Analysis Overview
SHA256
b8d0da9ced6a8c38190e638895ad179d4f73ce78d1e7af59353babded269ae37
Threat Level: Known bad
The file 888079.dat was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
Downloads MZ/PE file
Sets file execution options in registry
Sets file to hidden
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Drops desktop.ini file(s)
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer Protected Mode
Kills process with taskkill
NTFS ADS
Modifies Internet Explorer settings
Modifies registry class
Modifies Internet Explorer Protected Mode Banner
Delays execution with timeout.exe
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-20 21:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-20 21:52
Reported
2021-05-20 21:55
Platform
win7v20210410
Max time kernel
149s
Max time network
149s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\log\cnvk\sbn.exe | N/A |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe | N/A |
Sets file execution options in registry
Sets file to hidden
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\q315m5mq1.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\q315m5mq1.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\q315m5mq1.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\log\cnvk\brokerf.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1400 set thread context of 1780 | N/A | C:\log\cnvk\brokerf.exe | C:\log\cnvk\brokerf.exe |
| PID 1504 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\log\cnvk\brokerf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\log\cnvk\brokerf.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: 33 | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe
"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\log\cnvk\yioi.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 0
C:\log\cnvk\sbn.exe
"sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\log\cnvk\p541seed.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1406895149-1235333697-6211268171722296216-1992013981-17122753707052267971861869376"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\log\"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\log\cnvk\brokerf.exe
brokerf.exe /start
C:\log\cnvk\brokerf.exe
brokerf.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sbn.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sbn.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\log\cnvk\brokerf.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe
/suac
C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe
"C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 172.217.20.110:80 | google.com | tcp |
| N/A | 8.8.8.8:53 | russk17.icu | udp |
| N/A | 8.8.8.8:53 | russk17.icu | udp |
| N/A | 198.12.112.202:80 | russk17.icu | tcp |
| N/A | 8.8.8.8:53 | morningstarlincoln.co.uk | udp |
| N/A | 79.170.44.146:80 | morningstarlincoln.co.uk | tcp |
| N/A | 8.8.8.8:53 | russk17.icu | udp |
| N/A | 198.12.112.202:80 | russk17.icu | tcp |
Files
memory/2040-60-0x0000000076281000-0x0000000076283000-memory.dmp
memory/2040-61-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1776-62-0x0000000000000000-mapping.dmp
C:\log\cnvk\ftoris.vbs
| MD5 | 0bd7eb0367eea35fa03b8baf753e3dbf |
| SHA1 | 5d99d076b6094be05ab24b292fab8b51a81926b5 |
| SHA256 | b5b186b0c9d71d1dc7024cc0dedb17df1f052c93a33f6af0cd4651362245be7d |
| SHA512 | 1f1452a1f1ac4d1687a50f6e405fda5517f53e46fc624675320b2e2d64de6bff7b4437a5e2e081d0cd81617cec50c0c6ef1d43bdc9387154af5616dcfc2a5cb6 |
C:\log\cnvk\yioi.bat
| MD5 | b9c02e786af554bf4e548d218cb59406 |
| SHA1 | 1afcdfc05077c6fe8367e005532af76dbe890c63 |
| SHA256 | 9d5adff2c0c256bdfe6537b1064cfaf9be420434d295b4c4b506949fe6d8eafd |
