Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
FakturaPDF.exe
|
PE32+ executable (console) x86-64, for MS Windows
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Roaming\windows2\adobe.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\windows2\pcicapi.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loca[1].htm
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\AudioCapture.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\CLIENT32.INI
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\HTCTL32.DLL
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\NSM.LIC
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\NSM.ini
|
Non-ISO extended-ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\PCICHEK.DLL
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\PCICL32.DLL
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\TCCTL32.DLL
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\msvcr100.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\nskbfltr.inf
|
Windows setup INFormation
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\windows2\nsm_vpro.ini
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\Downloads\a548abd1-cf3c-4579-93c3-c166c739b011.tmp
|
PDF document, version 1.6, 1 pages
|
dropped
|
||
|
C:\Users\user\Downloads\downloaded.pdf (copy)
|
PDF document, version 1.6, 1 pages
|
dropped
|
||
|
C:\Users\user\Downloads\downloaded.pdf.crdownload
|
PDF document, version 1.6, 1 pages
|
dropped
|
||
|
C:\Users\user\Downloads\ef70ca9d-439a-4153-aec7-5fb33aa59474.tmp
|
PDF document, version 1.6
|
dropped
|
||
|
Chrome Cache Entry: 131
|
PDF document, version 1.6, 1 pages
|
downloaded
|
||
|
Chrome Cache Entry: 132
|
HTML document, ASCII text
|
downloaded
|
There are 11 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\AppData\Roaming\windows2\adobe.exe
|
"C:\Users\user\AppData\Roaming\windows2\adobe.exe"
|
|
|
|
C:\Users\user\Desktop\FakturaPDF.exe
|
"C:\Users\user\Desktop\FakturaPDF.exe"
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\cmd.exe
|
"cmd" /C start https://sx.ytmv5.ru.com/Faktura.pdf
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Program Files\Google\Chrome\Application\chrome.exe
|
"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://sx.ytmv5.ru.com/Faktura.pdf
|
||
|
C:\Program Files\Google\Chrome\Application\chrome.exe
|
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US
--service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2032,i,5830766051537790093,8353723363880984051,262144
--disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction
/prefetch:8
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://51.38.106.86/fakeurl.htm
|
51.38.106.86
|
|
|
|
https://sx.ytmv5.ru.com/Faktura.pdf
|
|
||
|
https://sx.ytmv5.ru.com/Faktura.pdfL
|
unknown
|
|
|
|
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
|
unknown
|
||
|
http://www.netsupportsoftware.com
|
unknown
|
||
|
http://www.pci.co.uk/support
|
unknown
|
||
|
http://%s/testpage.htmwininet.dll
|
unknown
|
||
|
http://www.netsupportschool.com/tutor-assistant.asp118
|
unknown
|
||
|
https://sectigo.com/CPS0
|
unknown
|
||
|
http://geo.netsupportsoftware.com/location/loca.asp
|
172.67.68.212
|
||
|
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
|
unknown
|
||
|
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
|
unknown
|
||
|
http://ocsp.sectigo.com0
|
unknown
|
||
|
http://www.pci.co.uk/supportsupport
|
unknown
|
||
|
file:///C:/Users/user/Downloads/downloaded.pdf
|
|||
|
http://ocsp.thawte.com0
|
unknown
|
||
|
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
|
unknown
|
||
|
http://geo.netsupportsoftware.com/location/loca.asp;
|
unknown
|
||
|
http://geo.netsupportsoftware.com/location/loca.aspR
|
unknown
|
||
|
http://127.0.0.1RESUMEPRINTING
|
unknown
|
||
|
http://%s/testpage.htm
