Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip (copy)
|
Zip archive data, at least v1.0 to extract, compression method=deflate
|
dropped
|
 |
|
|
C:\Users\user\AppData\Local\Temp\unarchiver.log
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDPluginSDK503.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDSDK503.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDSDK503.zip.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDSDKext503.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDTimePluginSDK503.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDToken503.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDToken503.zip.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDTokenDocs503.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDTokenDocs503.zip.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDTranslations503.zip
|
Zip archive data, at least v1.0 to extract, compression method=deflate
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDUSBSDK503.zip
|
Zip archive data, at least v1.0 to extract, compression method=deflate
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDUtils503.zip
|
Zip archive data, at least v1.0 to extract, compression method=deflate
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDUtils503.zip.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSASecurIDWebSDK503.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\RSAWebAgentTemplates.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SecurIDToken500Win_base_open_source_copyright_license_information.pdf.md5.rtf
|
ASCII text, with very long lines (327)
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SecurIDToken500Win_gplv3_open_source_copyright_license_information.pdf.md5.rtf
|
ASCII text, with very long lines (328)
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SecurIDToken500Win_quickstart.pdf.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SecurIDToken500Win_release_notes.pdf.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SecurIDToken501Win_release_notes.pdf.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SecurIDToken502Win_admin.pdf.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SecurIDToken502Win_release_notes.pdf.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\SoftwareTokenProvisioning_admin.pdf.md5.rtf
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay\testSDK.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\Downloads\88aafe29-d2bf-4362-aaf9-3d4001f95ec3.tmp
|
Zip archive data, at least v1.0 to extract, compression method=deflate
|
dropped
|
||
|
C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip.crdownload
|
Zip archive data, at least v1.0 to extract, compression method=deflate
|
dropped
|
There are 19 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Google\Chrome\Application\chrome.exe
|
"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
|
|
|
|
C:\Program Files\Google\Chrome\Application\chrome.exe
|
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US
--service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1880,i,8629211986149783283,5582461857598252456,262144
--disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction
/prefetch:8
|
|
|
|
C:\Program Files\Google\Chrome\Application\chrome.exe
|
"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://download.rsa.com/tokens/windows/RSASecurIDSoftwareToken5.0.3x64.zip"
|
|
|
|
C:\Windows\SysWOW64\unarchiver.exe
|
"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip"
|
||
|
C:\Windows\SysWOW64\7za.exe
|
"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xwtrs2ls.aay" "C:\Users\user\Downloads\RSASecurIDSoftwareToken5.0.3x64.zip"
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
142.250.186.35
|
unknown
|
United States
|
||
|
1.1.1.1
|
unknown
|
Australia
|
||
|
239.255.255.250
|
unknown
|
Reserved
|
||
|
108.138.26.32
|
unknown
|
United States
|
||
|
142.250.185.100
|
unknown
|
United States
|
||
|
192.168.2.4
|
unknown
|
unknown
|
||
|
142.250.185.238
|
unknown
|
United States
|
||
|
172.217.16.195
|
unknown
|
United States
|
||
|
66.102.1.84
|
unknown
|
United States
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2C7B000
|
trusted library allocation
|
page read and write
|
||
|
