Analysis Overview
SHA256
2750d82acc17245fb3f34ceb34d12d50090626ce0bb28902dd2dcc5db924dd48
Threat Level: Known bad
The file 4698845684203520.zip was found to be: Known bad.
Malicious Activity Summary
BetaBot
Vjw0rm
Modifies firewall policy service
Drops file in Drivers directory
Blocklisted process makes network request
Sets file execution options in registry
Executes dropped EXE
Drops startup file
Checks BIOS information in registry
Loads dropped DLL
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
Checks whether UAC is enabled
Suspicious use of SetThreadContext
autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
NSIS installer
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer Protected Mode
Delays execution with timeout.exe
Modifies Internet Explorer settings
Creates scheduled task(s)
Modifies registry class
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer Protected Mode Banner
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-06-01 13:20
Signatures
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2021-06-01 13:20
Reported
2021-06-01 13:23
Platform
win7v20210408
Max time kernel
150s
Max time network
174s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\m7ok5k9k173o5.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\m7ok5k9k173o5.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\m7ok5k9k173o5.exe\"" | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F670.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F670.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\F670.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\F670.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\F670.tmp\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\F670.tmp\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1112 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1.exe
"C:\Users\Admin\AppData\Local\Temp\3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F670.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1863879230819644182-933198694-7134005292028010497118106164-365567450-504560595"
C:\Users\Admin\AppData\Local\Temp\F670.tmp\key.exe
key.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t22395.bat" "C:\Users\Admin\AppData\Local\Temp\F670.tmp\key.exe" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "411731940-2490807415911584563406711251523375688-20983821918807276301291625459"
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\F670.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Microsoft.VisualStudio.Package.LanguageService.11.0.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ac
C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe
bb.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get Caption /format:list
C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe
"C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe
puttty.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 4
C:\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe
ereds.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1076
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 860
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | crackerem.ru | udp |
| N/A | 8.8.8.8:53 | www.apl.com.pk | udp |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 8.8.8.8:53 | kikidoyoulabme222.ru | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 8.8.8.8:53 | alldayever231.su | udp |
Files
memory/1828-59-0x0000000075801000-0x0000000075803000-memory.dmp
memory/1980-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F670.tmp\start.bat
| MD5 | f96458f7f2a09565f4b715dba1279633 |
| SHA1 | 86e808b7a0d46dcce31c2257f694d57f1391da9e |
| SHA256 | e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79 |
| SHA512 | 8da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78 |
\Users\Admin\AppData\Local\Temp\F670.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
C:\Users\Admin\AppData\Local\Temp\F670.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/268-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F670.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/868-67-0x0000000000000000-mapping.dmp
memory/1768-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ytmp\t22395.bat
| MD5 | 9843a9b32e52e7f03b5a4ee184e0ebf6 |
| SHA1 | 1b3a353b8ad0e84c77acb2b6c5b2ce1795b73013 |
| SHA256 | 059516ecde0f1e20cb6093de828cc09d7618f801b524fd5f3c554f8dcde5a229 |
| SHA512 | 5f223854a27d71b8bab9419f5c8ede111e7c148ad35b25fe73b30013d4af38b59634791d1e42a350a61f03489fdd8260b84e39744d8e685696e05e9e8ec4f1c9 |
memory/1696-70-0x0000000000000000-mapping.dmp
memory/1460-71-0x0000000000000000-mapping.dmp
memory/1412-72-0x0000000000000000-mapping.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 336e4a90c6f8fa6b544a19457d63b7ed |
| SHA1 | 1b99a8bfd814f281f27aeb36be1fe06df454ef4a |
| SHA256 | 598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4 |
| SHA512 | b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690 |
\Users\Admin\AppData\Local\Temp\F670.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
C:\Users\Admin\AppData\Local\Temp\F670.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
\Users\Admin\AppData\Local\Temp\F670.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/1364-77-0x0000000000000000-mapping.dmp
memory/1676-79-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F670.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/316-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/1364-85-0x00000000008C0000-0x00000000008C1000-memory.dmp
memory/316-87-0x0000000077120000-0x0000000077121000-memory.dmp
memory/316-88-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Local\Temp\spc_player.dll
| MD5 | 41afbf49ba7f6ee164f31faa2cd38e15 |
| SHA1 | 4a9aeebf6e2a3c459629662b4e3d72fe210da63f |
| SHA256 | 50d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387 |
| SHA512 | a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe |
\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1112-93-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/112-96-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1552-98-0x0000000000000000-mapping.dmp
memory/316-97-0x00000000750C0000-0x00000000750C1000-memory.dmp
memory/1364-99-0x0000000007060000-0x0000000007061000-memory.dmp
memory/1364-101-0x0000000007065000-0x0000000007076000-memory.dmp
\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1944-102-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1944-103-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F670.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1944-106-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1944-108-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1944-109-0x0000000000240000-0x000000000024D000-memory.dmp
memory/1944-110-0x00000000004C0000-0x00000000004C1000-memory.dmp
memory/1944-111-0x0000000001DD0000-0x0000000001DDC000-memory.dmp
memory/1364-112-0x0000000007076000-0x0000000007077000-memory.dmp
memory/1944-107-0x00000000002E0000-0x0000000000346000-memory.dmp
memory/1668-113-0x0000000000000000-mapping.dmp
memory/1668-115-0x0000000070D11000-0x0000000070D13000-memory.dmp
memory/1668-121-0x00000000003E0000-0x00000000003EC000-memory.dmp
memory/1668-117-0x00000000001E0000-0x00000000002E2000-memory.dmp
memory/1668-116-0x0000000076F90000-0x0000000077110000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/976-125-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/2020-127-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/976-131-0x0000000000130000-0x0000000000131000-memory.dmp
memory/1944-129-0x00000000004E0000-0x00000000004E1000-memory.dmp
memory/316-133-0x0000000004130000-0x000000000428C000-memory.dmp
memory/316-132-0x00000000042B0000-0x00000000043B2000-memory.dmp
memory/316-135-0x0000000004130000-0x000000000428C000-memory.dmp
memory/316-134-0x00000000044C0000-0x00000000044CC000-memory.dmp
memory/1364-140-0x00000000007D0000-0x00000000007D1000-memory.dmp
memory/1364-139-0x00000000007E0000-0x00000000007EC000-memory.dmp
memory/1364-137-0x0000000007960000-0x0000000007A62000-memory.dmp
memory/1212-136-0x0000000002A10000-0x0000000002A16000-memory.dmp
memory/1580-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
C:\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/1580-147-0x0000000001EF0000-0x0000000001EF1000-memory.dmp
memory/1980-148-0x0000000001D60000-0x0000000002871000-memory.dmp
memory/976-150-0x0000000004670000-0x0000000004772000-memory.dmp
memory/1364-154-0x0000000007077000-0x0000000007078000-memory.dmp
memory/976-152-0x0000000000A40000-0x0000000000A4C000-memory.dmp
memory/1828-149-0x00000000027B0000-0x00000000033FA000-memory.dmp
memory/1668-155-0x0000000000B60000-0x0000000000B62000-memory.dmp
memory/1364-156-0x0000000007078000-0x0000000007079000-memory.dmp
memory/1580-157-0x00000000050F0000-0x00000000051F2000-memory.dmp
memory/1580-159-0x00000000020D0000-0x00000000020DC000-memory.dmp
memory/288-161-0x0000000000000000-mapping.dmp
memory/288-163-0x00000000001C0000-0x00000000002C2000-memory.dmp
memory/268-171-0x0000000002A00000-0x0000000002A0C000-memory.dmp
memory/288-169-0x00000000021B0000-0x00000000021B1000-memory.dmp
memory/268-167-0x0000000003060000-0x0000000003CAA000-memory.dmp
