Malware Analysis Report

2024-11-15 06:30

Sample ID 210624-melsmm1psn
Target d091285362e6cfcf60690c8a4dcd695e
SHA256 a8f36e203ba22b243837f95a371fbad43ef4162e2cf6f01ab78714fed88e7bb3
Tags
echelon evasion persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8f36e203ba22b243837f95a371fbad43ef4162e2cf6f01ab78714fed88e7bb3

Threat Level: Known bad

The file d091285362e6cfcf60690c8a4dcd695e was found to be: Known bad.

Malicious Activity Summary

echelon evasion persistence spyware stealer

Echelon

Executes dropped EXE

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Drops autorun.inf file

Enumerates physical storage devices

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-06-24 02:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-06-24 02:02

Reported

2021-06-24 02:05

Platform

win7v20210410

Max time kernel

150s

Max time network

197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe"

Signatures

Echelon

stealer spyware echelon

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A (x2)
N/A ip-api.com N/A N/A

Drops autorun.inf file

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary blob value omitted) C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe N/A (x6)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A (x12)
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe N/A (x2)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A (x30)
N/A N/A C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A (x13)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A (x14, alternating with the row below)
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A (x14)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe (x4)
PID 2024 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe (x4)
PID 1488 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe (x4)
PID 1636 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe C:\Windows\SysWOW64\netsh.exe (x4)

Processes

C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe

"C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe"

C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe

"C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe"

C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe

"C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe"

C:\Users\Admin\AppData\Roaming\Microsoft.exe

"C:\Users\Admin\AppData\Roaming\Microsoft.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft.exe" "Microsoft.exe" ENABLE

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 wervjjjjdjfvjdfgjdfjgjdf.000webhostapp.com udp
N/A 145.14.144.116:443 wervjjjjdjfvjdfgjdfjgjdf.000webhostapp.com tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.243.175.83:443 api.ipify.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 8.8.8.8:53 2.tcp.ngrok.io udp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 52.14.18.129:19492 2.tcp.ngrok.io tcp
N/A 8.8.8.8:53 2.tcp.ngrok.io udp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 3.128.107.74:19492 2.tcp.ngrok.io tcp
N/A 8.8.8.8:53 2.tcp.ngrok.io udp
N/A 3.22.53.161:19492 2.tcp.ngrok.io tcp
N/A 3.22.53.161:19492 2.tcp.ngrok.io tcp

Files

memory/2024-59-0x0000000000950000-0x0000000000951000-memory.dmp

memory/2024-61-0x0000000076A81000-0x0000000076A83000-memory.dmp

memory/2024-62-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe

MD5 eb2efc889c96765d41bcac7ae5586f93
SHA1 f6129e5533d751f33bea71d2f114b2e217ecbb5c
SHA256 b12603344325e60166c40764c52866e4cdc556f0176017f2cb71b5e7f0f591f0
SHA512 5003c8d36343fe8c2761f6c73d73b9c2f99da59d9b7d80dd29dc7eb754e52ef25285b65b50119fa09d02f8ab354d8d0fd7dd59bb09f372b0347d0c2ef87be3f9

memory/772-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe

MD5 eb2efc889c96765d41bcac7ae5586f93
SHA1 f6129e5533d751f33bea71d2f114b2e217ecbb5c
SHA256 b12603344325e60166c40764c52866e4cdc556f0176017f2cb71b5e7f0f591f0
SHA512 5003c8d36343fe8c2761f6c73d73b9c2f99da59d9b7d80dd29dc7eb754e52ef25285b65b50119fa09d02f8ab354d8d0fd7dd59bb09f372b0347d0c2ef87be3f9

C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe

MD5 eb2efc889c96765d41bcac7ae5586f93
SHA1 f6129e5533d751f33bea71d2f114b2e217ecbb5c
SHA256 b12603344325e60166c40764c52866e4cdc556f0176017f2cb71b5e7f0f591f0
SHA512 5003c8d36343fe8c2761f6c73d73b9c2f99da59d9b7d80dd29dc7eb754e52ef25285b65b50119fa09d02f8ab354d8d0fd7dd59bb09f372b0347d0c2ef87be3f9