|
unknown
|
||
|
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
|
unknown
|
||
|
http://127.0.0.1
|
unknown
|
||
|
http://%s/fakeurl.htm
|
unknown
|
||
|
http://geo.netsupportsoftware.com/location/loca.asp&
|
unknown
|
||
|
https://sx.ytmv5.ru.com/windows_files.zip
|
unknown
|
||
|
http://crl.thawte.com/ThawteTimestampingCA.crl0
|
unknown
|
||
|
https://sx.ytmv5.ru.com/favicon.ico
|
109.123.227.60
|
||
|
http://geo.netsupportsoftware.com/location/loca.aspnd
|
unknown
|
||
|
https://sx.ytmv5.ru.com/windows_files.zipadobe.exeFailed
|
unknown
|
||
|
http://geo.netsupportsoftware.com/location/loca.asp4
|
unknown
|
||
|
http://www.netsupportschool.com/tutor-assistant.asp
|
unknown
|
||
|
http://geo.netsupportsoftware.com/location/loca.aspn
|
unknown
|
There are 23 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
sx.ytmv5.ru.com
|
109.123.227.60
|
|
|
|
geo.netsupportsoftware.com
|
172.67.68.212
|
||
|
www.google.com
|
142.250.186.132
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
192.168.2.6
|
unknown
|
unknown
|
|
|
|
51.38.106.86
|
unknown
|
France
|
|
|
|
109.123.227.60
|
sx.ytmv5.ru.com
|
Czech Republic
|
|
|
|
172.67.68.212
|
geo.netsupportsoftware.com
|
United States
|
||
|
192.168.2.16
|
unknown
|
unknown
|
||
|
192.168.2.5
|
unknown
|
unknown
|
||
|
239.255.255.250
|
unknown
|
Reserved
|
||
|
142.250.186.132
|
www.google.com
|
United States
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
20498F24000
|
heap
|
page read and write
|
||
|
11000
|
unkown
|
page execute read
|
||
|
1127A000
|
unkown
|
page readonly
|
||
|
CB9000
|
heap
|
page read and write
|
||
|
7FF76289D000
|
unkown
|
page write copy
|
||
|
11001000
|
unkown
|
page execute read
|
||
|
A10000
|
heap
|
page read and write
|
||
|
1190000
|
heap
|
page read and write
|
||
|
D32000
|
heap
|
page read and write
|
||
|
20498E8E000
|
heap
|
page read and write
|
||
|
7FF7626A1000
|
unkown
|
page execute and read and write
|
||
|
20498E8C000
|
heap
|
page read and write
|
||
|
6BDB0000
|
unkown
|
page readonly
|
||
|
10722000
|
unkown
|
page read and write
|
||
|
20498E4C000
|
heap
|
page read and write
|
||
|
11B0000
|
heap
|
page read and write
|
||
|
1180000
|
heap
|
page read and write
|
||
|
2A40000
|
heap
|
page read and write
|
||
|
10000
|
unkown
|
page readonly
|
||
|
6BD71000
|
unkown
|
page execute read
|
||
|
299E000
|
stack
|
page read and write
|
||
|
CED000
|
heap
|
page read and write
|
||
|
4E1F000
|
stack
|
page read and write
|
||
|
7FF7627FD000
|
unkown
|
page execute and write copy
|
||
|
20498E8B000
|
heap
|
page read and write
|
||
|
6FD74000
|
unkown
|
page read and write
|
||
|
D35000
|
heap
|
page read and write
|
||
|
CE2000
|
heap
|
page read and write
|
||
|
BE0000
|
heap
|
page read and write
|
||
|
4F1F000
|
stack
|
page read and write
|
||
|
11188000
|
unkown
|
page readonly
|
||
|
6FD81000
|
unkown
|
page execute read
|
||
|
20498EE7000
|
heap
|
page read and write
|
||
|
2049AE70000
|
heap
|
page read and write
|
||
|
C50000
|
heap
|
page read and write
|
||
|
C20000
|
heap
|
page read and write
|
||
|
D2F000
|
heap
|
page read and write
|
||
|
D27000
|
heap
|
page read and write
|
||
|
2B4E000
|
stack
|
page read and write
|
||
|
D3E000
|
heap
|
page read and write
|
||
|
D07000
|
heap
|
page read and write
|
||
|
20498F01000
|
heap
|
page read and write
|
||
|
34CA000
|
heap
|
page read and write
|
||
|
20498EEC000
|
heap
|
page read and write
|
||
|
6FD79000
|
unkown
|
page readonly
|
||
|
A00000
|
heap
|
page read and write
|
||
|
1130000
|
heap
|
page read and write
|
||
|
11B6000
|
heap
|
page read and write
|
||
|
20498E9C000
|
heap
|
page read and write
|
||
|
34C0000
|
heap
|
page read and write
|
||
|
6FCC0000
|
unkown
|
page readonly
|
||
|
7FF7628DB000
|
unkown
|
page write copy
|
||
|
111D5000
|
unkown
|