\Users\Admin\AppData\Local\Temp\F670.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1364-173-0x0000000000000000-mapping.dmp
memory/1364-175-0x00000000001C0000-0x00000000002C2000-memory.dmp
memory/1364-177-0x0000000000460000-0x000000000046C000-memory.dmp
\Users\Admin\AppData\Local\Temp\F670.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/1364-180-0x0000000002300000-0x0000000002301000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2021-06-01 13:20
Reported
2021-06-01 13:22
Platform
win10v20210410
Max time kernel
150s
Max time network
148s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\ereds.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\73951kqs1.exe\"" | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\73951kqs1.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\73951kqs1.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\puttty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\puttty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3088 set thread context of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1.exe
"C:\Users\Admin\AppData\Local\Temp\3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1.exe"
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\key.exe
key.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t953.bat" "C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\key.exe" "
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Microsoft.VisualStudio.Package.LanguageService.11.0.exe
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get Caption /format:list
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe
bb.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe
"C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\puttty.exe
puttty.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 4
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\ereds.exe
ereds.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1800
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 804
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | crackerem.ru | udp |
| N/A | 35.205.61.67:80 | crackerem.ru | tcp |
| N/A | 8.8.8.8:53 | www.apl.com.pk | udp |
| N/A | 203.124.43.228:80 | www.apl.com.pk | tcp |
| N/A | 203.124.43.228:443 | www.apl.com.pk | tcp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 104.215.148.63:80 | microsoft.com | tcp |
| N/A | 8.8.8.8:53 | kikidoyoulabme222.ru | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
Files
memory/1700-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\start.bat
| MD5 | f96458f7f2a09565f4b715dba1279633 |
| SHA1 | 86e808b7a0d46dcce31c2257f694d57f1391da9e |
| SHA256 | e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79 |
| SHA512 | 8da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78 |
memory/2600-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/2692-118-0x0000000000000000-mapping.dmp
memory/184-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ytmp\t953.bat
| MD5 | 4d84381705b6baeca99dfb68d4db5099 |
| SHA1 | 30a2434b4efcfecf164da04a78275554f35bc303 |
| SHA256 | 8bbe0c6d87e7e8616e9ccc71e7b707ec3bfd66a1534ae4fc9163afa5cb3ffb39 |
| SHA512 | 1199ce63495c2855721b7ded59aa1fb1b1032efc7c9c326ee6ce7a9348aeb00fed89af1eeff1cc83f699cedf54e3008b0b6fa1bc1896ecd2ebecbebaa5a024d7 |
memory/1276-122-0x0000000000000000-mapping.dmp
memory/1840-123-0x0000000000000000-mapping.dmp
memory/3720-124-0x0000000000000000-mapping.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 336e4a90c6f8fa6b544a19457d63b7ed |
| SHA1 | 1b99a8bfd814f281f27aeb36be1fe06df454ef4a |
| SHA256 | 598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4 |
| SHA512 | b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690 |
memory/3480-126-0x0000000000000000-mapping.dmp
memory/3428-128-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/2976-131-0x0000000000000000-mapping.dmp
memory/3480-132-0x0000000000930000-0x0000000000931000-memory.dmp
memory/3428-134-0x0000000077D90000-0x0000000077D91000-memory.dmp
memory/3428-135-0x0000000002290000-0x0000000002291000-memory.dmp
memory/3428-136-0x00000000766B0000-0x00000000766B1000-memory.dmp
memory/3828-137-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\spc_player.dll
| MD5 | 41afbf49ba7f6ee164f31faa2cd38e15 |
| SHA1 | 4a9aeebf6e2a3c459629662b4e3d72fe210da63f |
| SHA256 | 50d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387 |
| SHA512 | a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe |
memory/3480-139-0x00000000074A0000-0x00000000074A1000-memory.dmp
memory/3480-140-0x0000000007190000-0x0000000007191000-memory.dmp
memory/3480-141-0x0000000007193000-0x0000000007195000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/3568-144-0x0000000000000000-mapping.dmp
memory/1272-146-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1272-147-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/3088-142-0x0000000000000000-mapping.dmp
memory/3480-150-0x0000000007195000-0x0000000007196000-memory.dmp
memory/1272-149-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1272-154-0x0000000002660000-0x000000000266C000-memory.dmp
memory/1272-151-0x0000000002120000-0x0000000002186000-memory.dmp
memory/1272-153-0x0000000002630000-0x0000000002631000-memory.dmp
memory/1272-152-0x0000000000590000-0x000000000059D000-memory.dmp
memory/3148-155-0x0000000000000000-mapping.dmp
memory/3148-156-0x0000000000010000-0x000000000044F000-memory.dmp
memory/3148-157-0x0000000002D00000-0x0000000002E02000-memory.dmp
memory/3148-161-0x00000000048F0000-0x00000000048F1000-memory.dmp
memory/2120-163-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/2156-165-0x0000000000000000-mapping.dmp
memory/2120-167-0x0000000003120000-0x0000000003121000-memory.dmp
memory/3428-168-0x0000000002FE0000-0x00000000030E2000-memory.dmp
memory/3428-170-0x0000000003270000-0x0000000003271000-memory.dmp
memory/2120-171-0x0000000005570000-0x0000000005672000-memory.dmp
memory/4200-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
C:\Users\Admin\AppData\Local\Temp\1AF0.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/4200-178-0x0000000002260000-0x0000000002261000-memory.dmp
memory/1700-177-0x0000000003570000-0x0000000003672000-memory.dmp
memory/1700-180-0x0000000004F20000-0x0000000004F21000-memory.dmp
memory/3148-182-0x0000000004910000-0x0000000004A9E000-memory.dmp
memory/4044-181-0x0000000003160000-0x0000000003262000-memory.dmp
memory/4292-183-0x0000000000000000-mapping.dmp
memory/4292-184-0x0000000005A50000-0x0000000005B52000-memory.dmp
memory/3480-187-0x0000000007EE0000-0x0000000007FE2000-memory.dmp
memory/2600-188-0x0000000003AF0000-0x0000000003BF2000-memory.dmp
memory/184-191-0x00000000036A0000-0x00000000037A2000-memory.dmp
memory/4564-194-0x0000000000000000-mapping.dmp
memory/4200-195-0x00000000057F0000-0x00000000058F2000-memory.dmp
memory/4564-198-0x0000000005930000-0x0000000005A32000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-06-01 13:20
Reported
2021-06-01 13:23
Platform
win10v20210408
Max time kernel
151s
Max time network
140s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\ereds.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\w5s55ko173cea3.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\w5s55ko173cea3.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\w5s55ko173cea3.exe\"" | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\ereds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4092 set thread context of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd.exe
"C:\Users\Admin\AppData\Local\Temp\1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\95FC.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd.exe"
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\key.exe
key.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Microsoft.VisualStudio.Package.LanguageService.11.0.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t8885.bat" "C:\Users\Admin\AppData\Local\Temp\95FC.tmp\key.exe" "
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get Caption /format:list
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe
bb.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe
"C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\puttty.exe
puttty.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 4
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\ereds.exe
ereds.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1428
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1256
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | crackerem.ru | udp |
| N/A | 8.8.8.8:53 | www.apl.com.pk | udp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 8.8.8.8:53 | alldayever231.su | udp |
| N/A | 8.8.8.8:53 | tarssdsfdfsdr23.ru | udp |
| N/A | 8.8.8.8:53 | tantarantantan23.ru | udp |
| N/A | 8.8.8.8:53 | kdfrghdkfj34.ru | udp |
Files
memory/3832-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\start.bat
| MD5 | f96458f7f2a09565f4b715dba1279633 |
| SHA1 | 86e808b7a0d46dcce31c2257f694d57f1391da9e |
| SHA256 | e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79 |
| SHA512 | 8da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78 |
memory/1248-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/212-119-0x0000000000000000-mapping.dmp
