Analysis Overview
SHA256
424f2f46f0cf4c96c2f8ef8954d1438db206486353601425ead011d74c4cb128
Threat Level: Known bad
The file 424F2F46F0CF4C96C2F8EF8954D1438DB206486353601.exe was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Sets file execution options in registry
Executes dropped EXE
Sets file to hidden
Loads dropped DLL
Checks BIOS information in registry
Drops desktop.ini file(s)
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: MapViewOfSection
Kills process with taskkill
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Modifies Internet Explorer Protected Mode
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-04 23:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-04 23:26
Reported
2021-11-04 23:28
Platform
win7-en-20211014
Max time kernel
151s
Max time network
122s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\booking\data\K480101741BH.exe | N/A |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yayge339_1.exe | N/A |
Sets file execution options in registry
Sets file to hidden
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\yayge339.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\yayge339.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\yayge339.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\booking\data\sbhost.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1724 set thread context of 288 | N/A | C:\booking\data\sbhost.exe | C:\booking\data\sbhost.exe |
| PID 1772 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\yayge339_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\booking\data\sbhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\booking\data\sbhost.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\yayge339_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\yayge339_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: 33 | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\424F2F46F0CF4C96C2F8EF8954D1438DB206486353601.exe
"C:\Users\Admin\AppData\Local\Temp\424F2F46F0CF4C96C2F8EF8954D1438DB206486353601.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\booking\data\startbook.vbs" /f=CREATE_NO_WINDOW install.cmd
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\booking\data\start1.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-161112375120565890601509182971-1380913554-1877728229-18123901242009051252111932918"
C:\Windows\SysWOW64\timeout.exe
timeout 7
C:\booking\data\K480101741BH.exe
"K480101741BH.exe" e -psetup wid.rar
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\booking\data\fbk.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\booking\data\445.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\booking"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\booking\data\sbhost.exe
sbhost.exe /start
C:\booking\data\sbhost.exe
sbhost.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im K480101741BH.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im K480101741BH.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\booking\data"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\yayge339_1.exe
/suac
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | update.microsoft.com | udp |
| US | 52.185.71.28:80 | update.microsoft.com | tcp |
| US | 8.8.8.8:53 | russk16.icu | udp |
| US | 8.8.8.8:53 | russk17.icu | udp |
| US | 8.8.8.8:53 | russk18.icu | udp |
| US | 8.8.8.8:53 | russk19.icu | udp |
| US | 8.8.8.8:53 | russk20.icu | udp |
| US | 8.8.8.8:53 | moscow13.at | udp |
| US | 8.8.8.8:53 | moscow13.at | udp |
| DE | 160.20.147.189:80 | moscow13.at | tcp |
Files
memory/2040-55-0x00000000754A1000-0x00000000754A3000-memory.dmp
memory/1480-56-0x0000000000000000-mapping.dmp
C:\booking\data\startbook.vbs
| MD5 | 594e0cb7f4486880945b986f1adf9f49 |
| SHA1 | 8155f7be615cd60017a1af07aac17801de2a64ba |
| SHA256 | 265d486a8fac96e0c3ce1309c50bcb88b0a37f739e533ed92483fe66b946c220 |
| SHA512 | 3093b6e45fc17654e2419b08d6519dd891afd1672bcf6e61c77dca19258ae8bf7d46db98facb38e0a27527cae865a8d1445d8546be78af6cbc465e5fd56d87c4 |
