Analysis Overview
| SHA256 | e138114de7be8b668de032a3bacf123dc855eead36d2765689c990cf1951771c |
Threat Level: Known bad
The file c3c4e97a92372bba5299301c96a20a15 was found to be: Known bad.
Malicious Activity Summary
Osiris
Executes dropped EXE
Reads user/profile data of local email clients
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
JavaScript code in executable
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2020-10-26 07:09 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2020-10-26 07:09 |
| Reported | 2020-10-26 07:37 |
| Platform | win7 |
| Max time kernel | 151s |
| Max time network | 147s |
| Command Line | |
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks installed software on the system
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1508 set thread context of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe |
| PID 1168 set thread context of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe | C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | "C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe" |
| C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | "C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe" |
| C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe | "C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe" |
| C:\Windows\SysWOW64\timeout.exe | timeout /T 10 /NOBREAK |
| C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe | "C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe" |
| C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2020-10-26 07:09 |
| Reported | 2020-10-26 07:37 |
| Platform | win10 |
| Max time kernel | 150s |
| Max time network | 151s |
| Command Line | |
Signatures
Osiris
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1kKgdlbttN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1kKgdlbttN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks installed software on the system
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3980 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe |
| PID 976 set thread context of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\1kKgdlbttN.exe | C:\Users\Admin\AppData\Local\Temp\1kKgdlbttN.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1kKgdlbttN.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1kKgdlbttN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe
"C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe"
Network
Files