memory/2912-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/940-123-0x0000000000000000-mapping.dmp
memory/2616-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ytmp\t8885.bat
| MD5 | d1eda75f9fbd43adf17b57ead3ddc7f3 |
| SHA1 | 784583f368296fd4030592c0d0a1c15a10abf1a4 |
| SHA256 | ed8e34e8a81ca21de6cde249cd2eacd81ed799ba1a78f7e5b8069b987da06aeb |
| SHA512 | 3eb9673725f7d5185748455495dff2cb45c794d49b6d77d806746514edb98a565692f1a7a3e65ee8e7402f1a8663061259f7bed34432c75a0b538a21aeade264 |
memory/2260-126-0x0000000000000000-mapping.dmp
memory/2204-127-0x0000000000000000-mapping.dmp
memory/3392-128-0x0000000000000000-mapping.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 336e4a90c6f8fa6b544a19457d63b7ed |
| SHA1 | 1b99a8bfd814f281f27aeb36be1fe06df454ef4a |
| SHA256 | 598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4 |
| SHA512 | b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690 |
memory/3584-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/2912-132-0x0000000000010000-0x0000000000011000-memory.dmp
memory/3584-135-0x00000000023D0000-0x00000000023D1000-memory.dmp
memory/3584-134-0x0000000077030000-0x0000000077031000-memory.dmp
memory/3584-136-0x0000000074B40000-0x0000000074B41000-memory.dmp
memory/2912-137-0x0000000006F70000-0x0000000006F71000-memory.dmp
memory/3904-138-0x0000000000000000-mapping.dmp
memory/4092-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/580-142-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\spc_player.dll
| MD5 | 41afbf49ba7f6ee164f31faa2cd38e15 |
| SHA1 | 4a9aeebf6e2a3c459629662b4e3d72fe210da63f |
| SHA256 | 50d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387 |
| SHA512 | a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe |
memory/744-145-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/744-143-0x0000000000400000-0x0000000000435000-memory.dmp
memory/744-148-0x0000000000400000-0x0000000000435000-memory.dmp
memory/744-149-0x0000000002100000-0x0000000002166000-memory.dmp
memory/2912-147-0x0000000006F73000-0x0000000006F75000-memory.dmp
memory/2912-152-0x0000000007220000-0x0000000007221000-memory.dmp
memory/744-154-0x00000000024B0000-0x00000000024BD000-memory.dmp
memory/4064-153-0x0000000000000000-mapping.dmp
memory/744-156-0x0000000002660000-0x000000000266C000-memory.dmp
memory/744-155-0x0000000002630000-0x0000000002631000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/4064-161-0x0000000000B70000-0x0000000000FAF000-memory.dmp
memory/4064-162-0x0000000003260000-0x0000000003362000-memory.dmp
memory/2300-159-0x0000000000000000-mapping.dmp
memory/2892-157-0x0000000000000000-mapping.dmp
memory/2912-166-0x0000000006F75000-0x0000000006F76000-memory.dmp
memory/744-167-0x0000000002650000-0x0000000002651000-memory.dmp
memory/2892-169-0x00000000014F0000-0x00000000014F1000-memory.dmp
memory/3584-170-0x0000000005350000-0x0000000005452000-memory.dmp
memory/3584-172-0x00000000031F0000-0x00000000031F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/4084-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\95FC.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/3832-176-0x0000000003860000-0x0000000003962000-memory.dmp
memory/852-178-0x00000000032D0000-0x00000000033D2000-memory.dmp
memory/2892-179-0x0000000005530000-0x0000000005632000-memory.dmp
memory/4084-177-0x0000000000B00000-0x0000000000B01000-memory.dmp
memory/4064-182-0x0000000004CF0000-0x0000000004E7E000-memory.dmp
memory/2912-183-0x0000000007C50000-0x0000000007D52000-memory.dmp
memory/4104-186-0x0000000000000000-mapping.dmp
memory/4200-187-0x0000000000000000-mapping.dmp
memory/4084-188-0x0000000005920000-0x0000000005A22000-memory.dmp
memory/4104-191-0x00000000056C0000-0x00000000057C2000-memory.dmp
memory/4104-193-0x0000000003A10000-0x0000000003A11000-memory.dmp
memory/1248-194-0x0000000003C00000-0x0000000003D02000-memory.dmp
memory/2616-197-0x0000000003420000-0x0000000003522000-memory.dmp
memory/4200-200-0x0000000005790000-0x0000000005892000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2021-06-01 13:20
Reported
2021-06-01 13:22
Platform
win10v20210410
Max time kernel
150s
Max time network
148s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\amtemu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcrobatDC.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcrobatDC.js | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\koa35m5o79g7e.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\koa35m5o79g7e.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\koa35m5o79g7e.exe\"" | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4248 set thread context of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\AcrobatDC.js | C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe | N/A |
| File created | C:\Windows\amtemu.exe | C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe | N/A |
| File opened for modification | C:\Windows\amtemu.exe | C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe | N/A |
| File created | C:\Windows\AcrobatDC.js | C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe
"C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\AcrobatDC.js"
C:\Windows\amtemu.exe
"C:\Windows\amtemu.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Windows\AcrobatDC.js
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FB04.tmp\start.bat" C:\Windows\amtemu.exe"
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe
key.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Microsoft.VisualStudio.Package.LanguageService.11.0.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t7747.bat" "C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe" "
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get Caption /format:list
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe
bb.exe
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe
"C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exe
puttty.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 4
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exe
ereds.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2376
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1536
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | uploadp2p.publicvm.com | udp |
| N/A | 185.134.114.39:42023 | uploadp2p.publicvm.com | tcp |
| N/A | 8.8.8.8:53 | crackerem.ru | udp |
| N/A | 35.205.61.67:80 | crackerem.ru | tcp |
| N/A | 8.8.8.8:53 | www.apl.com.pk | udp |
| N/A | 203.124.43.228:80 | www.apl.com.pk | tcp |
| N/A | 203.124.43.228:443 | www.apl.com.pk | tcp |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 52.185.71.28:80 | windowsupdate.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | kikidoyoulabme222.ru | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 185.134.114.39:42023 | uploadp2p.publicvm.com | tcp |
| N/A | 185.134.114.39:42023 | uploadp2p.publicvm.com | tcp |
| N/A | 185.134.114.39:42023 | uploadp2p.publicvm.com | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 185.134.114.39:42023 | uploadp2p.publicvm.com | tcp |
| N/A | 185.134.114.39:42023 | uploadp2p.publicvm.com | tcp |
Files
memory/420-114-0x0000000000000000-mapping.dmp
C:\Windows\AcrobatDC.js
| MD5 | 9369231125c086e3761ec5238ce71020 |
| SHA1 | e92d312f660e360a460b9eb182ea68a2f5068f95 |
| SHA256 | 600b88a21f553bd0e719af4601bde53de7bd7e7e09dfe56032f88ac54e34d58f |
| SHA512 | 57874d89812731a5daf656965c7ed86b37143265f53a5bad27716d12b38bc675d4fd31d3e360fc744d5d868483033bd0a514fca94afac7ee6ce3a2277a166ce4 |
memory/1784-116-0x0000000000000000-mapping.dmp
C:\Windows\amtemu.exe
| MD5 | 88124e4aba906259af28a466774431ea |
| SHA1 | fbc1c27e0d7177238ec99481ffa7d839d1f51594 |
| SHA256 | 1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd |
| SHA512 | cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d |
C:\Windows\amtemu.exe
| MD5 | 88124e4aba906259af28a466774431ea |
| SHA1 | fbc1c27e0d7177238ec99481ffa7d839d1f51594 |
| SHA256 | 1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd |
| SHA512 | cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d |
memory/3516-119-0x0000000000000000-mapping.dmp
memory/1632-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\start.bat
| MD5 | f96458f7f2a09565f4b715dba1279633 |
| SHA1 | 86e808b7a0d46dcce31c2257f694d57f1391da9e |
| SHA256 | e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79 |
| SHA512 | 8da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78 |
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/1296-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/3844-122-0x0000000000000000-mapping.dmp
memory/1640-126-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/3400-129-0x0000000000000000-mapping.dmp
memory/2192-128-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ytmp\t7747.bat
| MD5 | 7924b9cf2a621e979dfbdecc7abc5b8b |
| SHA1 | 1477d9c23f7e42bfb4121f2c59bb7cdd9ba34c78 |
| SHA256 | 06db46f2d9ba954de03cda1ef98e2f4a014e699db40311364a21a5a46453fe80 |
| SHA512 | dec6089bc2f912b6364409bda5c709453745af2cf410728abed071040fe009aea8941efdb8673eb0ae53c81396cbcfbc04077b582913a342db3cc5ae2c695d65 |
memory/1972-132-0x0000000000000000-mapping.dmp
memory/296-134-0x0000000000000000-mapping.dmp