C:\booking\data\start1.bat
| MD5 | 0ccf45b2c7aad8f25d8a8f3a6ff7b620 |
| SHA1 | 7785a6d2b22a8b64dd549bc0a8a08a85b6404525 |
| SHA256 | 8df03bfad7860d4f609e48de215c6f40fbb0de78bdaeb08fdf3409e722585efb |
| SHA512 | 3fb8dd5fa9cdbb59d5d195e66f6108954c4a89b358a2f75bbb6e03739a67965ead3d91a24a648a4204fc32c6d753815e4cf98e17a2fdc5913704c28fdb159f6c |
memory/824-60-0x0000000000000000-mapping.dmp
memory/1716-62-0x0000000000000000-mapping.dmp
C:\booking\data\lip
| MD5 | fa29a98bb09c83776a6a935ac561f942 |
| SHA1 | e7b50856559b55faa43263869bf3bbcabca9497d |
| SHA256 | b0790da1d02a8a12b52da8b9d0762dbb7b42c6052c21c5060793e54048f2e91e |
| SHA512 | 6673a17bf8760a9d3eb1fa3fe34457d678744e536c73669d89ec99c59aaa22d1b5f96450e9bdecb53aa33808e51933d312f524d5a4046ab38c89fcf4b64901ef |
C:\booking\data\K480101741BH.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
\booking\data\K480101741BH.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/956-67-0x0000000000000000-mapping.dmp
C:\booking\data\K480101741BH.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/1060-70-0x0000000000000000-mapping.dmp
memory/1068-75-0x0000000000000000-mapping.dmp
memory/1492-73-0x0000000000000000-mapping.dmp
C:\booking\data\fbk.vbs
| MD5 | 12c302b2a7afa9d52bbc04875144319f |
| SHA1 | 5c5b5a2024a0f2838a0d94268282ad95ba388b25 |
| SHA256 | 3e8e92c822501efaae4e4ae0c4e63d6822bc5aa5e2178ab5f5cf6bb74c77e283 |
| SHA512 | 18b197db47f2bb2853de592a672a321f4188722eb48fd6165f9bc6d9f3dfe69dff2c0fdc49f9e5cfe939722c9ce47dd5dc31424619660c6e745122f5590a022f |
C:\booking\data\445.bat
| MD5 | c86da07ce7586e386a200461d52df5af |
| SHA1 | dc25c66d7b21df845afa3afcc011d8ca9e906b96 |
| SHA256 | 5e2dfcef3c3e413ac2ac6bde2c200e53aec9dc32b509e83735589b3c3dd3b268 |
| SHA512 | ae4d518a998d09d4c55f3b58a7cd38d5ffe3b7175f626fcfbba0aa8be066fe86edc96bcbbfeb33c9f6940f47bd011c2a7ad4b44326bd70833c7a0c84dc99732f |
memory/1312-78-0x0000000000000000-mapping.dmp
memory/1776-80-0x0000000000000000-mapping.dmp
memory/1780-82-0x0000000000000000-mapping.dmp
\booking\data\sbhost.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
C:\booking\data\sbhost.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
\booking\data\sbhost.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
memory/1724-87-0x0000000000000000-mapping.dmp
C:\booking\data\sbhost.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
\booking\data\sbhost.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
memory/288-91-0x0000000000400000-0x0000000000435000-memory.dmp
memory/288-92-0x0000000000400000-0x0000000000435000-memory.dmp
memory/288-93-0x00000000004015C6-mapping.dmp
C:\booking\data\sbhost.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
memory/288-97-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1164-96-0x0000000000000000-mapping.dmp
memory/288-98-0x0000000000400000-0x0000000000435000-memory.dmp
memory/288-100-0x0000000000600000-0x0000000000666000-memory.dmp
memory/1976-102-0x0000000000000000-mapping.dmp
memory/1620-104-0x0000000000000000-mapping.dmp
memory/1624-106-0x0000000000000000-mapping.dmp
memory/288-109-0x0000000000600000-0x0000000000666000-memory.dmp
memory/288-108-0x0000000000400000-0x0000000000435000-memory.dmp
memory/288-111-0x0000000000260000-0x000000000026D000-memory.dmp
memory/288-110-0x0000000000250000-0x0000000000251000-memory.dmp
memory/288-112-0x0000000001F80000-0x0000000001F81000-memory.dmp
memory/288-113-0x0000000002510000-0x000000000251C000-memory.dmp
memory/964-114-0x0000000000000000-mapping.dmp
memory/964-116-0x0000000074271000-0x0000000074273000-memory.dmp
memory/964-117-0x00000000774D0000-0x0000000077650000-memory.dmp
memory/964-118-0x0000000000550000-0x0000000000683000-memory.dmp
memory/964-119-0x0000000000290000-0x000000000029C000-memory.dmp
memory/288-120-0x00000000020F0000-0x00000000020F1000-memory.dmp
memory/824-121-0x00000000021E0000-0x00000000022D5000-memory.dmp
memory/964-122-0x0000000000690000-0x0000000000710000-memory.dmp
