Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

rU6YAgkoAw.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\ffmpeg.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libEGL.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libGLESv2.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\vk_swiftshader.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\build.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\ffmpeg.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\libEGL.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\libGLESv2.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\main.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\vk_swiftshader.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\vulkan-1.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\start.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

modified

C:\Users\user\AppData\Local\Temp\svchost (3).exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

dropped

C:\Users\user\AppData\Roaming\svchos.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost (3).exe_6b3b463e962e5c2699281581d7029176619de8_1f2af782_f4cf4be7-b06a-43e0-bb0f-166f851b48d0\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE36.tmp.dmp

Mini DuMP crash report, 16 streams, Thu Mar 28 16:04:41 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0A8.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC107.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rU6YAgkoAw.exe.log

CSV text

dropped

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\start.exe.log

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchos.exe.log

CSV text

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\LICENSE.electron.txt

ASCII text

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\LICENSES.chromium.html

HTML document, ASCII text

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\chrome_100_percent.pak

data

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\chrome_200_percent.pak

data

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\d3dcompiler_47.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\icudtl.dat

data

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\resources.pak

data

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\snapshot_blob.bin

data

dropped

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\v8_context_snapshot.bin

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\LICENSE.electron.txt

ASCII text

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\LICENSES.chromium.html

HTML document, ASCII text

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\chrome_100_percent.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\chrome_200_percent.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\d3dcompiler_47.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\icudtl.dat

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\af.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\am.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ar.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\bg.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\bn.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ca.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\cs.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\da.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\de.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\el.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\en-GB.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\en-US.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\es-419.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\es.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\et.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\fa.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\fi.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\fil.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\fr.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\gu.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\he.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\hi.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\hr.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\hu.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\id.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\it.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ja.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\kn.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ko.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\lt.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\lv.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ml.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\mr.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ms.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\nb.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\nl.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\pl.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\pt-BR.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\pt-PT.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ro.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ru.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\sk.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\sl.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\sr.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\sv.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\sw.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ta.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\te.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\th.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\tr.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\uk.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\ur.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\vi.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\zh-CN.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\locales\zh-TW.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\resources.pak

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\resources\app.asar

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\resources\elevate.exe

PE32 executable (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\snapshot_blob.bin

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\v8_context_snapshot.bin

data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\vk_swiftshader_icd.json

JSON data

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\app-64.7z

7-zip archive data, version 0.4

dropped

C:\Users\user\AppData\Local\Temp\nspBED4.tmp\nsis7z.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\tmpD46E.tmp.bat

DOS batch file, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\main\503039a5-5054-49bb-b89c-9fcea481f63f.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\main\Local State (copy)

JSON data

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

\Device\Null

ASCII text, with CRLF line terminators, with overstriking

dropped

There are 101 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\rU6YAgkoAw.exe

"C:\Users\user\Desktop\rU6YAgkoAw.exe"

C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe

"C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe"

C:\Users\user\AppData\Local\Temp\svchost (3).exe

"C:\Users\user~1\AppData\Local\Temp\svchost (3).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Users\user\AppData\Local\Temp\build.exe

"C:\Users\user~1\AppData\Local\Temp\build.exe"

C:\Users\user\AppData\Local\Temp\start.exe

"C:\Users\user~1\AppData\Local\Temp\start.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD46E.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"'

C:\Users\user\AppData\Roaming\svchos.exe

"C:\Users\user\AppData\Roaming\svchos.exe"

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe

C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe

"C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe

"C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\main" --mojo-platform-channel-handle=2148 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7424 -s 1184

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\timeout.exe

timeout 3

There are 8 hidden processes, click here to show them.