memory/1640-133-0x00000000008A0000-0x00000000008A1000-memory.dmp
memory/1296-136-0x0000000000000000-mapping.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 336e4a90c6f8fa6b544a19457d63b7ed |
| SHA1 | 1b99a8bfd814f281f27aeb36be1fe06df454ef4a |
| SHA256 | 598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4 |
| SHA512 | b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690 |
memory/2812-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/812-140-0x0000000000000000-mapping.dmp
memory/1640-141-0x00000000073B0000-0x00000000073B1000-memory.dmp
memory/1640-142-0x00000000073B3000-0x00000000073B5000-memory.dmp
memory/2812-143-0x0000000077490000-0x0000000077491000-memory.dmp
memory/2812-144-0x00000000023A0000-0x00000000023A1000-memory.dmp
memory/2812-145-0x0000000074BC0000-0x0000000074BC1000-memory.dmp
\Users\Admin\AppData\Local\Temp\spc_player.dll
| MD5 | 41afbf49ba7f6ee164f31faa2cd38e15 |
| SHA1 | 4a9aeebf6e2a3c459629662b4e3d72fe210da63f |
| SHA256 | 50d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387 |
| SHA512 | a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe |
memory/1640-146-0x0000000007780000-0x0000000007781000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/4264-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/4248-148-0x0000000000000000-mapping.dmp
memory/4296-152-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4296-153-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1640-155-0x00000000073B5000-0x00000000073B6000-memory.dmp
memory/4296-156-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4296-157-0x00000000006D0000-0x0000000000736000-memory.dmp
memory/4296-158-0x0000000000440000-0x000000000058A000-memory.dmp
memory/4296-159-0x0000000000740000-0x0000000000741000-memory.dmp
memory/4296-160-0x0000000000B00000-0x0000000000B0C000-memory.dmp
memory/4368-161-0x0000000000000000-mapping.dmp
memory/4368-162-0x0000000000380000-0x00000000007BF000-memory.dmp
memory/4368-163-0x0000000003000000-0x0000000003102000-memory.dmp
memory/4368-164-0x0000000002C50000-0x0000000002C5D000-memory.dmp
memory/4368-167-0x0000000004B30000-0x0000000004B31000-memory.dmp
memory/4456-171-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/4440-169-0x0000000000000000-mapping.dmp
memory/4440-173-0x0000000000EB0000-0x0000000000F5E000-memory.dmp
memory/2812-176-0x0000000003100000-0x0000000003101000-memory.dmp
memory/2812-174-0x0000000004840000-0x0000000004942000-memory.dmp
memory/1640-177-0x00000000079C0000-0x0000000007AC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/4692-178-0x0000000000000000-mapping.dmp
memory/4440-181-0x0000000005160000-0x0000000005262000-memory.dmp
memory/1632-184-0x00000000039C0000-0x0000000003AC2000-memory.dmp
memory/1784-188-0x0000000003170000-0x0000000003272000-memory.dmp
memory/4692-187-0x0000000002530000-0x0000000002531000-memory.dmp
memory/1632-186-0x00000000055C0000-0x00000000055C1000-memory.dmp
memory/4368-189-0x0000000004B50000-0x0000000004CDE000-memory.dmp
memory/4832-190-0x0000000000000000-mapping.dmp
memory/4692-191-0x0000000005920000-0x0000000005A22000-memory.dmp
memory/4832-194-0x0000000005910000-0x0000000005A12000-memory.dmp
memory/3844-197-0x0000000003AF0000-0x0000000003BF2000-memory.dmp
memory/2192-200-0x0000000003D10000-0x0000000003E12000-memory.dmp
memory/1296-203-0x0000000000000000-mapping.dmp
memory/1296-204-0x0000000005910000-0x0000000005A12000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2021-06-01 13:20
Reported
2021-06-01 13:22
Platform
win7v20210408
Max time kernel
151s
Max time network
150s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\o3w9137i7cc9.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\o3w9137i7cc9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\o3w9137i7cc9.exe\"" | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1548 set thread context of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\d33647e9d09ffe352d2d6c6db4d48c11f2c04c4aab3deb0fd4c48a65cb47385a.exe
"C:\Users\Admin\AppData\Local\Temp\d33647e9d09ffe352d2d6c6db4d48c11f2c04c4aab3deb0fd4c48a65cb47385a.exe"
C:\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B76D.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1863954634-1080149394-1569302538-1863446477-24776729917318130978398527859929091"
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe
key.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Microsoft.VisualStudio.Package.LanguageService.11.0.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t3247.bat" "C:\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8256951001354403857-17579651031974312452-1279859405470753081204796205-377755229"
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get Caption /format:list
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
"C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe"
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
bb.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe
puttty.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 4
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe
ereds.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1152
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 956
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | strong.girlsmist.online | udp |
| N/A | 8.8.8.8:53 | pepper.cobwebdesign.host | udp |
| N/A | 8.8.8.8:53 | crackerem.ru | udp |
| N/A | 8.8.8.8:53 | www.apl.com.pk | udp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | kikidoyoulabme222.ru | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
Files
memory/1028-60-0x0000000075801000-0x0000000075803000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsc5033.tmp\System.dll
| MD5 | b0c77267f13b2f87c084fd86ef51ccfc |
| SHA1 | f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 |
| SHA256 | a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 |
| SHA512 | f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e |
\Users\Admin\AppData\Local\Temp\nsc5033.tmp\nsisdl.dll
| MD5 | a95c7af96416b2cd084fed4c07c8c291 |
| SHA1 | 0c62c2fd843ccb59784404ed36369784dc557671 |
| SHA256 | a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0 |
| SHA512 | 427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc |
\Users\Admin\AppData\Local\Temp\nsc5033.tmp\nsisdl.dll
| MD5 | a95c7af96416b2cd084fed4c07c8c291 |
| SHA1 | 0c62c2fd843ccb59784404ed36369784dc557671 |
| SHA256 | a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0 |
| SHA512 | 427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc |
\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe
| MD5 | aa8c93e9e5160d638ad2cd03714d863f |
| SHA1 | bfadd4ed975732a0ad370962aabb371da020ed94 |
| SHA256 | 3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1 |
| SHA512 | 5ce5e78bcd183298150b801a4e7e133a7e97a5294f7c851dd60281fd10d0d7ce1074fa1a45e4d895b58232e1d8dcff4c7be8792054a300f9993709ef4f55ed33 |
memory/1624-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe
| MD5 | aa8c93e9e5160d638ad2cd03714d863f |
| SHA1 | bfadd4ed975732a0ad370962aabb371da020ed94 |
| SHA256 | 3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1 |
| SHA512 | 5ce5e78bcd183298150b801a4e7e133a7e97a5294f7c851dd60281fd10d0d7ce1074fa1a45e4d895b58232e1d8dcff4c7be8792054a300f9993709ef4f55ed33 |
C:\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe
| MD5 | aa8c93e9e5160d638ad2cd03714d863f |
| SHA1 | bfadd4ed975732a0ad370962aabb371da020ed94 |
| SHA256 | 3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1 |
| SHA512 | 5ce5e78bcd183298150b801a4e7e133a7e97a5294f7c851dd60281fd10d0d7ce1074fa1a45e4d895b58232e1d8dcff4c7be8792054a300f9993709ef4f55ed33 |
\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe
| MD5 | aa8c93e9e5160d638ad2cd03714d863f |
| SHA1 | bfadd4ed975732a0ad370962aabb371da020ed94 |
| SHA256 | 3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1 |
| SHA512 | 5ce5e78bcd183298150b801a4e7e133a7e97a5294f7c851dd60281fd10d0d7ce1074fa1a45e4d895b58232e1d8dcff4c7be8792054a300f9993709ef4f55ed33 |
\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe
| MD5 | aa8c93e9e5160d638ad2cd03714d863f |
| SHA1 | bfadd4ed975732a0ad370962aabb371da020ed94 |
| SHA256 | 3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1 |
| SHA512 | 5ce5e78bcd183298150b801a4e7e133a7e97a5294f7c851dd60281fd10d0d7ce1074fa1a45e4d895b58232e1d8dcff4c7be8792054a300f9993709ef4f55ed33 |
\Users\Admin\AppData\Local\Temp\nsc5033.tmp\setup.exe
| MD5 | aa8c93e9e5160d638ad2cd03714d863f |
| SHA1 | bfadd4ed975732a0ad370962aabb371da020ed94 |
| SHA256 | 3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1 |
| SHA512 | 5ce5e78bcd183298150b801a4e7e133a7e97a5294f7c851dd60281fd10d0d7ce1074fa1a45e4d895b58232e1d8dcff4c7be8792054a300f9993709ef4f55ed33 |
memory/564-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\start.bat
| MD5 | f96458f7f2a09565f4b715dba1279633 |
| SHA1 | 86e808b7a0d46dcce31c2257f694d57f1391da9e |
| SHA256 | e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79 |
| SHA512 | 8da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78 |
\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/1552-77-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/1544-80-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