| SHA512 | 6f89efa5c09ed4a44c291185b98e3c50c7bd81b2adb931daab8f526646cc59fa42b889fb870b8603f24e2ab0a46f0d6ad00bed2cc92e44827a6c854f58541243 |
memory/1068-66-0x0000000000000000-mapping.dmp
C:\log\cnvk\config.pfps
| MD5 | 74938c40bb1e343a5f7fee8ce12636fd |
| SHA1 | 102a9af450b63e4e29fcb8221b783a6f0e657fc7 |
| SHA256 | 48649028ecc8644c77faa53e2c7eb3c84811d4ff5d76965dfc123e7031bbde7f |
| SHA512 | 953425cb722318119c033293a676aac4eec93d95dbdcda727366d3cbc011c3a4e81953e300340015bd7bdbba7cfabdcaf55adc5e68ff7c18f542bb42dd7ab370 |
memory/980-68-0x0000000000000000-mapping.dmp
\log\cnvk\sbn.exe
| MD5 | 7acbec84b096b08259d9bf7f358aab7e |
| SHA1 | 00b8e3575bb33447628a90826bdc4c6b2d7e7a19 |
| SHA256 | 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c |
| SHA512 | 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23 |
C:\log\cnvk\sbn.exe
| MD5 | 7acbec84b096b08259d9bf7f358aab7e |
| SHA1 | 00b8e3575bb33447628a90826bdc4c6b2d7e7a19 |
| SHA256 | 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c |
| SHA512 | 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23 |
memory/820-71-0x0000000000000000-mapping.dmp
C:\log\cnvk\sbn.exe
| MD5 | 7acbec84b096b08259d9bf7f358aab7e |
| SHA1 | 00b8e3575bb33447628a90826bdc4c6b2d7e7a19 |
| SHA256 | 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c |
| SHA512 | 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23 |
memory/864-74-0x0000000000000000-mapping.dmp
C:\log\cnvk\oll.vbs
| MD5 | aad7b3fbdc2b543dd2cc773d89d8bc17 |
| SHA1 | 4b680e56de180c6674f86f0e228eaf7801ef182e |
| SHA256 | a0e42e327432a1fa0afb90ae4407671e9f6b6611a7db64c0f7c0cbb48c73be75 |
| SHA512 | 9eb3a9203198458a2d52ce66355446939d7bc5c6c656efe1d0e03485f1b181ce65a7ebbfceb434b2535543e61e018e83720de2f4d72303af19796f3b7c9bfdbb |
memory/1668-77-0x0000000000000000-mapping.dmp
memory/640-78-0x0000000000000000-mapping.dmp
C:\log\cnvk\p541seed.bat
| MD5 | fb6bc7bd7f1d2813765c0dd42d96d62d |
| SHA1 | c6d3306967de66dcbcd4340269a5c9ff62ede54f |
| SHA256 | ae0c4df3946ecbc710c852b300a4450197881d7077c62b7cf2b612eacf2bb6da |
| SHA512 | 572fe41b1421e16ea5a99dcf5334924c0d1bf1cf7eaf3b3961c73c906c745e144feaffb813cb26d351c3b60f32c11a6d126a066f305d792ca1808d7cd9572e7d |
memory/572-81-0x0000000000000000-mapping.dmp
memory/1648-82-0x0000000000000000-mapping.dmp
memory/1260-83-0x0000000000000000-mapping.dmp
\log\cnvk\brokerf.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
C:\log\cnvk\brokerf.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
memory/1400-87-0x0000000000000000-mapping.dmp
\log\cnvk\brokerf.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
C:\log\cnvk\brokerf.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
memory/1780-89-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1780-90-0x00000000004015C6-mapping.dmp
C:\log\cnvk\brokerf.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
memory/1780-94-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1368-93-0x0000000000000000-mapping.dmp
memory/1780-95-0x0000000001CD0000-0x0000000001D36000-memory.dmp
memory/1780-96-0x0000000000340000-0x000000000034D000-memory.dmp
memory/1780-97-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1688-98-0x0000000000000000-mapping.dmp
memory/400-99-0x0000000000000000-mapping.dmp
memory/804-100-0x0000000000000000-mapping.dmp
memory/1084-101-0x0000000000000000-mapping.dmp
memory/1084-103-0x0000000074B51000-0x0000000074B53000-memory.dmp
memory/1084-108-0x0000000077AA0000-0x0000000077C20000-memory.dmp
memory/1084-109-0x0000000000160000-0x00000000002AD000-memory.dmp
memory/1084-107-0x00000000003E0000-0x00000000003EC000-memory.dmp
memory/1780-105-0x0000000000890000-0x000000000089C000-memory.dmp
memory/1780-104-0x00000000005D0000-0x00000000005D1000-memory.dmp