memory/1252-123-0x0000000002AF0000-0x0000000002AF6000-memory.dmp
\Users\Admin\AppData\Local\Temp\yayge339_1.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
memory/1772-125-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\yayge339_1.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
C:\Users\Admin\AppData\Local\Temp\yayge339_1.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-04 23:26
Reported
2021-11-04 23:28
Platform
win10-en-20211104
Max time kernel
157s
Max time network
128s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\booking\data\K480101741BH.exe | N/A |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\g559o1515guoa9_1.exe | N/A |
Sets file execution options in registry
Sets file to hidden
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\g559o1515guoa9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\g559o1515guoa9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\g559o1515guoa9.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\booking\data\sbhost.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2808 set thread context of 4012 | N/A | C:\booking\data\sbhost.exe | C:\booking\data\sbhost.exe |
| PID 3140 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\g559o1515guoa9_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\booking\data\sbhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\booking\data\sbhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\424F2F46F0CF4C96C2F8EF8954D1438DB206486353601.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\g559o1515guoa9_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\g559o1515guoa9_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\booking\data\sbhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: 33 | N/A | C:\booking\data\sbhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\424F2F46F0CF4C96C2F8EF8954D1438DB206486353601.exe
"C:\Users\Admin\AppData\Local\Temp\424F2F46F0CF4C96C2F8EF8954D1438DB206486353601.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\booking\data\startbook.vbs" /f=CREATE_NO_WINDOW install.cmd
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\booking\data\start1.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 7
C:\booking\data\K480101741BH.exe
"K480101741BH.exe" e -psetup wid.rar
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\booking\data\fbk.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\booking\data\445.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\booking"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\booking\data\sbhost.exe
sbhost.exe /start
C:\booking\data\sbhost.exe
sbhost.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im K480101741BH.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im K480101741BH.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\booking\data"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\g559o1515guoa9_1.exe
/suac
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.20:443 | tcp | |
| US | 8.8.8.8:53 | sv.symcb.com | udp |
| US | 93.184.220.29:80 | sv.symcb.com | tcp |
| US | 8.8.8.8:53 | s.symcb.com | udp |
| US | 72.21.91.29:80 | s.symcb.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 216.58.214.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | russk16.icu | udp |
| US | 8.8.8.8:53 | russk17.icu | udp |
| US | 8.8.8.8:53 | russk18.icu | udp |
| US | 8.8.8.8:53 | russk19.icu | udp |
| US | 8.8.8.8:53 | russk20.icu | udp |
| US | 8.8.8.8:53 | moscow13.at | udp |
| US | 8.8.8.8:53 | moscow13.at | udp |
| DE | 160.20.147.189:80 | moscow13.at | tcp |
Files
memory/3924-118-0x0000000000000000-mapping.dmp
C:\booking\data\startbook.vbs
| MD5 | 594e0cb7f4486880945b986f1adf9f49 |
| SHA1 | 8155f7be615cd60017a1af07aac17801de2a64ba |
| SHA256 | 265d486a8fac96e0c3ce1309c50bcb88b0a37f739e533ed92483fe66b946c220 |
| SHA512 | 3093b6e45fc17654e2419b08d6519dd891afd1672bcf6e61c77dca19258ae8bf7d46db98facb38e0a27527cae865a8d1445d8546be78af6cbc465e5fd56d87c4 |