\Users\Admin\AppData\Local\Temp\B76D.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/432-87-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/928-88-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/1344-94-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ytmp\t3247.bat
| MD5 | c3ea25c87339e902f1d3e3b1620a6a39 |
| SHA1 | 650a3cc7f89c864d833d4562a3fe26509856e1c5 |
| SHA256 | c0d05f8e3a12f6e810c2d0afa2274a21800ff639f63ce06f35b448d2d9042edf |
| SHA512 | b6b722bfab8fa909f2725a15ea0046d6df8833cec2c5ea32a5d06e20c9d829c3adef6fb76c557147ed3b99d49723ee3afb7c645e112708ddc0418a90854e2eb7 |
memory/1140-97-0x0000000000000000-mapping.dmp
memory/432-99-0x00000000009A0000-0x00000000009A1000-memory.dmp
memory/308-101-0x0000000000000000-mapping.dmp
memory/792-103-0x0000000000000000-mapping.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 336e4a90c6f8fa6b544a19457d63b7ed |
| SHA1 | 1b99a8bfd814f281f27aeb36be1fe06df454ef4a |
| SHA256 | 598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4 |
| SHA512 | b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690 |
\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/1560-108-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/2004-111-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\spc_player.dll
| MD5 | 41afbf49ba7f6ee164f31faa2cd38e15 |
| SHA1 | 4a9aeebf6e2a3c459629662b4e3d72fe210da63f |
| SHA256 | 50d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387 |
| SHA512 | a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe |
memory/1560-117-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1560-116-0x0000000077850000-0x0000000077851000-memory.dmp
memory/432-115-0x00000000071C5000-0x00000000071D6000-memory.dmp
memory/1560-118-0x0000000077100000-0x0000000077101000-memory.dmp
memory/432-114-0x00000000071C0000-0x00000000071C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1844-125-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1728-131-0x00000000004015C6-mapping.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1728-130-0x0000000000400000-0x0000000000435000-memory.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1548-122-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
\Users\Admin\AppData\Local\Temp\B76D.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1728-139-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1728-141-0x00000000005A0000-0x00000000005A1000-memory.dmp
memory/1728-142-0x00000000007D0000-0x00000000007DC000-memory.dmp
memory/1728-140-0x00000000003E0000-0x00000000003ED000-memory.dmp
memory/1728-138-0x0000000000500000-0x0000000000566000-memory.dmp
memory/1728-137-0x0000000000400000-0x0000000000435000-memory.dmp
memory/432-136-0x00000000071D6000-0x00000000071D7000-memory.dmp
memory/2044-143-0x0000000000000000-mapping.dmp
memory/2044-145-0x0000000070CC1000-0x0000000070CC3000-memory.dmp
memory/2044-151-0x0000000000420000-0x000000000042C000-memory.dmp
memory/2044-147-0x0000000000090000-0x0000000000192000-memory.dmp
memory/2044-146-0x00000000776C0000-0x0000000077840000-memory.dmp
memory/1728-152-0x00000000006C0000-0x00000000006C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/920-159-0x0000000000000000-mapping.dmp
memory/1016-157-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1016-164-0x0000000000A20000-0x0000000000A21000-memory.dmp
memory/1560-166-0x0000000004190000-0x0000000004292000-memory.dmp
memory/1560-169-0x00000000043C0000-0x00000000043C1000-memory.dmp
memory/1560-168-0x00000000043D0000-0x00000000043DC000-memory.dmp
memory/1560-167-0x0000000004020000-0x000000000417C000-memory.dmp
memory/432-170-0x00000000082C0000-0x00000000083C2000-memory.dmp
memory/432-172-0x00000000008C0000-0x00000000008CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
C:\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/1364-177-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/1016-182-0x0000000000AD0000-0x0000000000BD2000-memory.dmp
memory/1016-184-0x0000000000620000-0x000000000062C000-memory.dmp
memory/1364-187-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/1624-188-0x0000000002930000-0x000000000357A000-memory.dmp
memory/564-186-0x0000000001F10000-0x0000000002A21000-memory.dmp
memory/1028-190-0x00000000024C0000-0x000000000310A000-memory.dmp
memory/432-191-0x00000000071D7000-0x00000000071D8000-memory.dmp
memory/2044-192-0x0000000002080000-0x0000000002082000-memory.dmp
memory/1364-193-0x0000000004EC0000-0x0000000004FC2000-memory.dmp
memory/1364-195-0x00000000009E0000-0x00000000009EC000-memory.dmp
memory/1600-197-0x0000000000000000-mapping.dmp
memory/1600-199-0x00000000001D0000-0x00000000002D2000-memory.dmp
memory/1600-201-0x0000000000CE0000-0x0000000000CEC000-memory.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1204-205-0x0000000002A30000-0x0000000002A36000-memory.dmp
memory/1600-204-0x00000000027B0000-0x00000000027B1000-memory.dmp
memory/1552-206-0x00000000030F0000-0x0000000003D3A000-memory.dmp
memory/1552-208-0x00000000016C0000-0x00000000016CC000-memory.dmp
memory/432-210-0x0000000000000000-mapping.dmp
memory/432-212-0x00000000001D0000-0x00000000002D2000-memory.dmp
memory/432-214-0x0000000000690000-0x000000000069C000-memory.dmp
\Users\Admin\AppData\Local\Temp\B76D.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/432-217-0x0000000002300000-0x0000000002301000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2021-06-01 13:20
Reported
2021-06-01 13:22
Platform
win10v20210410
Max time kernel
150s
Max time network
135s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsz69E.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\ereds.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\g31ssg513s51.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\g31ssg513s51.exe\"" | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\g31ssg513s51.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\key.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\puttty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\ereds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4196 set thread context of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d33647e9d09ffe352d2d6c6db4d48c11f2c04c4aab3deb0fd4c48a65cb47385a.exe
"C:\Users\Admin\AppData\Local\Temp\d33647e9d09ffe352d2d6c6db4d48c11f2c04c4aab3deb0fd4c48a65cb47385a.exe"
C:\Users\Admin\AppData\Local\Temp\nsz69E.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\nsz69E.tmp\setup.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8DF.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\nsz69E.tmp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\key.exe
key.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t18921.bat" "C:\Users\Admin\AppData\Local\Temp\8DF.tmp\key.exe" "
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Microsoft.VisualStudio.Package.LanguageService.11.0.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get Caption /format:list
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe
bb.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe
"C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\puttty.exe
puttty.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 4
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\ereds.exe
ereds.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2396
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1584
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | strong.girlsmist.online | udp |
| N/A | 8.8.8.8:53 | pepper.cobwebdesign.host | udp |
| N/A | 8.8.8.8:53 | crackerem.ru | udp |
| N/A | 35.205.61.67:80 | crackerem.ru | tcp |
| N/A | 8.8.8.8:53 | www.apl.com.pk | udp |
| N/A | 203.124.43.228:80 | www.apl.com.pk | tcp |
| N/A | 203.124.43.228:443 | www.apl.com.pk | tcp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 172.217.20.110:80 | google.com | tcp |
| N/A | 8.8.8.8:53 | kikidoyoulabme222.ru | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
| N/A | 35.205.61.67:80 | ereds6969.co | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsz69E.tmp\nsisdl.dll
| MD5 | a95c7af96416b2cd084fed4c07c8c291 |
| SHA1 | 0c62c2fd843ccb59784404ed36369784dc557671 |
| SHA256 | a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0 |
| SHA512 | 427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc |
\Users\Admin\AppData\Local\Temp\nsz69E.tmp\System.dll
| MD5 | b0c77267f13b2f87c084fd86ef51ccfc |
| SHA1 | f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 |
| SHA256 | a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 |
| SHA512 | f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e |
\Users\Admin\AppData\Local\Temp\nsz69E.tmp\nsisdl.dll
| MD5 | a95c7af96416b2cd084fed4c07c8c291 |
| SHA1 | 0c62c2fd843ccb59784404ed36369784dc557671 |
| SHA256 | a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0 |
| SHA512 | 427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc |
memory/1148-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nsz69E.tmp\setup.exe
| MD5 | aa8c93e9e5160d638ad2cd03714d863f |
| SHA1 | bfadd4ed975732a0ad370962aabb371da020ed94 |
| SHA256 | 3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1 |
| SHA512 | 5ce5e78bcd183298150b801a4e7e133a7e97a5294f7c851dd60281fd10d0d7ce1074fa1a45e4d895b58232e1d8dcff4c7be8792054a300f9993709ef4f55ed33 |
