither.db
\Bither
\Binance
\Guarda
Dogecoin
Anoncoin
DashCore
Franko
Freicoin
IOCoin
Infinitecoin
Megacoin
Mincoin
Primecoin
YACoin
Zcash
devcoin
Litecoin
\wallet.dat
\wallets
\Authy
\information.txt
Unknown
WINHTTP.dll
WinHttpConnect
WinHttpQueryDataAvailable
WinHttpReceiveResponse
InternetSetOptionA
HttpOpenRequestA
InternetOpenUrlA
InternetQueryOptionA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
PID: 352
CMD: "C:\Program Files (x86)\FJSpacer727\FJSpacer727.exe"
Path: C:\Program Files (x86)\FJSpacer727\FJSpacer727.exe
Parent process: dTZq7JbnJ9ZJZLevGEut6vzU.exe.tmp
User: admin
Company: CWTuning Software
Integrity Level: HIGH
Description: WinTuning Auto Shutdown
Exit code: 0
Version: 1.2.7.27
GCleaner
Process: (PID 352) FJSpacer727.exe
C2 (4): 45.12.253.56, 45.12.253.72, 45.12.253.98, 45.12.253.75
PID: 764
CMD: "C:\Users\admin\Pictures\Minor Policy\qpvV5vyiay5KWARulh6wodYi.exe"
Path: C:\Users\admin\Pictures\Minor Policy\qpvV5vyiay5KWARulh6wodYi.exe
Parent process: File.exe
User: admin
Company: HPI
Integrity Level: HIGH
Description: Launches HP Installer.
Exit code: 0
Version: 5.0.3.9707
Modules (images):
c:\users\admin\pictures\minor policy\qpvv5vyiay5kwarulh6wodyi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 964
CMD: "C:\Users\admin\Pictures\Minor Policy\oKzd8P0fz39iNryDOgPSse1S.exe"
Path: C:\Users\admin\Pictures\Minor Policy\oKzd8P0fz39iNryDOgPSse1S.exe
Parent process: ZOfV32Kal39s4M0d2MeEupfL.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\pictures\minor policy\okzd8p0fz39inrydogpsse1s.exe
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
PID: 972
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1964.7.2102132650\969028662" -childID 5 -isForBrowser -prefsHandle 3960 -prefMapHandle 3968 -prefsLen 28807 -prefMapSize 242647 -jsInitHandle 900 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf503064-aef2-4d81-be78-209843c080f0} 1964 "\\.\pipe\gecko-crash-server-pipe.1964" 3948 22620658 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 115.0.2
Modules (images):
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\xul.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\nsi.dll
PID: 1224
CMD: CACLS "pdates.exe" /P "admin:R" /E
Path: C:\Windows\SysWOW64\cacls.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Control ACLs Program
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\syswow64\cacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 1376
CMD: C:\Windows\system32\RAServer.exe /offerraupdate
Path: C:\Windows\System32\raserver.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Remote Assistance COM Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\raserver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1380
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1964.6.2068945707\1100288274" -childID 4 -isForBrowser -prefsHandle 3816 -prefMapHandle 3820 -prefsLen 28807 -prefMapSize 242647 -jsInitHandle 900 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0f4181b-8dbc-46b6-9316-b07fe3fe2db0} 1964 "\\.\pipe\gecko-crash-server-pipe.1964" 3832 2261f758 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 115.0.2
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\ucrtbase.dll
PID: 1468
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\v1894336.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\v1894336.exe
Parent process: n4UD_1RkeTViEc_TLOPrIg7n.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Win32 Cabinet Self-Extractor
Exit code: 0
Version: 11.00.17763.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\ixp000.tmp\v1894336.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1468
CMD: "C:\Windows\System32\msiexec.exe" /Y .\F4GD.2
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: RX36NaoUm7ILsEsVJV2i8rK1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 2147943514
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
Total events: 34 224
Read events: 33 039
Write events: 1 092
Delete events: 93

Modification events

Process: (PID 1880) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000004329E97B6122001987843D096C8D7A04278E955BA77E90F0EC21D5D5110C6099000000000E8000000002000020000000979BE7A559B305B7CFE1C5A5F5F59641FC60FE2130924CA918663525F927FE5F30000000D041206B4D7669F5545B3619830833DC14F9F449298E4B7C310BBBF83CEC0952F599785F4280E6066545B563DEA47E8A40000000E0D17684D5528603741776DB5671F0B8DF327589EF3FB4B1A699172343201C10052A85BDBE5A2A1E74B751F0F987A3DC9F48BA562021363FAF8E9C8FFE10450F
Process: (PID 1964) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
0000000000000000
Process: (PID 1964) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
1
Process: (PID 1880) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: 308046O0NS4N39PO
Value:
00000000050000000A000000478E0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF301EC0CB9F2FD70100000000
Process: (PID 1880) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
Process: (PID 1964) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0
Process: (PID 1964) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
4600000096000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (PID 1964) firefox.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\155\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
Process: (PID 1880) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\155\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
Process: (PID 1964) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
Executable files: 90
Suspicious files: 467
Text files: 444
Unknown types: 32

