Analysis Overview
SHA256
2051799f92fd036d6e1c8a9c06a4aea85a9509214cd0623c0df2fe62bd99986b
Threat Level: Known bad
The file 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot Payload
CryptBot
Danabot
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
Delays execution with timeout.exe
Modifies system certificate store
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-13 18:56
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-13 18:56
Reported
2021-05-13 19:00
Platform
win10v20210410
Max time kernel
150s
Max time network
137s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Danabot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GehhlV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dhwefecxurd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GehhlV.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\foler\olader\acppage.dll | C:\Users\Admin\AppData\Local\Temp\GehhlV.exe | N/A |
| File created | C:\Program Files (x86)\foler\olader\adprovider.dll | C:\Users\Admin\AppData\Local\Temp\GehhlV.exe | N/A |
| File created | C:\Program Files (x86)\foler\olader\acledit.dll | C:\Users\Admin\AppData\Local\Temp\GehhlV.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Windows\SysWOW64\WScript.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
"C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GehhlV.exe"
C:\Users\Admin\AppData\Local\Temp\GehhlV.exe
"C:\Users\Admin\AppData\Local\Temp\GehhlV.exe"
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c IEupGZtiGuhYLuXTzhQLTFqwaOOuZUNPiXjCGSSBCwddKCJqvZSswXKrDtQRkYoManQNUcjBcfoRgKsQyNJZwvOljoY
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wqfETEXjLVywMsVMOSOTMqMbfoKWJGBLvKmxZEYKNytlIHjJAevzxyPwgRfKUwCyxxEeSBMpUtuHVBPHVqcHl
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\jINZmHHD & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ssVbyofhQLCZQhelRYdjmfZiuNwIO
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c FVUjrhucvEUGgxyWLCELpvsYHwsOsauGnWuHtDlPrcCLsSwFepwmtrKoDWEwWartbgisgbRisOINUFGOqMMidHCcjXtiYpSKsngrLJsEaUifxWgYdQwpGWNQLLydzJooVXvv
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c DrdciOcmhwdIyRoiJtcKnsZEqkIMZzbASGMMKOmiadnKOHhRZqjSqLSj
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c LxVuJATDQQnycvUFhso
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c fQaXQMYuEmuOmJZzDwIPFuYQOMEDahNzKxNVeXfXCNZdKKFMbBwkJzhoRBptoxOdLMryVrsFMLjSiHuriRuQkBKsuFtAOlPiYIEYHmQzlvmXucwpcyXdgXylwLZdZQRBW
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c TmeovHqMGPeMkLDUyIhnSqDx
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c VAAzzFXwqBCuhJffCsfigAhMyLogbjSVIkAiAahlyLlpwORYXpdJhjHcjNgHvIDOJGnepoOpryeDftLdTpdgWpIcDtUNrFNvovAxfPPPxuFiltuieXNhafRmYenthwunsGcSEdqtxBUQ
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c AknYMKyRArSEqvhdKBaqiQDJhDLWJTRcwWbRquBdqGRDCgDUNNJZBQcKHOLoZooHjbDtYcdEqwZBYqiYqQpVpRTkA
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c lkcadRbldtLnWavyZmQULHHMopZjbxEsDkkypIKirOJrhBUQmrSzcGwDEIpiSkMVmzVKisWsOIQXXDnHgpNxClWXpIBAnDfSeNDUGpJiiBFMPrFqlCS
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bazfbXAmPvSkzXVpqEqyAFjwFloyeBdWKGcJxhvJIpsLIzaRovZFBNoRyaKhPcvgyWBMCkOMisvdhBakRdXFBKxXbDEeDpThNrFMSGf
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c HjnldSDDZncnbRMcCDgYGMpXboClWFzlwqYfklGFZqetNxQWdplgsdfVeAMifzHzykbvTbpaXJZGKypeaGTMctSKLejKbnfGzIYCXxrTqSdIsJkXsJPImVYqaNLQlnUmzahwuGyYDqLDN
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c zwRgzNJGibKXlpIjIBXRgYvpRKEQympxhizJZV
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c iPNkPsovVfsspGVVxEHbJpS
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c HhfKeQYhMbQeBNHSIhIANoqNskYysncXWjDCwbzydrEMQTxGXPOcAsNmhCzQRTWgwSyglyRlUCpKEhXbRai
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c JZbEntgmtCgbifLYOuvSXDBXoeVZEWZmLzEwxAPyQausgMDgCZIKVfEunmvcofUiDPLNLJDgddeFvlJcmHbFhg
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vPnDVrzXBbYNmqPCTcxxEhZJhPwWBSgUgkfYjyHkWzBibvlxKtDlTTZoPPfyebcIptmgKQfNNpnlMRkRFGkbgtqxki
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bQConYSYzXWKTOQvKcOcYDnmcjXxtryeD
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c SWkqqjUTSUJWsJbHdZvLlTseNjwbTfSTukWTkJcCBtLEQmUgWvNyFSbYFojNkvZCePPuMEvGEUpuiNjhaMBvBMggOYgevHsyypCqJ
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c BsquBLIsQRWZcnVCqfBBsOdxpWCtqYkkEElpvclCGbivybkTpCojnovNwFWEoDdRGKxRhLyFyYVTGTgLLJUnQYNcibiRnFzeidQcrzFnvCumhDuoslTmI
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c QTiOfHdCBoHxLdwvwNIQbnNnOoEJqH & LsYakXYEXnGEvHrLYMdqwJpJayIqurHBTfWeNYPnroKaRTsQKbGWKGReogZufXnUQtKuLqYZWRXSYRSnNRfJvKRhbTUnYJpyKQBNpkyJnGZSJZtscBabHPnujvIRumwhIRi & fygCMGlPKZDnPDrbdMnVscAMCgDZFMpS & VwdjPLwEIchTlwDvEWWzjQUFBZbrkpYPLHTBMlAqvdIqhTajZCwPjnEyuLKPhYamvbiDowJzcVWViUsIHkrJioDjeOcwmLNnXpDQMPtYSIzsCJXjzeowUJshUUAzGI & KonXYsBWRiyQmPjKzRpIbCMDgSfWRgKalPJotLYVRudTPTRnIpiBbZcovUJywFtCvNFKurGHShQskSOxqRgIipVlzBMpwSTkeNbwhiaECmIpptWDygylsvchScsFdvGZzEfn & MiTnJyHALwgEptMNJUFslpSQNguTIPEPnoaijLIsOMuzeqiaTjKKJulDgeLxYOSWbm & qLEBYjgDbrnNNiNZvyTysXPTpqh & ZUpWDTiHfLMnxCNAQfXhkOcRDzOeVLsXYWDDTBlTquKLzcLPlfeUequkna & pttLDzOmbYpGftthytKniHZRFJbUYPayBiwOVxisEWhQwINPYNwuNTjByhyUVTB & FryirfsKXaTlxoQWVIWkOjsHUmJIgjcKcFlXDGLJcdpcZwiXvoYhXdTzMnjEGIvKWoPOXSzfWjPbrWHTsLkygoNyMRktzirMUnnRj & ZEPIdKAvdQRzjUbdcOcKeuGgWPpeCEbQGZLGdFReEfAchqUofEeKcBdTXAMB & nTMaqMhoQZQXauMFkwWUqMXBNxtISJQTfAyvOejhHZmFjNecDhMnQGALVlFGHEdioWHSqdRpOIhqhafZaJtE & seJZzAEvGFeJsvfulchvCKizAbCVGhYAMpRTYSGQhMirlsVWZTigRixHVfmWXJQaGCWoFvoaOvpQCtooBGVMuKIEPpYIaKTEWPvIcNsDLPmxYEtRudxdNtjWTsacbmZrDETNHANOgaqdlg & lyiCwdCQSCAOrcWyjPvQzKdlFDGecrVLFLifdXXNwOwkuMKaajOAOnjAOXWnKmcPGPpahGPgRIOFJyrTShKpgxWunHBzwmrCa & EsCsyLvAJuJHQITeFvPjAkSeTFychaFjhvBMdAiYMOL & bRRSmYTGMuLamAnAGqjdAvzxiiMtfQmMAwEeOjWfnZAuKojPeHaLBcdqbvLakOsVGZSbVcLxtXRBWhJYUWeHnOltLEFsADrJHEALdPUHVYGEDOrlMNbfMJvRONMsQ & TATiTaMYIyexLAiGBXAxENuOXYiIWCeDQBtyLcULbOyahsXWKokPQcPyxtlVltey & nElcwUuePWQIOBFqk & OdhNxMZLGlZAzMZfONNBIhyMqnYbGDFUZyhOOLpbvdgVrgDtInNRhJfAkBMVNBtrEtBhnkAeDfysYlJLVUOiPNHfPMDhZgKUjldYNfFbYKgXEYCqRqZSNWhRbjbLIjrgElyNTKYGgsptmJKRl & vYgRifXmAARUOLHZaxSOiiwzEcMosOBGBuQtqNrQQzpnOxDnbmddZvxgXUhLCOiMZkaIUDZFdwXNXDFpSgLRbk & tLBiymshejbnDwUDUALZXmHszftThrffNEgXzcTuZNVBAtwiXLRsMkIFrpNQcbZYWiLYNXpnHEqpDuRfhWWCjYDCVJTpIrLBN & EazrxZBaJikmwXanCnBbMXEpettqQETncHBmVpCWwTgcdvHWRpAjqdpGNlqdVBCyhNrxcTCaVEcTJpSFvooGtGbybULLpjqAspiCzjAYHiscUdXEsxTNaVwGfYXBiQpJEVBAwfjpHlYW & 
wluXuzOahiciAhcfZQQXHRYPbDwoJyiXtshNQDwvcdsNuaAeQTIx & ZHlksADaFJiqnrpZHmcPzCsAkJteYsP & NOyJrCmrbtPHpNHfsrpxhEObdKqHcAzhTKjJYmVyZssgMKdbwPLVoxpoqIaaCRIXLCNmAYs & ircVhmKGxCGGPnynArJfiCDoJxDlWRWrbUNyZgVBXMYZkwihbgYvgwKEAhkSVAJDFCoVKqmjiiaxEDWIjdNISAOvpoEMerFvecxITjCbPMgiIfqXdDFFNwKyNMLCcN & tCVsopgOqOdSukHNUiHcmbZJwLgUuAZwwCl & MXSNeOFQboEUuYRxOsKHDjdbVzHmOgQDqrwWfTzKRojSuzOoJEhKSCqAHcSJuywoawTeXVyUYZPxqndBEmQlwuKneBf & wKDMutAyAMkNnaMTNGAoystHgRukdcZvGkTgcrhVYlqShrLJxRKvquOJFWbfXgPtMPijnnbKzEpUdjzkyvRmKDcmbpImFYXKcWynVnlWzqevXUzaCjpBbfzoxIPgPYyxGmnxu & fHjVyKAYCDQdWaOvjyCXthJWuxVIQbcYkHWCfClJHcykbmeMFpjzSpReXfOKPSotoStfcjiKVSfIibnHaoeGlwyePUEZNmUOhqrFcNszeCbZTpUARuaGQBUuMwmBHoXvYAxuzSjFR & C:\Windows\system32\cmd < Sta.vssm
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^hSpSigSzxLDGSondFTKDkxVhNUxDcdcqRWsJEwXjjqzRIWcClcFKPiZTXVtjTfXtfCOWROMEVndkqrEQnSaqLLlJWbMIWL$" Cui.vssm
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com
Accostarmi.exe.com c
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com c
C:\Users\Admin\AppData\Local\Temp\dhwefecxurd.exe
"C:\Users\Admin\AppData\Local\Temp\dhwefecxurd.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uluswhprg.vbs"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.EXE
C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.DLL,XDoiLDZ4BaQ=
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kuqfqsrpjcw.vbs"
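The process list above reads as a chain of living-off-the-land steps: `findstr /V /R "^<marker>$" Cui.vssm` strips a marker line out of a dropped file, `ping 127.0.0.1 -n 30` and `timeout 3` stall execution, the final `cmd /c rd /s /q ... & timeout 3 & del /f /q ...` removes the staging directory and the original sample, `rundll32` loads `DHWEFE~1.DLL` from the user's Temp directory with an odd export name, and `Accostarmi.exe.com c` runs a double-extension binary with a one-letter argument (the file `c` carries the same hashes as `Levandosi.vssm` in the Files section). The Python below is an added example, not part of the sandbox report: it runs those heuristics over command lines copied from the list above. The embedded sample lines are constructed input taken from this page; the rule names and the 10-second delay threshold are this example's own assumptions.

```python
"""Triage heuristics over sandbox process command lines.

Added example, not part of the Triage report above. Rule names and the delay
threshold are this example's own assumptions; the sample lines are copied
from the behavioral2 process list on this page.
"""
import re

# Constructed input: command lines taken from the process list on this page.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"',
    r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GehhlV.exe"',
    r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\jINZmHHD'
    r' & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"',
    r'findstr /V /R "^hSpSigSzxLDGSondFTKDkxVhNUxDcdcqRWsJEwXjjqzRIWcClcFKPiZTXVtjTfXtfCOWROMEVndkqrEQnSaqLLlJWbMIWL$" Cui.vssm',
    r'Accostarmi.exe.com c',
    r'ping 127.0.0.1 -n 30',
    r'C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.EXE',
    r'C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.DLL,XDoiLDZ4BaQ=',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uluswhprg.vbs"',
]

# Each rule is a name (assumed here) and a regex over the raw command line.
RULES = {
    # findstr /V /R "^<long random marker>$" <file>: drops the marker line from a
    # dropped file to rebuild a payload (the carved .vssm files above).
    "findstr_payload_carving": re.compile(r'findstr\s+/V\s+/R\s+"\^[A-Za-z0-9]{16,}\$"', re.I),
    # ping 127.0.0.1 -n N used as a sleep; the repeat count is captured.
    "loopback_ping_delay": re.compile(r'ping\s+127\.0\.0\.1\s+-n\s+(\d+)', re.I),
    # timeout followed by del /f /q: the sample deletes itself after a pause.
    "self_delete": re.compile(r'timeout\s+\d+\s*&\s*del\s+/f\s+/q', re.I),
    # rundll32 loading a DLL out of a user-writable Temp directory.
    "rundll32_temp_dll": re.compile(r'rundll32(\.exe)?\s+.*\\AppData\\Local\\Temp\\[^,\s]+\.DLL,', re.I),
    # double extension: an .exe renamed to .exe.com still runs as a PE.
    "exe_com_double_extension": re.compile(r'\b\S+\.exe\.com\b', re.I),
    # script host launched on a .vbs dropped in Temp.
    "wscript_temp_vbs": re.compile(r'wscript\.exe"?\s+"?[^"]*\\AppData\\Local\\Temp\\[^"]+\.vbs', re.I),
}


def triage(cmdlines, min_delay_seconds=10):
    """Return {rule_name: [matching command lines]} for every rule that fired.

    A loopback ping shorter than min_delay_seconds is treated as benign noise
    (threshold is an assumption of this example, not from the report).
    """
    hits = {name: [] for name in RULES}
    for line in cmdlines:
        for name, rx in RULES.items():
            match = rx.search(line)
            if not match:
                continue
            if name == "loopback_ping_delay" and int(match.group(1)) < min_delay_seconds:
                continue
            hits[name].append(line)
    return {name: lines for name, lines in hits.items() if lines}


if __name__ == "__main__":
    for name, lines in triage(SAMPLE_CMDLINES).items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line[:110])
```

Run against the lines above, every rule fires once except `rundll32_temp_dll`, which matches both rundll32 invocations (the `,Z` export and the base64-looking `,XDoiLDZ4BaQ=` one); a `ping 127.0.0.1 -n 2` alone returns nothing.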
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | remdny42.top | udp |
| N/A | 34.86.24.123:80 | remdny42.top | tcp |
| N/A | 8.8.8.8:53 | morpgr04.top | udp |
| N/A | 35.233.146.63:80 | morpgr04.top | tcp |
| N/A | 8.8.8.8:53 | sulnom06.top | udp |
| N/A | 35.245.17.142:80 | sulnom06.top | tcp |
| N/A | 35.245.17.142:80 | sulnom06.top | tcp |
| N/A | 8.8.8.8:53 | STdhNwXWzEatZzwrHlyziLBmJ.STdhNwXWzEatZzwrHlyziLBmJ | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 8.8.8.8:53 | sosoprojects.com | udp |
| N/A | 45.91.67.130:80 | sosoprojects.com | tcp |
| N/A | 198.23.140.71:80 | 198.23.140.71 | tcp |
| N/A | 184.95.51.183:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | iplogger.org | udp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 184.95.51.175:443 | N/A | tcp |
| N/A | 192.210.198.12:443 | N/A | tcp |
| N/A | 184.95.51.180:443 | N/A | tcp |
| N/A | 205.185.216.42:80 | N/A | tcp |
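The Network table mixes three kinds of destinations: DNS queries to 8.8.8.8, public services the sample abuses (ip-api.com for the external-IP lookup flagged above, plus iplogger.org and 2no.co, which the table shows sharing 88.99.66.31), and the remaining hosts, including the three .top domains and several bare-IP TLS connections. The Python below is an added example, not part of the sandbox report: it parses the table rows (embedded as constructed input copied from this page), groups domains by the IP they resolved to, and separates the shared services from addresses that can go straight onto a blocklist. Which hostnames count as shared services is this example's own assumption.

```python
"""Build a de-duplicated IOC list from a sandbox Network table.

Added example, not part of the Triage report above. The rows are copied from
the behavioral2 Network table; SHARED_SERVICES is this example's assumption.
"""

# Constructed input: rows copied from the Network table on this page.
NETWORK_ROWS = """\
| N/A | 8.8.8.8:53 | remdny42.top | udp |
| N/A | 34.86.24.123:80 | remdny42.top | tcp |
| N/A | 8.8.8.8:53 | morpgr04.top | udp |
| N/A | 35.233.146.63:80 | morpgr04.top | tcp |
| N/A | 8.8.8.8:53 | sulnom06.top | udp |
| N/A | 35.245.17.142:80 | sulnom06.top | tcp |
| N/A | 35.245.17.142:80 | sulnom06.top | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 8.8.8.8:53 | sosoprojects.com | udp |
| N/A | 45.91.67.130:80 | sosoprojects.com | tcp |
| N/A | 198.23.140.71:80 | 198.23.140.71 | tcp |
| N/A | 184.95.51.183:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | iplogger.org | udp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 205.185.216.42:80 | N/A | tcp |
"""

# Public services the sample abuses; blocking them outright breaks legitimate
# use, so their IPs are reported separately rather than blocklisted.
SHARED_SERVICES = {"ip-api.com", "iplogger.org", "2no.co"}
# Recursive resolvers: DNS traffic to them is not attacker infrastructure.
RESOLVERS = {"8.8.8.8"}


def parse_rows(text):
    """Yield (ip, port, domain_or_None, proto) from pipe-delimited table rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[1] == "Destination":
            continue  # blank line or header row
        _country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        # A missing domain, or one that merely repeats the IP, is a bare-IP connection.
        domain = None if domain in ("N/A", ip) else domain
        yield ip, int(port), domain, proto


def build_iocs(text):
    """Group observed domains by resolved IP and split blockable hosts from shared services."""
    by_ip = {}
    for ip, _port, domain, _proto in parse_rows(text):
        if ip in RESOLVERS:
            continue
        names = by_ip.setdefault(ip, set())
        if domain:
            names.add(domain)
    block_domains, block_ips, shared_ips = set(), set(), set()
    for ip, names in by_ip.items():
        if names & SHARED_SERVICES:
            shared_ips.add(ip)  # co-hosted with a public service: do not block the IP
            continue
        block_ips.add(ip)
        block_domains |= names
    return {
        "block_domains": sorted(block_domains),
        "block_ips": sorted(block_ips),
        "shared_service_ips": sorted(shared_ips),
        "by_ip": {ip: sorted(names) for ip, names in by_ip.items()},
    }


if __name__ == "__main__":
    iocs = build_iocs(NETWORK_ROWS)
    for ip, names in iocs["by_ip"].items():
        print(f"{ip:16} {', '.join(names) or '(bare IP)'}")
    print("block domains:", iocs["block_domains"])
    print("block IPs:", iocs["block_ips"])
    print("shared-service IPs (report, do not block):", iocs["shared_service_ips"])
```

The grouping is what makes the output safe to act on: 88.99.66.31 is dropped from the blocklist because two different hostnames land on it and one is a public redirector, whereas the three .top domains each resolve to their own cloud address and the bare-IP TLS connections are kept as IP indicators only.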
Files
memory/3972-115-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/3972-114-0x0000000002190000-0x0000000002271000-memory.dmp
memory/2152-116-0x0000000000000000-mapping.dmp
memory/2740-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GehhlV.exe
| MD5 | 0fb9fbf27b45086cba4d0a15874d3dee |
| SHA1 | 1fe439a37e9c0ca3e0e482fb0ae7b6a952aaa034 |
| SHA256 | c1fdb10bed225a17fa4ae546b604ecfed99d0d21ff30c7f00a56be36e0afa0c0 |
| SHA512 | 41fed73ba21d181c87731bfebcb3c0dcb4b7f6c3c1c73706bac24c7b90a4ef01b2a5e85c09f8541a6f7e4b795bcde54ac4b03be838525534c73e6ed82e29b456 |
\Users\Admin\AppData\Local\Temp\nsj4388.tmp\UAC.dll
| MD5 | adb29e6b186daa765dc750128649b63d |
| SHA1 | 160cbdc4cb0ac2c142d361df138c537aa7e708c9 |
| SHA256 | 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08 |
| SHA512 | b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada |
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
| MD5 | bd29fc84fee8bc98447357cf04a713cc |
| SHA1 | a39d55f64f00c21c63ae9ad2fa0f8afae1ed1e35 |
| SHA256 | 8f0db90c0106f6f180a4dd3213e34d84b1ffbb14bdb758282135690d7177d588 |
| SHA512 | f389ab08b7bbc3953a504ddcb6f27f2ff8ede6e04a4a0179961a84e88f5013fc3c10c614adf158147b22b1b5793762392fb59ba9021c5c85cb964920f146de36 |
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
| MD5 | 6c311fa5ed6a64505b088720ebf3b34e |
| SHA1 | 652824b7a1f61734950a9cba746b9f8c2603f3c2 |
| SHA256 | 16290f3297dc9101274d6f67d33b714948197fdb31f32e322d9240205212195a |
| SHA512 | ef0201e56722d950e4375c796d084f05eb7811227e483c83524637f50c5c0211ae7f7ec3994f6e559184fa73c43da6e5e70a0c8c5db606b0c064546a79696de4 |
memory/2372-123-0x0000000000000000-mapping.dmp
memory/2104-121-0x0000000000000000-mapping.dmp
memory/1848-127-0x0000000000000000-mapping.dmp
memory/3456-128-0x0000000000000000-mapping.dmp
memory/4072-129-0x0000000000000000-mapping.dmp
memory/8-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jINZmHHD\files_\SYSTEM~1.TXT
| MD5 | 63516ce8f886fdb92eb743f69aee96a7 |
| SHA1 | bbb39b5f15fa01ca7c432f4929608ff55a61d2c6 |
| SHA256 | b1417c58ee548d12a989d3904892bb8b193d01e55dfbb3ba08afc22ee87c3a29 |
| SHA512 | cd779b013bc70f2fe533e173d66e30841be404de222f2564b04f6c2a9ea4dd8d7940099e36adbb9195080b9ee38b55e014d700292dd425afc9233028eac6e9cd |
C:\Users\Admin\AppData\Local\Temp\jINZmHHD\files_\SCREEN~1.JPG
| MD5 | 532e149a1a83113069c2658c86ab09dc |
| SHA1 | 3fb52647cde8d12601901f59f0c4264daa241415 |
| SHA256 | 8bd8b5117d2349005e8369e6974450d0f4d827dc990ee34e1442a9cba1d8a6f4 |
| SHA512 | 1fbc793bf2b353e60a8f13c70138b6c9d779f6a72b5d2cfae20a0aee6792d20ae166cbbf3d24b246d91953cc747a8d7cd5488a71b81ca74b97cca3b08b0a84cd |
C:\Users\Admin\AppData\Local\Temp\jINZmHHD\FTHNWM~1.ZIP
| MD5 | 0d9d171d4a1245fafbb5cc365ea12f5f |
| SHA1 | 94900ef3149bb970b3034e11b1dd591a0c545d02 |
| SHA256 | d041163f35cfad45ca85ec799355cd2e554170238f9b87d97dcf5dd2f394f3e4 |
| SHA512 | 13c073320432c47be9d70276b7406c2c8183a0bc91cff1670e669371258834f9d3c67a87898f3d1e8b40e68dc39f338f6b87a46b3ae546e56e4987e5417cc60c |
C:\Users\Admin\AppData\Local\Temp\jINZmHHD\_Files\_INFOR~1.TXT
| MD5 | 8afcfa153a909c214fd7e501ccaa66f7 |
| SHA1 | 671aadb4efe8a31d1f5a2bcd4953707b469a3315 |
| SHA256 | af95d4674b129c548a2fec22c56fab86df0962fa3676319266fd498ef697f5c0 |
| SHA512 | 5a50edd51fced143d5bfec733d3c016090af00509d73670a353d16f0ba282e969cac691ee19dab2f907a665d00ff461c984d250080cd687fa9888a22bdf5e352 |
C:\Users\Admin\AppData\Local\Temp\jINZmHHD\_Files\_SCREE~1.JPE
| MD5 | 532e149a1a83113069c2658c86ab09dc |
| SHA1 | 3fb52647cde8d12601901f59f0c4264daa241415 |
| SHA256 | 8bd8b5117d2349005e8369e6974450d0f4d827dc990ee34e1442a9cba1d8a6f4 |
| SHA512 | 1fbc793bf2b353e60a8f13c70138b6c9d779f6a72b5d2cfae20a0aee6792d20ae166cbbf3d24b246d91953cc747a8d7cd5488a71b81ca74b97cca3b08b0a84cd |
C:\Users\Admin\AppData\Local\Temp\jINZmHHD\WPUQNV~1.ZIP
| MD5 | d79b771233e7d3653fbabc21159551d9 |
| SHA1 | 9eb0818287a19111a81c9a9670371d93445be29f |
| SHA256 | 55be9a519b37a0a8fc8a6e1a5384c6514c1b2a9f02cac39d4c24aa58701283dd |
| SHA512 | b98d20f62666fa43ea1f06c5b14567c0ceec03708a36689c9926e321f0049bbef0eb7e0358026f719a885135bbb555c608106dcbbde63ea91bc95ef691bdee19 |
memory/3864-137-0x0000000000000000-mapping.dmp
memory/3852-138-0x0000000000000000-mapping.dmp
memory/1060-139-0x0000000000000000-mapping.dmp
memory/1704-140-0x0000000000000000-mapping.dmp
memory/1844-141-0x0000000000000000-mapping.dmp
memory/4080-142-0x0000000000000000-mapping.dmp
memory/3608-143-0x0000000000000000-mapping.dmp
memory/1056-144-0x0000000000000000-mapping.dmp
memory/3948-145-0x0000000000000000-mapping.dmp
memory/1224-146-0x0000000000000000-mapping.dmp
memory/2588-147-0x0000000000000000-mapping.dmp
memory/2284-148-0x0000000000000000-mapping.dmp
memory/3572-149-0x0000000000000000-mapping.dmp
memory/3972-150-0x0000000000000000-mapping.dmp
memory/1176-151-0x0000000000000000-mapping.dmp
memory/3952-152-0x0000000000000000-mapping.dmp
memory/612-153-0x0000000000000000-mapping.dmp
memory/2384-154-0x0000000000000000-mapping.dmp
memory/1812-155-0x0000000000000000-mapping.dmp
memory/4020-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.vssm
| MD5 | 78c1f7fd878aa3bac159fcbf2fa59238 |
| SHA1 | 309c32a10a06d6473128bde5709504da3311226a |
| SHA256 | 323e0634bc5626cbe9d26f8bdf2e00d9f05ccbdff3c8bb88f5cbdc8de9d95001 |
| SHA512 | 6eadf36a37805ef7f74832727ca0f8ce575b91429bb73245256bd1ba2bd18f8d2e98595db8cace4a557cbb326060d4108aa7caaac9456a4e82c3ff270027060f |
memory/3856-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | 6c311fa5ed6a64505b088720ebf3b34e |
| SHA1 | 652824b7a1f61734950a9cba746b9f8c2603f3c2 |
| SHA256 | 16290f3297dc9101274d6f67d33b714948197fdb31f32e322d9240205212195a |
| SHA512 | ef0201e56722d950e4375c796d084f05eb7811227e483c83524637f50c5c0211ae7f7ec3994f6e559184fa73c43da6e5e70a0c8c5db606b0c064546a79696de4 |
memory/3972-159-0x0000000000000000-mapping.dmp
memory/1076-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cui.vssm
| MD5 | 96080b01e1b6d1c87114fb3d0bc3d40c |
| SHA1 | e29f2223ca01654b8557badcf2471a249530cf3e |
| SHA256 | 1458082b0697e952f547ddf8116889b5dc31c0e25fb9f018e19fd3164ca05c63 |
| SHA512 | 71395222d76348934f547b26d9421bd863007d0dc971dc67caa394e35b8ba48990e9bea90c9c22c5f986514a1be85a8777131283219176cca5fc850c0d99b30e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Levandosi.vssm
| MD5 | 53d0a2e57922779ba9d991079f621fe2 |
| SHA1 | 6fc9f210c63c8b65aa09444dc3ead625b02f6c7e |
| SHA256 | b3502ba2b7ec8897f7e018a20a5d73cb385746f28aaf1da4ef37f4d0874db90a |
| SHA512 | 1930c2a9d2f7d739176387207ddf3ed9665bd565a3dd4c5d1dcdab4752fa29c9967f912e71ca2d580d2ae92d0470bd634228e062b0c3726e47cfd3efcb1e8421 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.com
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
memory/3868-167-0x0000000000000000-mapping.dmp
memory/2160-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\c
| MD5 | 53d0a2e57922779ba9d991079f621fe2 |
| SHA1 | 6fc9f210c63c8b65aa09444dc3ead625b02f6c7e |
| SHA256 | b3502ba2b7ec8897f7e018a20a5d73cb385746f28aaf1da4ef37f4d0874db90a |
| SHA512 | 1930c2a9d2f7d739176387207ddf3ed9665bd565a3dd4c5d1dcdab4752fa29c9967f912e71ca2d580d2ae92d0470bd634228e062b0c3726e47cfd3efcb1e8421 |
memory/428-169-0x0000000000000000-mapping.dmp
memory/2372-171-0x0000000000470000-0x000000000051E000-memory.dmp
memory/2372-172-0x0000000000400000-0x0000000000461000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sollevano.vssm
| MD5 | d46182d5fa89cdd99dd85bfa54dda4cf |
| SHA1 | 6af1008ccac5a8294c6c6137b123a4f556297939 |
| SHA256 | aaa19826a095af70d3c587266241d19a33ae36a44b7d210af77a9dd98706a302 |
| SHA512 | 20cfaedb9218ef42f44152781e9e94cfb8b07748e1f3ce586aadb06828b9daeffc6e45ca5b482f65d12c3d0eb80d1d622663863d6a3b400d357dbddbbbd810b0 |
memory/3972-174-0x0000000002070000-0x0000000002096000-memory.dmp
memory/3972-175-0x0000000000400000-0x0000000000461000-memory.dmp
memory/428-177-0x0000000001360000-0x0000000001361000-memory.dmp
memory/2760-178-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dhwefecxurd.exe
| MD5 | 2f264d1c365a690f634075fff1e9da5e |
| SHA1 | aa342d4a8bbc81440e04375f65a9213b10d0bcdb |
| SHA256 | bd4f17e7a821c16c6563f996e10ec7d95e52f4f9ffed0c0b0026c80bf0d4b080 |
| SHA512 | 5e59a462abe7064bd348c58b3bf23480a35ef989cb0ff533f8830c9d2fec29de8f7963e38a3f9c7352ab0df8043c50d8e2eb3f739d32e02ca6b902c9b3272fed |
memory/3844-181-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\uluswhprg.vbs
| MD5 | 0a761e935f74c1fb17a79e241b4b945c |
| SHA1 | 803751220ccd6cf2d19c93c7d8cb227ce0707272 |
| SHA256 | e4eaf92d7f3ffcc4bd2f6a5ae3d1edadce78cf8b6e2347df045d4fa0aeac0336 |
| SHA512 | 37d91f570131acf0511bdccd816b03be2758d7e66c78e0792736426a5ac6b4e50794dc511e61c7892ca92857b944338f6c9a8a3c70def05de4e072c7d4f6339e |
memory/2760-183-0x0000000002F90000-0x0000000003697000-memory.dmp
memory/2760-185-0x0000000000C60000-0x0000000000DAA000-memory.dmp
memory/2760-184-0x0000000000400000-0x0000000000B14000-memory.dmp
memory/3952-186-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DHWEFE~1.DLL
| MD5 | 7ac078a4c0a0c82464f31418b512cad7 |
| SHA1 | edafdb4391106484521c3a76890690ee525a9d68 |
| SHA256 | 8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418 |
| SHA512 | e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507 |
\Users\Admin\AppData\Local\Temp\DHWEFE~1.DLL
| MD5 | 7ac078a4c0a0c82464f31418b512cad7 |
| SHA1 | edafdb4391106484521c3a76890690ee525a9d68 |
| SHA256 | 8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418 |
| SHA512 | e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507 |
memory/3952-190-0x0000000004480000-0x0000000004A45000-memory.dmp
memory/3952-191-0x0000000004B90000-0x0000000004B91000-memory.dmp
memory/740-192-0x0000000000000000-mapping.dmp
memory/740-195-0x0000000004710000-0x0000000004CD5000-memory.dmp
memory/3952-196-0x0000000004F41000-0x00000000055A0000-memory.dmp
memory/3952-197-0x0000000000800000-0x00000000008AE000-memory.dmp
memory/740-198-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4EEC.tmp
| MD5 | 149c2823b7eadbfb0a82388a2ab9494f |
| SHA1 | 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c |
| SHA256 | 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869 |
| SHA512 | f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe |
memory/740-200-0x0000000005371000-0x00000000059D0000-memory.dmp
memory/4012-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\kuqfqsrpjcw.vbs
| MD5 | b34178d6d2e5d6c37d7c35afaaf25d26 |
| SHA1 | 108c81007bb7056f4262dfe3129d36a58c966e0b |
| SHA256 | 61e3ead41f5f8d9a72fe5e959fb4a4a64f33c73fb098d7431014c676b0d814c5 |
| SHA512 | 98e24935ff5aa875dbd34541b5bde166487b2bea99f80f7b604a0dc35a379cfa69d2edf225853b0eabed63d21c2534380a6602c8eb9e78e519530ec261061c91 |
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-13 18:56
Reported
2021-05-13 19:00
Platform
win7v20210410
Max time kernel
7s
Max time network
9s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
"C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"
Network
Files
memory/1200-59-0x00000000768B1000-0x00000000768B3000-memory.dmp
memory/1200-60-0x0000000001D30000-0x0000000001E11000-memory.dmp
memory/1200-61-0x0000000000400000-0x00000000004E5000-memory.dmp