URLs

Name

Malicious

https://doh.cox.net/dns-querydot.cox.net68.105.28.1168.105.28.122001:578:3f::30

unknown

https://www.google.com/chrome/privacy/eula_text.htmlInasimamiwa

unknown

https://support.google.com/chrome/answer/6098869

unknown

https://dns10.quad9.net/dns-query

unknown

https://www.google.com/chrome/privacy/eula_text.html

unknown

https://chromium.dns.nextdns.io

unknown

http://www.unicode.org/copyright.html

unknown

https://doh.familyshield.opendns.com/dns-query

unknown

https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u

unknown

https://doh.cleanbrowsing.org/doh/security-filter

unknown

https://dns.google/dns-query

unknown

https://public.dns.iij.jp/

unknown

https://chrome.google.com/webstore?hl=el

unknown

https://passwords.google.comCompte

unknown

https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/Cloudflare

unknown

https://photos.google.com/settings?referrer=CHROME_NTP

unknown

https://doh.cox.net/dns-query

unknown

https://myactivity.google.com/

unknown

https://perfetto.dev/docs/contributing/getting-started#community).No

unknown

https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd

unknown

https://doh.quickline.ch/dns-query

unknown

https://www.nic.cz/odvr/

unknown

https://chrome-devtools-frontend.appspot.com/

unknown

https://developers.google.com/speed/public-dns/privacy

unknown

https://dns11.quad9.net/dns-query

unknown

https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/

unknown

https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl

unknown

https://passwords.google.comAkaunti

unknown

https://chromeenterprise.google/policies/#BrowserSwitcherUrlList

unknown

https://passwords.google.com

unknown

https://www.nic.cz/odvr/CZ.NIC

unknown

https://policies.google.com/

unknown

https://doh-02.spectrum.com/dns-query

unknown

https://www.google.com/chrome/privacy/eula_text.htmlGestionat

unknown

https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn

unknown

https://www.quad9.net/home/privacy/Quad9

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://perfetto.dev/docs/contributing/getting-started#community).

unknown

https://public.dns.iij.jp/IIJ

unknown

https://chromeenterprise.google/policies/#BrowserSwitcherEnabled

unknown

https://dns10.quad9.net/dns-querydns10.quad9.net9.9.9.10149.112.112.102620:fe::102620:fe::fe:10

unknown

https://chrome.google.com/webstore?hl=caS

unknown

https://cleanbrowsing.org/privacyCleanBrowsing

unknown

https://nextdns.io/privacy

unknown

https://odvr.nic.cz/doh

unknown

https://chrome.google.com/webstore/category/extensions

unknown

https://doh.cleanbrowsing.org/doh/family-filter

unknown

https://support.google.com/chromebook?p=app_intent

unknown

https://doh.xfinity.com/dns-query

unknown

https://alekberg.net/privacyalekberg.net

unknown

https://cleanbrowsing.org/privacy

unknown

https://www.quad9.net/home/privacy/

unknown

https://developers.google.com/speed/public-dns/privacyGoogle

unknown

https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0

unknown

https://dns64.dns.google/dns-query

unknown

http://upx.sf.net

unknown

https://doh.cleanbrowsing.org/doh/adult-filter

unknown

https://doh.opendns.com/dns-query

unknown

https://doh-01.spectrum.com/dns-query

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

https://dns.quad9.net/dns-query

unknown

https://www.cisco.com/c/en/us/about/legal/privacy-full.html

unknown

https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?u

unknown

https://dns.quad9.net/dns-querydns.quad9.netdns9.quad9.net9.9.9.9149.112.112.1122620:fe::fe2620:fe::

unknown

https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl

unknown

https://dns.sb/privacy/DNS.SBhttps://doh.dns.sb/dns-query

unknown

https://chrome.cloudflare-dns.com/dns-query

unknown

https://odvr.nic.cz/dohodvr.nic.cz185.43.135.1193.17.47.12001:148f:fffe::12001:148f:ffff::1

unknown

http://93.123.39.68/order.exe

93.123.39.68

https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC

unknown

https://public.dns.iij.jp/dns-query

unknown

https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist

unknown

https://chrome.google.com/webstore?hl=swUmeondoa

unknown

https://dns.sb/privacy/

unknown

https://doh.dns.sb/dns-query

unknown

https://support.google.com/chrome/a/?p=block_warn

unknown

https://alekberg.net/privacy

unknown

https://dnsnl.alekberg.net/dns-query

unknown

https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist

unknown

There are 69 hidden URLs, click here to show them.

Domains

Name

Malicious

leetboy.dynuddns.net

185.196.11.223

Details

Name:	leetboy.dynuddns.net
IP:	185.196.11.223
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

rentry.co

104.21.95.148

cosmicdust.zip

192.236.232.25

cosmoplanets.net

172.67.142.111

blue.o7lab.me

94.156.66.112

Details

Name:	blue.o7lab.me
IP:	94.156.66.112
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

windowsupdatebg.s.llnwi.net

69.164.0.128

IPs

Domain

Country

Malicious

185.196.11.223

leetboy.dynuddns.net

Switzerland

Details

IP:	185.196.11.223
TargetID:	32
Current Path:	C:\Users\user\AppData\Roaming\svchos.exe
Country:	Switzerland
Countrycode:	CHE
ASN number:	42624
ASN name:	SIMPLECARRIERCH
Private:	false
Domain:	leetboy.dynuddns.net

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

93.123.39.68

unknown

Bulgaria

Details

IP:	93.123.39.68
TargetID:	0
Current Path:	C:\Users\user\Desktop\rU6YAgkoAw.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

94.156.66.112

blue.o7lab.me

Bulgaria

Details

IP:	94.156.66.112
TargetID:	18
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	31420
ASN name:	TERASYST-ASBG
Private:	false
Domain:	blue.o7lab.me

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

192.236.232.25

cosmicdust.zip

United States

172.67.142.111

cosmoplanets.net

United States

104.21.95.148

rentry.co

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rU6YAgkoAw_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\ActiveMovie\devenum

Version