FE0000
|
heap
|
page read and write
|
||
|
4DFF000
|
stack
|
page read and write
|
||
|
6CC000
|
stack
|
page read and write
|
||
|
C70000
|
heap
|
page read and write
|
||
|
10F0000
|
heap
|
page execute and read and write
|
||
|
3C21000
|
trusted library allocation
|
page read and write
|
||
|
C0E000
|
stack
|
page read and write
|
||
|
F20000
|
trusted library allocation
|
page read and write
|
||
|
2C5C000
|
trusted library allocation
|
page read and write
|
||
|
523E000
|
stack
|
page read and write
|
||
|
F4C000
|
trusted library allocation
|
page execute and read and write
|
||
|
2C75000
|
trusted library allocation
|
page read and write
|
||
|
B5D000
|
stack
|
page read and write
|
||
|
2C5A000
|
trusted library allocation
|
page read and write
|
||
|
7C9000
|
stack
|
page read and write
|
||
|
513E000
|
stack
|
page read and write
|
||
|
C95000
|
heap
|
page read and write
|
||
|
12B0000
|
trusted library allocation
|
page execute and read and write
|
||
|
CC7000
|
heap
|
page read and write
|
||
|
C5E000
|
heap
|
page read and write
|
||
|
7EF50000
|
trusted library allocation
|
page execute and read and write
|
||
|
F40000
|
trusted library allocation
|
page read and write
|
||
|
10EF000
|
stack
|
page read and write
|
||
|
A30000
|
heap
|
page read and write
|
||
|
BC0000
|
heap
|
page read and write
|
||
|
2C6A000
|
trusted library allocation
|
page read and write
|
||
|
A85000
|
heap
|
page read and write
|
||
|
F77000
|
trusted library allocation
|
page execute and read and write
|
||
|
F32000
|
trusted library allocation
|
page execute and read and write
|
||
|
BA0000
|
heap
|
page read and write
|
||
|
CC0000
|
heap
|
page read and write
|
||
|
C50000
|
heap
|
page read and write
|
||
|
2C92000
|
trusted library allocation
|
page read and write
|
||
|
F1E000
|
stack
|
page read and write
|
||
|
C40000
|
heap
|
page read and write
|
||
|
F7B000
|
trusted library allocation
|
page execute and read and write
|
||
|
12C0000
|
heap
|
page read and write
|
||
|
F42000
|
trusted library allocation
|
page execute and read and write
|
||
|
4FBD000
|
stack
|
page read and write
|
||
|
C47000
|
heap
|
page read and write
|
||
|
2C83000
|
trusted library allocation
|
page read and write
|
||
|
2C50000
|
trusted library allocation
|
page read and write
|
||
|
4FFE000
|
stack
|
page read and write
|
||
|
F62000
|
trusted library allocation
|
page execute and read and write
|
||
|
BFE000
|
stack
|
page read and write
|
||
|
50FD000
|
stack
|
page read and write
|
||
|
C3E000
|
stack
|
page read and write
|
||
|
7CB000
|
stack
|
page read and write
|
||
|
2C86000
|
trusted library allocation
|
page read and write
|
||
|
12A0000
|
trusted library allocation
|
page read and write
|
||
|
2C8C000
|
trusted library allocation
|
page read and write
|
||
|
B9D000
|
stack
|
page read and write
|
||
|
537E000
|
stack
|
page read and write
|
||
|
A80000
|
heap
|
page read and write
|
||
|
F8F000
|
stack
|
page read and write
|
||
|
FBE000
|
stack
|
page read and write
|
||
|
2C21000
|
trusted library allocation
|
page read and write
|
||
|
F4A000
|
trusted library allocation
|
page execute and read and write
|
||
|
C2E000
|
heap
|
page read and write
|
||
|
E1E000
|
stack
|
page read and write
|
||
|
C80000
|
trusted library allocation
|
page read and write
|
||
|
C90000
|
heap
|
page read and write
|
||
|
BB0000
|
heap
|
page read and write
|
||
|
7C6000
|
stack
|
page read and write
|
||
|
C20000
|
heap
|
page read and write
|
||
|
4EBD000
|
stack
|
page read and write
|
||
|
2930000
|
trusted library allocation
|
page read and write
|
||
|
108F000
|
stack
|
page read and write
|
||
|
C2B000
|
heap
|
page read and write
|
||
|
CA0000
|
trusted library allocation
|
page read and write
|
||
|
2830000
|
heap
|
page read and write
|
||
|
F3A000
|
trusted library allocation
|
page execute and read and write
|
||
|
A5C000
|
stack
|
page read and write
|
||
|
4CFE000
|
stack
|
page read and write
|
||
|
A40000
|
heap
|
page read and write
|
||
|
F6A000
|
trusted library allocation
|
page execute and read and write
|
||
|
2C7E000
|
trusted library allocation
|
page read and write
|
||
|
527E000
|
stack
|
page read and write
|
There are 69 hidden memdumps, click here to show them.