\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe

MD5 4679d9734f3c814016da3e5300705979
SHA1 73d0709085f74c84d188131df65911931bc94c01
SHA256 e2c3166cb076362c126a82167baf21c10b61d87b9a08d4e8db734b64c8b474df
SHA512 31eca954a704e50e97aa3297ac5ae17e492319230c4d9c45cd71d9c4e53d4bcbc50f3c67387f38aaa8fc600cb289029a96b1fead7dbde1cd79d4c916abcd62fb

memory/772-68-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

memory/1488-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe

MD5 4679d9734f3c814016da3e5300705979
SHA1 73d0709085f74c84d188131df65911931bc94c01
SHA256 e2c3166cb076362c126a82167baf21c10b61d87b9a08d4e8db734b64c8b474df
SHA512 31eca954a704e50e97aa3297ac5ae17e492319230c4d9c45cd71d9c4e53d4bcbc50f3c67387f38aaa8fc600cb289029a96b1fead7dbde1cd79d4c916abcd62fb

C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe

MD5 4679d9734f3c814016da3e5300705979
SHA1 73d0709085f74c84d188131df65911931bc94c01
SHA256 e2c3166cb076362c126a82167baf21c10b61d87b9a08d4e8db734b64c8b474df
SHA512 31eca954a704e50e97aa3297ac5ae17e492319230c4d9c45cd71d9c4e53d4bcbc50f3c67387f38aaa8fc600cb289029a96b1fead7dbde1cd79d4c916abcd62fb

memory/772-74-0x00000000022C0000-0x0000000002331000-memory.dmp

memory/1488-75-0x0000000000970000-0x0000000000971000-memory.dmp

memory/772-76-0x000000001B110000-0x000000001B112000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft.exe

MD5 4679d9734f3c814016da3e5300705979
SHA1 73d0709085f74c84d188131df65911931bc94c01
SHA256 e2c3166cb076362c126a82167baf21c10b61d87b9a08d4e8db734b64c8b474df
SHA512 31eca954a704e50e97aa3297ac5ae17e492319230c4d9c45cd71d9c4e53d4bcbc50f3c67387f38aaa8fc600cb289029a96b1fead7dbde1cd79d4c916abcd62fb

C:\Users\Admin\AppData\Roaming\Microsoft.exe

MD5 4679d9734f3c814016da3e5300705979
SHA1 73d0709085f74c84d188131df65911931bc94c01
SHA256 e2c3166cb076362c126a82167baf21c10b61d87b9a08d4e8db734b64c8b474df
SHA512 31eca954a704e50e97aa3297ac5ae17e492319230c4d9c45cd71d9c4e53d4bcbc50f3c67387f38aaa8fc600cb289029a96b1fead7dbde1cd79d4c916abcd62fb

memory/1636-78-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft.exe

MD5 4679d9734f3c814016da3e5300705979
SHA1 73d0709085f74c84d188131df65911931bc94c01
SHA256 e2c3166cb076362c126a82167baf21c10b61d87b9a08d4e8db734b64c8b474df
SHA512 31eca954a704e50e97aa3297ac5ae17e492319230c4d9c45cd71d9c4e53d4bcbc50f3c67387f38aaa8fc600cb289029a96b1fead7dbde1cd79d4c916abcd62fb

memory/1636-82-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/1084-83-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-06-24 02:02

Reported

2021-06-24 02:04

Platform

win10v20210408

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe"

Signatures

Modifies Windows Firewall

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A (x2)
N/A ip-api.com N/A N/A
N/A freegeoip.app N/A N/A (x2)

Drops autorun.inf file

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\ProgramData\Decoder.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\ProgramData\Decoder.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe N/A (x2)
N/A N/A C:\ProgramData\Decoder.exe N/A (x3)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A (x59)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Decoder.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A (x16, alternating with the row below)
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe N/A (x16)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 564 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe (x2)
PID 564 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe (x3)
PID 3236 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe C:\Users\Admin\AppData\Roaming\Microsoft.exe (x3)
PID 3736 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe C:\ProgramData\Decoder.exe (x3)
PID 3736 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe C:\Windows\system32\cmd.exe (x2)
PID 3580 wrote to memory of 3140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe (x2)
PID 704 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Roaming\Microsoft.exe C:\Windows\SysWOW64\netsh.exe (x3)

Processes

C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe

"C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe"

C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe

"C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe"

C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe

"C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe"

C:\Users\Admin\AppData\Roaming\Microsoft.exe

"C:\Users\Admin\AppData\Roaming\Microsoft.exe"

C:\ProgramData\Decoder.exe

"C:\ProgramData\Decoder.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""