Dropped files

PID | Process | Filename | Type
1964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\webappsstore.sqlite-wal |
MD5:
SHA256:
1964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\cookies.sqlite-wal | binary
MD5:A9F247CE54C5D4FD48B4F0A383F04617
SHA256:4032C3F66AAB58FAB0414E35ED115BAAB667C382050E4B35BACAF6179E9E31DC
1964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\compatibility.ini | text
MD5:C6998EF9E767E571FE74299C971B9C98
SHA256:69C387E1BE9E3C5A5BE3B767F5734E7E31755B67C3F6F409D175FB9265D53F2E
1964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\ls-archive-tmp.sqlite-shm | binary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\sessionCheckpoints.json | binary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
1964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | binary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20230710165010 | text
MD5:54B371CDF53423CFCDCF5DFC5CFC9824
SHA256:4DD87495E67B722F248A1128384D66C42F3D7F1A576A4F44A223887DE9613BCC
1964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\cookies.sqlite-shm | binary
MD5:5F5BBD22F5643B5C92C55002C6683D64
SHA256:6F939AEF7311E0D63A4B069E5CA4DAB108D5FCA1ADDD7E6C905E343240EF55D7
1964 | firefox.exe | C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json | binary
MD5:E812E56D0B6EDF84B4A0B959F53E239F
SHA256:D55B72651CD0C5B834EAA29BA778BE7EDC357C16163A77AE778DCD61E85C3582
1964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\nltxvmn2.default\storage.sqlite-journal | binary
MD5:1D7F1F97A96642B0005543400E917D00
SHA256:66E7AD97B004A478B8D5B6591B415E51513981D85E29DB8D750F3951D84E8F87
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 105
TCP/UDP connections: 247
DNS requests: 188
Threats: 334

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1964 | firefox.exe | GET | | 2.22.61.56:80 | http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip | unknown | | | whitelisted
1964 | firefox.exe | GET | | 2.22.61.56:80 | http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip | unknown | | | whitelisted
1964 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | US | text | 90 b | whitelisted
1964 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted
1964 | firefox.exe | POST | | 2.16.241.8:80 | http://r3.o.lencr.org/ | unknown | | | shared
1964 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | shared
1964 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | shared
1964 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
1964 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | shared
3284 | File.exe | GET | 200 | 94.142.138.113:80 | http://94.142.138.113/api/tracemap.php | RU | text | 15 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1964 | firefox.exe | 35.201.103.21:443 | normandy.cdn.mozilla.net | GOOGLE | US | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
1964 | firefox.exe | 103.92.235.17:443 | lineart.in | Ovi Hosting Pvt Ltd | IN | suspicious
1964 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
1964 | firefox.exe | 34.211.118.46:443 | shavar.services.mozilla.com | AMAZON-02 | US | unknown
1964 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | malicious
1964 | firefox.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1964 | firefox.exe | 34.117.237.239:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | suspicious
1964 | firefox.exe | 35.244.181.201:443 | aus5.mozilla.org | GOOGLE | US | suspicious
1964 | firefox.exe | 3.229.237.11:443 | spocs.getpocket.com | AMAZON-AES | US | unknown

DNS requests

Domain | IP | Reputation
lineart.in | 103.92.235.17 | suspicious
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
example.org | 93.184.216.34 | whitelisted
contile.services.mozilla.com | 34.117.237.239 | whitelisted
ipv4only.arpa | 192.0.0.171, 192.0.0.170 | whitelisted
spocs.getpocket.com | 3.229.237.11, 34.193.43.112, 3.229.85.40, 54.88.103.11 | shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com | 54.88.103.11, 3.229.85.40, 34.193.43.112, 3.229.237.11 | shared
firefox.settings.services.mozilla.com | 34.149.100.209 | whitelisted
prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | whitelisted

Threats

Class | Message
Malware Command and Control Activity Detected | ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
Device Retrieving External IP Address Detected | ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 8
Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
A Network Trojan was detected | ET MALWARE Single char EXE direct download likely trojan (multiple families)
Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
15 ETPRO signatures available at the full report
No debug info