C:\Users\Admin\AppData\Local\Temp\nsz69E.tmp\setup.exe
| MD5 | aa8c93e9e5160d638ad2cd03714d863f |
| SHA1 | bfadd4ed975732a0ad370962aabb371da020ed94 |
| SHA256 | 3be0e1472ad786cfb4a11fb88470d92873d916eacb651d49e8a520ce8206e4c1 |
| SHA512 | 5ce5e78bcd183298150b801a4e7e133a7e97a5294f7c851dd60281fd10d0d7ce1074fa1a45e4d895b58232e1d8dcff4c7be8792054a300f9993709ef4f55ed33 |
memory/2160-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\start.bat
| MD5 | f96458f7f2a09565f4b715dba1279633 |
| SHA1 | 86e808b7a0d46dcce31c2257f694d57f1391da9e |
| SHA256 | e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79 |
| SHA512 | 8da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78 |
memory/3644-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/2344-124-0x0000000000000000-mapping.dmp
memory/2088-126-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ytmp\t18921.bat
| MD5 | e9afa82607ef0422e64d5f8b2c11586a |
| SHA1 | b6777d86175b122f85ea1e37c142e2984e12bb99 |
| SHA256 | 1989b8faef857a6109c39fc8046a8cb43cdc6493c15b50db6fa8ae5f30fefd88 |
| SHA512 | d88b3a0ce905945195839c1b126f5ef8b43126ce5a5e8897af93f3345729daa1fe5922cbb7b9cb746ed50d496b2e08e9bf2844773ede2acf863049282e2bf645 |
memory/3660-128-0x0000000000000000-mapping.dmp
memory/632-129-0x0000000000000000-mapping.dmp
memory/392-130-0x0000000000000000-mapping.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 336e4a90c6f8fa6b544a19457d63b7ed |
| SHA1 | 1b99a8bfd814f281f27aeb36be1fe06df454ef4a |
| SHA256 | 598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4 |
| SHA512 | b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690 |
memory/1460-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/1452-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/2984-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/1452-138-0x00000000013A0000-0x00000000013A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\spc_player.dll
| MD5 | 41afbf49ba7f6ee164f31faa2cd38e15 |
| SHA1 | 4a9aeebf6e2a3c459629662b4e3d72fe210da63f |
| SHA256 | 50d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387 |
| SHA512 | a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe |
memory/392-141-0x0000000000000000-mapping.dmp
memory/1460-142-0x0000000077F60000-0x0000000077F61000-memory.dmp
memory/1460-143-0x00000000006E0000-0x000000000082A000-memory.dmp
memory/1460-144-0x0000000075EF0000-0x0000000075EF1000-memory.dmp
memory/1452-145-0x0000000006E60000-0x0000000006E61000-memory.dmp
memory/1452-146-0x0000000006E63000-0x0000000006E65000-memory.dmp
memory/1452-147-0x0000000007210000-0x0000000007211000-memory.dmp
memory/4216-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/4196-148-0x0000000000000000-mapping.dmp
memory/4244-152-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4244-153-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/4244-156-0x0000000002130000-0x0000000002196000-memory.dmp
memory/4244-159-0x0000000002670000-0x000000000267C000-memory.dmp
memory/1452-160-0x0000000006E65000-0x0000000006E66000-memory.dmp
memory/4244-158-0x0000000002640000-0x0000000002641000-memory.dmp
memory/4244-157-0x0000000000590000-0x000000000059D000-memory.dmp
memory/4244-155-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4312-161-0x0000000000000000-mapping.dmp
memory/4312-162-0x0000000000990000-0x0000000000DCF000-memory.dmp
memory/4312-163-0x00000000007F0000-0x00000000008F2000-memory.dmp
memory/4312-165-0x0000000003300000-0x0000000003436000-memory.dmp
memory/4312-166-0x0000000003300000-0x0000000003436000-memory.dmp
memory/4244-168-0x0000000002660000-0x0000000002661000-memory.dmp
memory/4312-167-0x0000000003300000-0x0000000003436000-memory.dmp
memory/4444-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/4472-172-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/4444-173-0x0000000001310000-0x0000000001311000-memory.dmp
memory/1460-174-0x0000000002F60000-0x0000000003062000-memory.dmp
memory/1460-176-0x00000000031F0000-0x00000000031F1000-memory.dmp
memory/4444-177-0x0000000005440000-0x0000000005542000-memory.dmp
memory/4628-180-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
C:\Users\Admin\AppData\Local\Temp\8DF.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/2160-183-0x0000000001020000-0x0000000001122000-memory.dmp
memory/4628-184-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/2160-186-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/1148-187-0x0000000003170000-0x0000000003272000-memory.dmp
memory/4024-188-0x0000000002710000-0x0000000002812000-memory.dmp
memory/4312-189-0x00000000065B0000-0x00000000065B2000-memory.dmp
memory/4760-190-0x0000000000000000-mapping.dmp
memory/4628-191-0x0000000005F70000-0x0000000006072000-memory.dmp
memory/4760-194-0x0000000005A50000-0x0000000005B52000-memory.dmp
memory/1452-197-0x0000000007480000-0x0000000007582000-memory.dmp
memory/3644-198-0x0000000003AC0000-0x0000000003BC2000-memory.dmp
memory/2088-201-0x0000000001120000-0x0000000001222000-memory.dmp
memory/5084-204-0x0000000000000000-mapping.dmp
memory/5084-205-0x0000000005940000-0x0000000005A42000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-06-01 13:20
Reported
2021-06-01 13:23
Platform
win7v20210408
Max time kernel
149s
Max time network
190s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\7wmi1gyquw39c1.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\7wmi1gyquw39c1.exe\"" | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\7wmi1gyquw39c1.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\624C.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\624C.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\624C.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\624C.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\624C.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\624C.tmp\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1724 set thread context of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd.exe
"C:\Users\Admin\AppData\Local\Temp\1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\624C.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11098641073790893561013574446-5836042-1470728442108660730915304296341759808603"
C:\Users\Admin\AppData\Local\Temp\624C.tmp\key.exe
key.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t12667.bat" "C:\Users\Admin\AppData\Local\Temp\624C.tmp\key.exe" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1636854565373510870-1965922754-557489954120530030018711853661765826816-1756970573"
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
C:\Users\Admin\AppData\Local\Temp\624C.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Microsoft.VisualStudio.Package.LanguageService.11.0.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get Caption /format:list
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe
bb.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe
"C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe
puttty.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 4
C:\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe
ereds.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1072
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 852
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | crackerem.ru | udp |
| N/A | 8.8.8.8:53 | www.apl.com.pk | udp |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 8.8.8.8:53 | update.microsoft.com | udp |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 8.8.8.8:53 | kikidoyoulabme222.ru | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 8.8.8.8:53 | alldayever231.su | udp |
Files
memory/520-59-0x0000000075C31000-0x0000000075C33000-memory.dmp
memory/1244-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\624C.tmp\start.bat
| MD5 | f96458f7f2a09565f4b715dba1279633 |
| SHA1 | 86e808b7a0d46dcce31c2257f694d57f1391da9e |
| SHA256 | e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79 |
| SHA512 | 8da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78 |
C:\Users\Admin\AppData\Local\Temp\624C.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
\Users\Admin\AppData\Local\Temp\624C.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/1560-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\624C.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/1576-66-0x0000000000000000-mapping.dmp
memory/1004-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ytmp\t12667.bat
| MD5 | 1e6e4570bef9bac233f870ff835fac84 |
| SHA1 | 2c6440f4c7739228588b99b1cc5266790bee6d22 |
| SHA256 | a92fe2334064db650516a7b9b157f8a0bba8d98b9963d283151034e5c1972836 |
| SHA512 | 6d2e9d9acba9e20c18817d3a3250445676e9f9929b8ff61557a66f7e6bb3381ca100e16be805e6b3dd165947f6a9fc58a07c0bb93bb96693dd103da231bd73b0 |
memory/796-70-0x0000000000000000-mapping.dmp
memory/240-71-0x0000000000000000-mapping.dmp
memory/324-72-0x0000000000000000-mapping.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 336e4a90c6f8fa6b544a19457d63b7ed |
| SHA1 | 1b99a8bfd814f281f27aeb36be1fe06df454ef4a |
| SHA256 | 598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4 |
| SHA512 | b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690 |