C:\Windows\system32\timeout.exe

timeout 4

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft.exe" "Microsoft.exe" ENABLE

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 wervjjjjdjfvjdfgjdfjgjdf.000webhostapp.com udp
N/A 145.14.144.116:443 wervjjjjdjfvjdfgjdfjgjdf.000webhostapp.com tcp
N/A 8.8.8.8:53 api.ipify.org udp
N/A 23.21.173.155:443 api.ipify.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 8.8.8.8:53 freegeoip.app udp
N/A 172.67.188.154:443 freegeoip.app tcp
N/A 8.8.8.8:53 f0521569.xsph.ru udp
N/A 141.8.192.151:80 f0521569.xsph.ru tcp
N/A 8.8.8.8:53 2.tcp.ngrok.io udp
N/A 3.138.45.170:19492 2.tcp.ngrok.io tcp
N/A 8.8.8.8:53 2.tcp.ngrok.io udp
N/A 3.131.207.170:19492 2.tcp.ngrok.io tcp
N/A 8.8.8.8:53 2.tcp.ngrok.io udp
N/A 13.59.15.185:19492 2.tcp.ngrok.io tcp

Files

memory/564-114-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/564-116-0x00000000055B0000-0x00000000055B1000-memory.dmp

memory/3736-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe

MD5 eb2efc889c96765d41bcac7ae5586f93
SHA1 f6129e5533d751f33bea71d2f114b2e217ecbb5c
SHA256 b12603344325e60166c40764c52866e4cdc556f0176017f2cb71b5e7f0f591f0
SHA512 5003c8d36343fe8c2761f6c73d73b9c2f99da59d9b7d80dd29dc7eb754e52ef25285b65b50119fa09d02f8ab354d8d0fd7dd59bb09f372b0347d0c2ef87be3f9

memory/3236-121-0x0000000000000000-mapping.dmp

memory/3736-120-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe

MD5 4679d9734f3c814016da3e5300705979
SHA1 73d0709085f74c84d188131df65911931bc94c01
SHA256 e2c3166cb076362c126a82167baf21c10b61d87b9a08d4e8db734b64c8b474df
SHA512 31eca954a704e50e97aa3297ac5ae17e492319230c4d9c45cd71d9c4e53d4bcbc50f3c67387f38aaa8fc600cb289029a96b1fead7dbde1cd79d4c916abcd62fb

memory/3236-125-0x0000000002520000-0x0000000002521000-memory.dmp

memory/3736-126-0x0000000002D20000-0x0000000002D91000-memory.dmp

memory/3736-127-0x000000001BC50000-0x000000001BC52000-memory.dmp

memory/704-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft.exe

MD5 4679d9734f3c814016da3e5300705979
SHA1 73d0709085f74c84d188131df65911931bc94c01
SHA256 e2c3166cb076362c126a82167baf21c10b61d87b9a08d4e8db734b64c8b474df
SHA512 31eca954a704e50e97aa3297ac5ae17e492319230c4d9c45cd71d9c4e53d4bcbc50f3c67387f38aaa8fc600cb289029a96b1fead7dbde1cd79d4c916abcd62fb

memory/2976-131-0x0000000000000000-mapping.dmp

C:\ProgramData\Decoder.exe

MD5 c29c0d495ed13e703f433d53bdffdab8
SHA1 74ed36e6b6027b61abcfe2956670ffd9de7fd71a
SHA256 20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b
SHA512 fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

memory/3580-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\.cmd

MD5 73712247036b6a24d16502c57a3e5679
SHA1 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
SHA256 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
SHA512 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

memory/3140-136-0x0000000000000000-mapping.dmp

memory/2976-137-0x0000000004AE0000-0x0000000004B76000-memory.dmp

memory/704-138-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

memory/2976-139-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

memory/2976-140-0x0000000004AD2000-0x0000000004AD3000-memory.dmp

memory/2976-141-0x0000000004AD3000-0x0000000004AD4000-memory.dmp

memory/2976-142-0x0000000004B80000-0x0000000004B81000-memory.dmp

memory/2976-143-0x0000000004A20000-0x0000000004AB4000-memory.dmp

memory/2976-144-0x0000000004AD4000-0x0000000004AD6000-memory.dmp

memory/2976-145-0x0000000005190000-0x0000000005191000-memory.dmp

memory/2976-146-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

memory/2976-147-0x00000000054A0000-0x0000000005510000-memory.dmp

memory/3176-148-0x0000000000000000-mapping.dmp