memory/1780-112-0x00000000005F0000-0x00000000005F1000-memory.dmp
memory/804-114-0x00000000009D0000-0x0000000000B1D000-memory.dmp
memory/572-115-0x00000000020A0000-0x00000000021ED000-memory.dmp
memory/1084-116-0x0000000000A20000-0x0000000000A22000-memory.dmp
\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
memory/1504-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
\Users\Admin\AppData\Local\Temp\geueci1ous7.exe
| MD5 | 07f2ddc571ace474d3d7c0e5efd051a2 |
| SHA1 | ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8 |
| SHA256 | 4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f |
| SHA512 | 4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e |
C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe
| MD5 | 07f2ddc571ace474d3d7c0e5efd051a2 |
| SHA1 | ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8 |
| SHA256 | 4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f |
| SHA512 | 4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e |
memory/1760-122-0x0000000000000000-mapping.dmp
memory/440-126-0x00000000025A0000-0x00000000025A6000-memory.dmp
memory/1272-127-0x0000000002960000-0x0000000002966000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-20 21:52
Reported
2021-05-20 21:55
Platform
win10v20210408
Max time kernel
149s
Max time network
146s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\log\cnvk\sbn.exe | N/A |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
Sets file execution options in registry
Sets file to hidden
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\39931771.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\39931771.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\log\cnvk\brokerf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2228 set thread context of 2820 | N/A | C:\log\cnvk\brokerf.exe | C:\log\cnvk\brokerf.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\log\cnvk\brokerf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\log\cnvk\brokerf.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
| N/A | N/A | C:\log\cnvk\brokerf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: 33 | N/A | C:\log\cnvk\brokerf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe
"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\yioi.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 0
C:\log\cnvk\sbn.exe
"sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\p541seed.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\log\"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\log\cnvk\brokerf.exe
brokerf.exe /start
C:\log\cnvk\brokerf.exe
brokerf.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sbn.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sbn.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\log\cnvk\brokerf.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | update.microsoft.com | udp |
| N/A | 8.8.8.8:53 | russk18.icu | udp |
| N/A | 8.8.8.8:53 | russk19.icu | udp |
| N/A | 8.8.8.8:53 | russk20.icu | udp |
| N/A | 8.8.8.8:53 | russk21.icu | udp |
| N/A | 8.8.8.8:53 | moscow13.at | udp |
Files
memory/668-114-0x0000000000790000-0x000000000083E000-memory.dmp
memory/3808-115-0x0000000000000000-mapping.dmp
C:\log\cnvk\ftoris.vbs
| MD5 | 0bd7eb0367eea35fa03b8baf753e3dbf |
| SHA1 | 5d99d076b6094be05ab24b292fab8b51a81926b5 |
| SHA256 | b5b186b0c9d71d1dc7024cc0dedb17df1f052c93a33f6af0cd4651362245be7d |
| SHA512 | 1f1452a1f1ac4d1687a50f6e405fda5517f53e46fc624675320b2e2d64de6bff7b4437a5e2e081d0cd81617cec50c0c6ef1d43bdc9387154af5616dcfc2a5cb6 |
C:\log\cnvk\yioi.bat
| MD5 | b9c02e786af554bf4e548d218cb59406 |
| SHA1 | 1afcdfc05077c6fe8367e005532af76dbe890c63 |
| SHA256 | 9d5adff2c0c256bdfe6537b1064cfaf9be420434d295b4c4b506949fe6d8eafd |