page read and write
|
||
|
A95000
|
heap
|
page read and write
|
||
|
20498EF0000
|
heap
|
page read and write
|
||
|
112F2000
|
unkown
|
page readonly
|
||
|
20498DD0000
|
heap
|
page read and write
|
||
|
7FF7627EB000
|
unkown
|
page execute and read and write
|
||
|
2E1E000
|
stack
|
page read and write
|
||
|
11000000
|
unkown
|
page readonly
|
||
|
CED000
|
heap
|
page read and write
|
||
|
20498EEC000
|
heap
|
page read and write
|
||
|
A90000
|
heap
|
page read and write
|
||
|
C6A000
|
heap
|
page read and write
|
||
|
1134000
|
heap
|
page read and write
|
||
|
20498EED000
|
heap
|
page read and write
|
||
|
347B000
|
stack
|
page read and write
|
||
|
6FD80000
|
unkown
|
page readonly
|
||
|
CEB000
|
heap
|
page read and write
|
||
|
6FCC1000
|
unkown
|
page execute read
|
||
|
7FF762877000
|
unkown
|
page write copy
|
||
|
7FF76289D000
|
unkown
|
page read and write
|
||
|
34C4000
|
heap
|
page read and write
|
||
|
D60000
|
heap
|
page read and write
|
||
|
6FD82000
|
unkown
|
page readonly
|
||
|
20498F00000
|
heap
|
page read and write
|
||
|
AA53AED000
|
stack
|
page read and write
|
||
|
D3A000
|
heap
|
page read and write
|
||
|
6FD84000
|
unkown
|
page readonly
|
||
|
CAC000
|
heap
|
page read and write
|
||
|
20498F00000
|
heap
|
page read and write
|
||
|
20498E77000
|
heap
|
page read and write
|
||
|
BF0000
|
heap
|
page read and write
|
||
|
2049AB70000
|
heap
|
page read and write
|
||
|
2E50000
|
heap
|
page read and write
|
||
|
AA541FE000
|
stack
|
page read and write
|
||
|
20498E10000
|
remote allocation
|
page read and write
|
||
|
D32000
|
heap
|
page read and write
|
||
|
2E34000
|
heap
|
page read and write
|
||
|
CC2000
|
heap
|
page read and write
|
||
|
20499085000
|
heap
|
page read and write
|
||
|
20498F00000
|
heap
|
page read and write
|
||
|
6BDB9000
|
unkown
|
page write copy
|
||
|
2A2E000
|
stack
|
page read and write
|
||
|
6FD83000
|
unkown
|
page read and write
|
||
|
F5F000
|
stack
|
page read and write
|
||
|
CDF000
|
heap
|
page read and write
|
||
|
C28000
|
heap
|
page read and write
|
||
|
117E000
|
stack
|
page read and write
|
||
|
20498E67000
|
heap
|
page read and write
|
||
|
AA542FF000
|
stack
|
page read and write
|
||
|
20498E10000
|
remote allocation
|
page read and write
|
||
|
A5E000
|
stack
|
page read and write
|
||
|
337F000
|
stack
|
page read and write
|
||
|
20498E40000
|
heap
|
page read and write
|
||
|
20498EEF000
|
heap
|
page read and write
|
||
|
CC2000
|
heap
|
page read and write
|
||
|
D35000
|
heap
|
page read and write
|
||
|
20498E76000
|
heap
|
page read and write
|
||
|
AA53AE1000
|
stack
|
page read and write
|
||
|
7FF762875000
|
unkown
|
page execute and write copy
|
||
|
CDB000
|
heap
|
page read and write
|
||
|
20498E8F000
|
heap
|
page read and write
|
||
|
CBE000
|
heap
|
page read and write
|
||
|
11000
|
unkown
|
page execute read
|
||
|
CC1000
|
heap
|
page read and write
|
||
|
10714000
|
unkown
|
page read and write
|
||
|
AA53AFC000
|
stack
|
page read and write
|
||
|
2E44000
|
heap
|
page read and write
|
||
|
109D000
|
stack
|
page read and write
|
||
|
112A6000
|
unkown
|
page readonly
|
||
|
10712000
|
unkown
|
page write copy
|
||
|
2049AB71000
|
heap
|
page read and write
|
||
|
111EA000
|
unkown
|
page readonly
|
||
|
10724000
|
unkown
|
page readonly
|
||
|
20498E9C000
|
heap
|
page read and write
|
||
|
CC1000
|
heap
|
page read and write
|
||
|
CD7000
|
heap
|
page read and write
|
||
|
20498E79000
|
heap
|
page read and write
|
||
|
D35000
|
heap
|
page read and write
|
||
|
20498E79000
|
heap
|
page read and write
|
||
|
10701000
|
unkown
|
page execute read
|
||
|
2049AC70000
|
heap
|
page read and write
|
||
|
20498EF0000
|
heap
|
page read and write
|
||
|
20498EF5000
|
heap
|
page read and write
|
||
|
D43000
|
heap
|
page read and write