\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/780-76-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
C:\Users\Admin\AppData\Local\Temp\624C.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
\Users\Admin\AppData\Local\Temp\624C.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/1068-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\624C.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/1952-83-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\624C.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/1068-85-0x00000000000E0000-0x00000000000E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\spc_player.dll
| MD5 | 41afbf49ba7f6ee164f31faa2cd38e15 |
| SHA1 | 4a9aeebf6e2a3c459629662b4e3d72fe210da63f |
| SHA256 | 50d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387 |
| SHA512 | a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe |
memory/888-88-0x0000000000000000-mapping.dmp
memory/1068-93-0x0000000006F95000-0x0000000006FA6000-memory.dmp
memory/1068-92-0x0000000006F90000-0x0000000006F91000-memory.dmp
memory/780-91-0x0000000075590000-0x0000000075591000-memory.dmp
memory/780-90-0x0000000000230000-0x0000000000231000-memory.dmp
memory/780-89-0x0000000077480000-0x0000000077481000-memory.dmp
\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1724-97-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1296-100-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/316-102-0x0000000000400000-0x0000000000435000-memory.dmp
memory/316-103-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\624C.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1068-106-0x0000000006FA6000-0x0000000006FA7000-memory.dmp
memory/316-107-0x0000000000400000-0x0000000000435000-memory.dmp
memory/316-108-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/316-109-0x0000000000240000-0x0000000000241000-memory.dmp
memory/316-110-0x00000000003C0000-0x00000000003CD000-memory.dmp
memory/316-111-0x00000000004B0000-0x00000000004B1000-memory.dmp
memory/316-112-0x0000000001DD0000-0x0000000001DDC000-memory.dmp
memory/324-113-0x0000000000000000-mapping.dmp
memory/324-115-0x0000000070151000-0x0000000070153000-memory.dmp
memory/324-117-0x00000000001A0000-0x00000000002A2000-memory.dmp
memory/324-116-0x00000000772F0000-0x0000000077470000-memory.dmp
memory/324-121-0x00000000003F0000-0x00000000003FC000-memory.dmp
memory/324-123-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/1068-122-0x0000000006FA7000-0x0000000006FA8000-memory.dmp
\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
C:\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1872-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1776-128-0x0000000000000000-mapping.dmp
memory/1776-132-0x0000000000850000-0x0000000000851000-memory.dmp
memory/780-133-0x00000000044C0000-0x0000000004684000-memory.dmp
memory/780-134-0x00000000042B0000-0x00000000043B2000-memory.dmp
memory/780-136-0x0000000004140000-0x000000000429C000-memory.dmp
memory/780-135-0x0000000004130000-0x000000000428C000-memory.dmp
memory/1776-138-0x0000000000CA0000-0x0000000000DA2000-memory.dmp
memory/1776-140-0x0000000000620000-0x000000000062C000-memory.dmp
memory/1776-141-0x00000000005D0000-0x00000000005D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/1152-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/1152-150-0x0000000000C00000-0x0000000000C01000-memory.dmp
memory/1244-149-0x0000000001EF0000-0x0000000002A01000-memory.dmp
memory/324-152-0x0000000000760000-0x0000000000762000-memory.dmp
memory/520-151-0x0000000002680000-0x00000000032CA000-memory.dmp
memory/1068-153-0x0000000007840000-0x0000000007942000-memory.dmp
memory/1068-155-0x0000000000890000-0x000000000089C000-memory.dmp
memory/1152-157-0x0000000005290000-0x0000000005392000-memory.dmp
memory/1152-159-0x0000000002080000-0x000000000208C000-memory.dmp
memory/1700-161-0x0000000000000000-mapping.dmp
memory/1700-163-0x00000000001C0000-0x00000000002C2000-memory.dmp
memory/1700-165-0x0000000000670000-0x000000000067C000-memory.dmp
\Users\Admin\AppData\Local\Temp\624C.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1700-168-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
memory/1204-169-0x0000000002B20000-0x0000000002B26000-memory.dmp
memory/1560-170-0x0000000002A20000-0x0000000002B22000-memory.dmp
memory/1560-173-0x0000000003130000-0x0000000003D7A000-memory.dmp
memory/1560-172-0x0000000003130000-0x0000000003D7A000-memory.dmp
memory/1604-174-0x0000000000000000-mapping.dmp
memory/1604-176-0x00000000001C0000-0x00000000002C2000-memory.dmp
memory/1604-178-0x00000000003E0000-0x00000000003EC000-memory.dmp
\Users\Admin\AppData\Local\Temp\624C.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/1604-181-0x00000000020F0000-0x00000000020F1000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2021-06-01 13:20
Reported
2021-06-01 13:23
Platform
win7v20210408
Max time kernel
150s
Max time network
179s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Vjw0rm
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\amtemu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F882.tmp\key.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F882.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcrobatDC.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcrobatDC.js | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\53mk17a1.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\53mk17a1.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\53mk17a1.exe\"" | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F882.tmp\key.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F882.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\F882.tmp\key.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\F882.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\F882.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\F882.tmp\key.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1708 set thread context of 516 | N/A | C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe | C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AcrobatDC.js | C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe | N/A |
| File opened for modification | C:\Windows\AcrobatDC.js | C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe | N/A |
| File created | C:\Windows\amtemu.exe | C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe | N/A |
| File opened for modification | C:\Windows\amtemu.exe | C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afolder\data.dat | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe
"C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\AcrobatDC.js"
C:\Windows\amtemu.exe
"C:\Windows\amtemu.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F882.tmp\start.bat" C:\Windows\amtemu.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-732837619-1410552359-2104853307-22034894-1661349562-12314096762062640880-844609066"
C:\Users\Admin\AppData\Local\Temp\F882.tmp\key.exe
key.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Windows\AcrobatDC.js
C:\Users\Admin\AppData\Local\Temp\F882.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
Microsoft.VisualStudio.Package.LanguageService.11.0.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 2
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" os get Caption /format:list
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t27408.bat" "C:\Users\Admin\AppData\Local\Temp\F882.tmp\key.exe" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1305804963-2003508894-10576758041146480427-664449230-596923050-719630763394335139"
C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Windows\SysWOW64\find.exe
FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe
bb.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe
"C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a0
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe
puttty.exe
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 4
C:\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe
ereds.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1036
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 844
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | uploadp2p.publicvm.com | udp |
| N/A | 8.8.8.8:53 | crackerem.ru | udp |
| N/A | 8.8.8.8:53 | www.apl.com.pk | udp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 8.8.8.8:53 | uploadp2p.publicvm.com | udp |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 8.8.8.8:53 | uploadp2p.publicvm.com | udp |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 8.8.8.8:53 | uploadp2p.publicvm.com | udp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | uploadp2p.publicvm.com | udp |
| N/A | 8.8.8.8:53 | kikidoyoulabme222.ru | udp |
| N/A | 8.8.8.8:53 | uploadp2p.publicvm.com | udp |
| N/A | 8.8.8.8:53 | ereds6969.co | udp |
| N/A | 8.8.8.8:53 | uploadp2p.publicvm.com | udp |
| N/A | 8.8.8.8:53 | alldayever231.su | udp |
| N/A | 8.8.8.8:53 | uploadp2p.publicvm.com | udp |
Files
memory/1052-60-0x000007FEFB681000-0x000007FEFB683000-memory.dmp
memory/1740-61-0x0000000000000000-mapping.dmp
C:\Windows\AcrobatDC.js
| MD5 | 9369231125c086e3761ec5238ce71020 |
| SHA1 | e92d312f660e360a460b9eb182ea68a2f5068f95 |