C:\booking\data\start1.bat
| MD5 | 0ccf45b2c7aad8f25d8a8f3a6ff7b620 |
| SHA1 | 7785a6d2b22a8b64dd549bc0a8a08a85b6404525 |
| SHA256 | 8df03bfad7860d4f609e48de215c6f40fbb0de78bdaeb08fdf3409e722585efb |
| SHA512 | 3fb8dd5fa9cdbb59d5d195e66f6108954c4a89b358a2f75bbb6e03739a67965ead3d91a24a648a4204fc32c6d753815e4cf98e17a2fdc5913704c28fdb159f6c |
memory/1128-121-0x0000000000000000-mapping.dmp
memory/1248-122-0x0000000000000000-mapping.dmp
C:\booking\data\lip
| MD5 | fa29a98bb09c83776a6a935ac561f942 |
| SHA1 | e7b50856559b55faa43263869bf3bbcabca9497d |
| SHA256 | b0790da1d02a8a12b52da8b9d0762dbb7b42c6052c21c5060793e54048f2e91e |
| SHA512 | 6673a17bf8760a9d3eb1fa3fe34457d678744e536c73669d89ec99c59aaa22d1b5f96450e9bdecb53aa33808e51933d312f524d5a4046ab38c89fcf4b64901ef |
C:\booking\data\K480101741BH.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/1528-124-0x0000000000000000-mapping.dmp
memory/4056-126-0x0000000000000000-mapping.dmp
C:\booking\data\fbk.vbs
| MD5 | 12c302b2a7afa9d52bbc04875144319f |
| SHA1 | 5c5b5a2024a0f2838a0d94268282ad95ba388b25 |
| SHA256 | 3e8e92c822501efaae4e4ae0c4e63d6822bc5aa5e2178ab5f5cf6bb74c77e283 |
| SHA512 | 18b197db47f2bb2853de592a672a321f4188722eb48fd6165f9bc6d9f3dfe69dff2c0fdc49f9e5cfe939722c9ce47dd5dc31424619660c6e745122f5590a022f |
memory/3516-128-0x0000000000000000-mapping.dmp
memory/2552-129-0x0000000000000000-mapping.dmp
C:\booking\data\445.bat
| MD5 | c86da07ce7586e386a200461d52df5af |
| SHA1 | dc25c66d7b21df845afa3afcc011d8ca9e906b96 |
| SHA256 | 5e2dfcef3c3e413ac2ac6bde2c200e53aec9dc32b509e83735589b3c3dd3b268 |
| SHA512 | ae4d518a998d09d4c55f3b58a7cd38d5ffe3b7175f626fcfbba0aa8be066fe86edc96bcbbfeb33c9f6940f47bd011c2a7ad4b44326bd70833c7a0c84dc99732f |
memory/604-131-0x0000000000000000-mapping.dmp
memory/364-132-0x0000000000000000-mapping.dmp
memory/708-133-0x0000000000000000-mapping.dmp
memory/2808-134-0x0000000000000000-mapping.dmp
C:\booking\data\sbhost.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
C:\booking\data\sbhost.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
memory/4012-137-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4012-138-0x00000000004015C6-mapping.dmp
C:\booking\data\sbhost.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
memory/1052-140-0x0000000000000000-mapping.dmp
memory/4012-141-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4012-142-0x0000000002170000-0x00000000021D6000-memory.dmp
memory/4012-145-0x0000000002170000-0x00000000021D6000-memory.dmp
memory/4012-144-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4012-146-0x0000000000440000-0x000000000058A000-memory.dmp
memory/4012-148-0x0000000002670000-0x000000000267C000-memory.dmp
memory/4012-147-0x00000000009A0000-0x00000000009A1000-memory.dmp
memory/1700-149-0x0000000000000000-mapping.dmp
memory/2100-150-0x0000000000000000-mapping.dmp
memory/1924-151-0x0000000000000000-mapping.dmp
memory/1984-152-0x0000000000000000-mapping.dmp
memory/1984-154-0x0000000000A00000-0x0000000000B33000-memory.dmp
memory/1984-153-0x00000000010A0000-0x00000000014DF000-memory.dmp
memory/4012-156-0x0000000002660000-0x0000000002661000-memory.dmp
memory/1984-155-0x0000000000D70000-0x0000000000D7D000-memory.dmp
C:\booking\data\K480101741BH.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/604-158-0x0000000003030000-0x0000000003163000-memory.dmp
memory/1128-159-0x00000000054E0000-0x0000000005613000-memory.dmp
memory/1984-160-0x0000000006570000-0x0000000006572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\g559o1515guoa9_1.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |
memory/3140-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\g559o1515guoa9_1.exe
| MD5 | df909129b945e2c5ea6d493b1460ad22 |
| SHA1 | 6ae361b0a0e92d46b6268e989514d995bc49a76a |
| SHA256 | 7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0 |
| SHA512 | d71a6145150da0ff4b6ed8ded3e347464dbae9b560e83afc4bf58d74dfa1b52d6618d2b80bbe8dff56b85ad847ace2c907dbf696fa91031472e08194058c4814 |