|
||
|
CFF000
|
heap
|
page read and write
|
||
|
CDB000
|
heap
|
page read and write
|
||
|
20498E67000
|
heap
|
page read and write
|
||
|
7FF7626A0000
|
unkown
|
page readonly
|
||
|
2D50000
|
unclassified section
|
page read and write
|
||
|
20498E76000
|
heap
|
page read and write
|
||
|
20498DA0000
|
heap
|
page read and write
|
||
|
10700000
|
unkown
|
page readonly
|
||
|
20498E46000
|
heap
|
page read and write
|
||
|
BD0000
|
heap
|
page read and write
|
||
|
D3A000
|
heap
|
page read and write
|
||
|
20498EEB000
|
heap
|
page read and write
|
||
|
2C4E000
|
stack
|
page read and write
|
||
|
20498F00000
|
heap
|
page read and write
|
||
|
7FF7628DB000
|
unkown
|
page read and write
|
||
|
7FF7626A0000
|
unkown
|
page readonly
|
||
|
D2F000
|
heap
|
page read and write
|
||
|
12000
|
unkown
|
page readonly
|
||
|
2049AC71000
|
heap
|
page read and write
|
||
|
2D4E000
|
stack
|
page read and write
|
||
|
6FD76000
|
unkown
|
page write copy
|
||
|
6BD70000
|
unkown
|
page readonly
|
||
|
2E30000
|
heap
|
page read and write
|
||
|
2E40000
|
heap
|
page read and write
|
||
|
D22000
|
heap
|
page read and write
|
||
|
D00000
|
heap
|
page read and write
|
||
|
111E4000
|
unkown
|
page read and write
|
||
|
20498DB0000
|
heap
|
page read and write
|
||
|
CDB000
|
heap
|
page read and write
|
||
|
20498F24000
|
heap
|
page read and write
|
||
|
D24000
|
heap
|
page read and write
|
||
|
20499080000
|
heap
|
page read and write
|
||
|
10000
|
unkown
|
page readonly
|
||
|
501E000
|
stack
|
page read and write
|
||
|
6BDBA000
|
unkown
|
page read and write
|
||
|
C25000
|
heap
|
page read and write
|
||
|
D27000
|
heap
|
page read and write
|
||
|
10DB000
|
stack
|
page read and write
|
||
|
D32000
|
heap
|
page read and write
|
||
|
12000
|
unkown
|
page readonly
|
||
|
34BC000
|
stack
|
page read and write
|
||
|
6BDC0000
|
unkown
|
page readonly
|
||
|
CE4000
|
heap
|
page read and write
|
||
|
111E000
|
stack
|
page read and write
|
||
|
7FF7627ED000
|
unkown
|
page execute and read and write
|
||
|
20498F00000
|
heap
|
page read and write
|
||
|
D49000
|
heap
|
page read and write
|
||
|
D03000
|
heap
|
page read and write
|
||
|
CFE000
|
heap
|
page read and write
|
||
|
D00000
|
heap
|
page read and write
|
||
|
9F0000
|
heap
|
page read and write
|
||
|
552E000
|
stack
|
page read and write
|
||
|
20498E69000
|
heap
|
page read and write
|
||
|
12000
|
unkown
|
page readonly
|
||
|
1124E000
|
unkown
|
page readonly
|
||
|
7FF762876000
|
unkown
|
page execute and read and write
|
||
|
562F000
|
stack
|
page read and write
|
||
|
6BDBE000
|
unkown
|
page read and write
|
||
|
7FF762873000
|
unkown
|
page execute and read and write
|
||
|
2E59000
|
heap
|
page read and write
|
||
|
20498E10000
|
remote allocation
|
page read and write
|
||
|
2049AFF2000
|
heap
|
page read and write
|
||
|
D3E000
|
heap
|
page read and write
|
||
|
889000
|
stack
|
page read and write
|
||
|
C60000
|
heap
|
page read and write
|
||
|
10710000
|
unkown
|
page readonly
|
||
|
C6E000
|
heap
|
page read and write
|
||
|
20498E9B000
|
heap
|
page read and write
|
||
|
20498EFC000
|
heap
|
page read and write
|
||
|
20498F24000
|
heap
|
page read and write
|
||
|
D21000
|
heap
|
page read and write
|
||
|
98B000
|
stack
|
page read and write
|
||
|
29EC000
|
stack
|
page read and write
|
||
|
AA53BFF000
|
stack
|
page read and write
|
||
|
511D000
|
stack
|
page read and write
|
||
|
D27000
|
heap
|
page read and write
|
||
|
7FF762877000
|
unkown
|
page read and write
|
||
|
D2C000
|
heap
|
page read and write
|
There are 204 hidden memdumps, click here to show them.
DOM / HTML
|
URL
|
Malicious
|
|
|---|---|---|
|
https://sx.ytmv5.ru.com/Faktura.pdf
|
|
|
|
file:///C:/Users/user/Downloads/downloaded.pdf
|
||
|
file:///C:/Users/user/Downloads/downloaded.pdf
|