| SHA512 | 6f89efa5c09ed4a44c291185b98e3c50c7bd81b2adb931daab8f526646cc59fa42b889fb870b8603f24e2ab0a46f0d6ad00bed2cc92e44827a6c854f58541243 |
memory/560-118-0x0000000000000000-mapping.dmp
C:\log\cnvk\config.pfps
| MD5 | 74938c40bb1e343a5f7fee8ce12636fd |
| SHA1 | 102a9af450b63e4e29fcb8221b783a6f0e657fc7 |
| SHA256 | 48649028ecc8644c77faa53e2c7eb3c84811d4ff5d76965dfc123e7031bbde7f |
| SHA512 | 953425cb722318119c033293a676aac4eec93d95dbdcda727366d3cbc011c3a4e81953e300340015bd7bdbba7cfabdcaf55adc5e68ff7c18f542bb42dd7ab370 |
memory/192-120-0x0000000000000000-mapping.dmp
memory/208-121-0x0000000000000000-mapping.dmp
C:\log\cnvk\sbn.exe
| MD5 | 7acbec84b096b08259d9bf7f358aab7e |
| SHA1 | 00b8e3575bb33447628a90826bdc4c6b2d7e7a19 |
| SHA256 | 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c |
| SHA512 | 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23 |
memory/2872-123-0x0000000000000000-mapping.dmp
C:\log\cnvk\oll.vbs
| MD5 | aad7b3fbdc2b543dd2cc773d89d8bc17 |
| SHA1 | 4b680e56de180c6674f86f0e228eaf7801ef182e |
| SHA256 | a0e42e327432a1fa0afb90ae4407671e9f6b6611a7db64c0f7c0cbb48c73be75 |
| SHA512 | 9eb3a9203198458a2d52ce66355446939d7bc5c6c656efe1d0e03485f1b181ce65a7ebbfceb434b2535543e61e018e83720de2f4d72303af19796f3b7c9bfdbb |
memory/1308-125-0x0000000000000000-mapping.dmp
memory/1192-126-0x0000000000000000-mapping.dmp
C:\log\cnvk\p541seed.bat
| MD5 | fb6bc7bd7f1d2813765c0dd42d96d62d |
| SHA1 | c6d3306967de66dcbcd4340269a5c9ff62ede54f |
| SHA256 | ae0c4df3946ecbc710c852b300a4450197881d7077c62b7cf2b612eacf2bb6da |
| SHA512 | 572fe41b1421e16ea5a99dcf5334924c0d1bf1cf7eaf3b3961c73c906c745e144feaffb813cb26d351c3b60f32c11a6d126a066f305d792ca1808d7cd9572e7d |
memory/1724-128-0x0000000000000000-mapping.dmp
memory/1592-129-0x0000000000000000-mapping.dmp
memory/1828-130-0x0000000000000000-mapping.dmp
memory/2228-131-0x0000000000000000-mapping.dmp
C:\log\cnvk\brokerf.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
C:\log\cnvk\brokerf.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
memory/2820-134-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2820-135-0x00000000004015C6-mapping.dmp
C:\log\cnvk\brokerf.exe
| MD5 | 1e7da6a53a16210ffaaf28feaa1a38ad |
| SHA1 | a6559654ef5b0b5fb9b006ee7b411cf962177dba |
| SHA256 | f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3 |
| SHA512 | fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3 |
memory/528-137-0x0000000000000000-mapping.dmp
memory/2820-139-0x00000000021A0000-0x0000000002206000-memory.dmp
memory/2820-140-0x0000000000440000-0x00000000004EE000-memory.dmp
memory/2820-138-0x0000000000400000-0x0000000000435000-memory.dmp
memory/192-141-0x0000000000000000-mapping.dmp
memory/2840-142-0x0000000000000000-mapping.dmp
memory/512-143-0x0000000000000000-mapping.dmp
memory/668-144-0x0000000000000000-mapping.dmp
memory/2820-146-0x0000000002660000-0x000000000266C000-memory.dmp
memory/2820-145-0x0000000000910000-0x0000000000911000-memory.dmp
memory/668-147-0x0000000000810000-0x0000000000C4F000-memory.dmp
memory/668-148-0x0000000000490000-0x00000000005DD000-memory.dmp
memory/668-149-0x0000000002DA0000-0x0000000002ED6000-memory.dmp
memory/668-150-0x0000000002DA0000-0x0000000002ED6000-memory.dmp
memory/668-152-0x0000000004660000-0x0000000004661000-memory.dmp
C:\log\cnvk\sbn.exe
| MD5 | 7acbec84b096b08259d9bf7f358aab7e |
| SHA1 | 00b8e3575bb33447628a90826bdc4c6b2d7e7a19 |
| SHA256 | 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c |
| SHA512 | 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23 |
memory/1724-155-0x0000000003B50000-0x0000000003C9D000-memory.dmp
memory/668-156-0x0000000006090000-0x0000000006092000-memory.dmp