| SHA256 | 600b88a21f553bd0e719af4601bde53de7bd7e7e09dfe56032f88ac54e34d58f |
| SHA512 | 57874d89812731a5daf656965c7ed86b37143265f53a5bad27716d12b38bc675d4fd31d3e360fc744d5d868483033bd0a514fca94afac7ee6ce3a2277a166ce4 |
memory/1928-63-0x0000000000000000-mapping.dmp
C:\Windows\amtemu.exe
| MD5 | 88124e4aba906259af28a466774431ea |
| SHA1 | fbc1c27e0d7177238ec99481ffa7d839d1f51594 |
| SHA256 | 1b94ce5e3fb24f02cd970bf09031482d4e2bafebcaafc3f477a735d483e13dbd |
| SHA512 | cdc0af6ea2686d35e4a77f4eb802ba9e41819b052253071a397601bec4d6232e5351d21b5d8ab4644e9f6ffd67057ec8c6f2db8605b429afcdf7b3ecd8005e2d |
memory/1928-65-0x0000000074D91000-0x0000000074D93000-memory.dmp
memory/1588-66-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F882.tmp\start.bat
| MD5 | f96458f7f2a09565f4b715dba1279633 |
| SHA1 | 86e808b7a0d46dcce31c2257f694d57f1391da9e |
| SHA256 | e44b8c63fd1af7398baf56956f1bb67ee6da398df848451efaef980ad36fbc79 |
| SHA512 | 8da2ce25b5cbf12bb150d7078dbb51423f90039de5bdc05c7d652518af992a6607f989615ae08d710d6f7e37913b9bfc7b5e218d8c530e0aa377dc07c397cd78 |
\Users\Admin\AppData\Local\Temp\F882.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
C:\Users\Admin\AppData\Local\Temp\F882.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/852-70-0x0000000000000000-mapping.dmp
memory/1656-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F882.tmp\key.exe
| MD5 | 4d50c264c22fd1047a8a3bd8b77b3bd1 |
| SHA1 | 007d3a3b116834e1ef181397dde48108a660a380 |
| SHA256 | 2f6c41716ddd86a9316a24074747286e9e1a033780b82ef3ce47f5d821655c45 |
| SHA512 | 8f8c56e8c0a1c4f9b10332139b48e4709890c29073dd47e67f460e8f9453150b89947a4fe83974474861a47c99b2749fecc262fb7ffb080854b0e7724078b5a7 |
memory/1252-74-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\F882.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
\Users\Admin\AppData\Local\Temp\F882.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
C:\Users\Admin\AppData\Local\Temp\F882.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/1828-78-0x0000000000000000-mapping.dmp
memory/432-80-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F882.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
| MD5 | 89158e00639d9ef6ee9337b4f19e74f4 |
| SHA1 | dc0f6e9025c284b3071dbfc6f1a8b8c0c639fce8 |
| SHA256 | 9f46c479aacf5bb3810ab29c4f2950c34902aaf864bccd844f54d121a75d0b1d |
| SHA512 | c23832cd017aa36dca87308aa0cbc5a3c710e34ba46bd5f689031740d235537c9d226b1de57bcc8823236959561ada368789a6cf5a49a4cbe7ee1781af366add |
memory/1828-81-0x0000000000D20000-0x0000000000D21000-memory.dmp
memory/660-83-0x0000000000000000-mapping.dmp
memory/1328-84-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ytmp\t27408.bat
| MD5 | e27d9b298ec7d6ebcefe841b61c8ef86 |
| SHA1 | e39b06fd4677e1fa4ac2d0f109fefd7c700eb988 |
| SHA256 | 2a620ff3c57f0c551458202e7b21392dfd001ab269149e18366c5a0987127f5a |
| SHA512 | 79ad6896e17e8ea5a8cb65811a7ad00255dff91c3454724276651cf842be1a02c64c680c39ea19dda63531f7c1f09c946445935cecc88d3c078c0c25a75a423f |
memory/1956-86-0x0000000000000000-mapping.dmp
memory/944-87-0x0000000000000000-mapping.dmp
memory/900-88-0x0000000000000000-mapping.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 336e4a90c6f8fa6b544a19457d63b7ed |
| SHA1 | 1b99a8bfd814f281f27aeb36be1fe06df454ef4a |
| SHA256 | 598fddabcebbe5fc537eb617892aa9adab061e3cd61c55c1c6d4da80e460a4d4 |
| SHA512 | b9f9cae77a2c54e1f7ac363d120d2c3ef79891dbde70dc2a9445b6bf801487688285b7fc72fbdbcb868b6c34234885e4e9b558bd05518ac4d6d843398895c690 |
memory/1828-90-0x0000000006F40000-0x0000000006F41000-memory.dmp
memory/1828-91-0x0000000006F45000-0x0000000006F56000-memory.dmp
\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/1920-94-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
| MD5 | 8abdc20f619641e29aa9ad2b999a0dcc |
| SHA1 | caad125358d2ae6d217e74cfcd175ac81c43c729 |
| SHA256 | cdc95d0113a2af05c2e70fab23f6c218ae583ebcb47077dd5b705a476f9d6b96 |
| SHA512 | 90999eb0bcb76a3d21e63565e332f1ac8a6fbc1e3dfe147c4ba2b5f8c542e21da3a43df9f5074eb7f7107e0e66d48e21cedda568fa1960502645f1b358d1550e |
memory/1708-100-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1016-101-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\spc_player.dll
| MD5 | 41afbf49ba7f6ee164f31faa2cd38e15 |
| SHA1 | 4a9aeebf6e2a3c459629662b4e3d72fe210da63f |
| SHA256 | 50d30b7aa7b9858f91f33165314c7cf7f2acc97157091676c7e7925e018fd387 |
| SHA512 | a323705e7e286f2e1cb821cccf1f24812020ef1b788f51e13176afaa04cb008899a32270bad7757204cbf9fce1a9887071fa84d353af2e5a667cba003c7f1efe |
C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/1920-106-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1920-104-0x0000000077170000-0x0000000077171000-memory.dmp
memory/1828-107-0x0000000006F56000-0x0000000006F57000-memory.dmp
memory/1920-108-0x00000000766A0000-0x00000000766A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/516-110-0x0000000000400000-0x0000000000435000-memory.dmp
memory/516-111-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F882.tmp\bb.exe
| MD5 | 347d7700eb4a4537df6bb7492ca21702 |
| SHA1 | 983189dab4b523e19f8efd35eee4d7d43d84aca2 |
| SHA256 | a9963808a1a358d6ee26ab88bdab4add50512de1a863aa79937815444ee64da8 |
| SHA512 | 5efb1bce5b5fe74c886126c7bf3627628842a73d31550aee61b71e462b0cc4256b07ae2dc8c207917c5e134c15b8b1d5f3bbbd76724a9b12188f32ba48c25ac9 |
memory/516-114-0x0000000000400000-0x0000000000435000-memory.dmp
memory/516-119-0x0000000001DD0000-0x0000000001DDC000-memory.dmp
memory/516-118-0x00000000005D0000-0x00000000005D1000-memory.dmp
memory/516-117-0x0000000000250000-0x000000000025D000-memory.dmp
memory/516-116-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/516-115-0x0000000001C40000-0x0000000001CA6000-memory.dmp
memory/1840-120-0x0000000000000000-mapping.dmp
memory/1840-122-0x000000006FE41000-0x000000006FE43000-memory.dmp
memory/1840-128-0x0000000000250000-0x000000000025C000-memory.dmp
memory/1840-130-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1828-129-0x0000000006F57000-0x0000000006F58000-memory.dmp
memory/1840-124-0x0000000000550000-0x0000000000652000-memory.dmp
memory/1840-123-0x0000000076FE0000-0x0000000077160000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1288-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1360-137-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1288-139-0x0000000002030000-0x0000000002031000-memory.dmp
memory/1920-141-0x0000000003FF0000-0x000000000414C000-memory.dmp
memory/1920-142-0x0000000004380000-0x000000000438C000-memory.dmp
memory/1920-143-0x0000000004000000-0x000000000415C000-memory.dmp
memory/1920-140-0x0000000004170000-0x0000000004272000-memory.dmp
memory/1288-144-0x00000000044D0000-0x00000000045D2000-memory.dmp
memory/1288-146-0x0000000000560000-0x000000000056C000-memory.dmp
memory/1288-147-0x0000000000510000-0x0000000000511000-memory.dmp
\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
C:\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/2132-151-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
C:\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/1360-155-0x0000000001CA0000-0x0000000001DA2000-memory.dmp
memory/1588-156-0x0000000001D20000-0x0000000002831000-memory.dmp
memory/1588-158-0x0000000000140000-0x000000000014A000-memory.dmp
memory/2132-157-0x00000000005D0000-0x00000000005D1000-memory.dmp
memory/1928-159-0x0000000002820000-0x000000000346A000-memory.dmp
memory/1840-161-0x0000000000750000-0x0000000000752000-memory.dmp
memory/1740-162-0x00000000025A0000-0x00000000025A6000-memory.dmp
memory/1828-163-0x0000000007B10000-0x0000000007C12000-memory.dmp
memory/1828-165-0x0000000000650000-0x000000000065C000-memory.dmp
memory/2300-167-0x0000000000000000-mapping.dmp
memory/2300-169-0x00000000001C0000-0x00000000002C2000-memory.dmp
memory/2300-171-0x0000000000400000-0x000000000040C000-memory.dmp
\Users\Admin\AppData\Local\Temp\F882.tmp\puttty.exe
| MD5 | 8a40892abb22c314d13d30923f9b96c8 |
| SHA1 | ff6807c0e8454101746b57fd8cc22105b6d98100 |
| SHA256 | ee59ca12eb0a166e08f2fae9f6bb818496b9172b4bc11d22b47d184f72b6aae8 |
| SHA512 | 8a2bfd6e49262f0a68a5ab7c7385d30a2f2ed150f641d00b8bf1c9817d2d23151a6b1ac13c2aece4c93fee78d6c3dc3480cc70b67b9a344063891f3e0f4f5f5b |
memory/1212-175-0x0000000003AB0000-0x0000000003AB6000-memory.dmp
memory/2300-174-0x0000000002EA0000-0x0000000002EA1000-memory.dmp
memory/2132-176-0x0000000005410000-0x0000000005512000-memory.dmp
memory/2132-178-0x00000000045A0000-0x00000000045AC000-memory.dmp
memory/2436-180-0x0000000000000000-mapping.dmp
memory/2436-182-0x00000000001C0000-0x00000000002C2000-memory.dmp
memory/2436-184-0x00000000003E0000-0x00000000003EC000-memory.dmp
memory/852-186-0x0000000002F40000-0x0000000003B8A000-memory.dmp
memory/852-188-0x00000000010B0000-0x00000000010BC000-memory.dmp
\Users\Admin\AppData\Local\Temp\F882.tmp\ereds.exe
| MD5 | 767d99623569552123fb197eead28fca |
| SHA1 | 9f1016e3cce207c6ed707482104ea3ee9034accf |
| SHA256 | 83340560b73a536090d42341628d6d1f966f437dc8462a6d69f993dc7f17e145 |
| SHA512 | 897fa44f7b939557434155df170694269d1b9d575f28dff1d930a6b98b04d96fc002ab1921a8723ded5ae4e009dde3d18ce5d819ff1f471f14cadaa39386f36c |
memory/2436-191-0x0000000002EE0000-0x0000000002EE1000-memory.dmp