Analysis Overview
SHA256
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Threat Level: Known bad
The file RIP_YOUR_PC_LOL.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Detect PurpleFox Rootkit
Nanocore family
njRAT/Bladabindi
PurpleFox
Nirsoft
Fickerstealer
Njrat family
Async RAT payload
HawkEye
NanoCore
NirSoft WebBrowserPassView
NirSoft MailPassView
UPX packed file
Executes dropped EXE
Sets DLL path for service in the registry
Loads dropped DLL
Uses the VBS compiler for execution
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported
2022-03-15 08:40
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Nanocore family
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Njrat family
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2022-03-15 08:40
Reported
2022-03-15 09:11
Platform
win10v2004-20220310-en
Max time kernel
1673s
Max time network
1737s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4448 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 4448 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 4448 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 3740 wrote to memory of 1424 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\system32\FonDUE.EXE |
| PID 3740 wrote to memory of 1424 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\system32\FonDUE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
| US | 13.107.21.200:443 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2022-03-15 08:40
Reported
2022-03-15 08:41
Platform
win11-20220223-en
Max time network
20s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| US | 20.83.130.102:443 | | tcp |
| US | 20.83.130.102:443 | | tcp |
| US | 20.83.130.102:443 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-15 08:40
Reported
2022-03-15 08:43
Platform
win7-20220310-en
Max time kernel
4294137s
Max time network
78s
Command Line
Signatures
AsyncRat
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fickerstealer
HawkEye
NanoCore
PurpleFox
njRAT/Bladabindi
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\healastounding.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\HD____11.19.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
| N/A | N/A | C:\Windows\Help\Winlogon.exe | N/A |
| N/A | N/A | C:\Windows\Cursors\WUDFhosts.exe | N/A |
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\259445793.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1408 set thread context of 1172 | N/A | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe |
| PID 932 set thread context of 1964 | N/A | C:\Windows\Help\Winlogon.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1200 set thread context of 1324 | N/A | C:\Users\Admin\AppData\Roaming\Pluto Panel.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Cursors\TrustedInsteller.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render_New.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\Help\Winlogon.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Help\active_desktop_render.dll | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Cursors\WUDFhosts.exe | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| File created | C:\Windows\Cursors\KillProcc.sys | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\HD____11.19.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Help\Winlogon.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-7f-39-eb-e6-de\WpadDecisionTime = 909a7af25038d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{337A7107-D537-4C65-853C-10AA3D5FEF10}\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-7f-39-eb-e6-de | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{337A7107-D537-4C65-853C-10AA3D5FEF10}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{337A7107-D537-4C65-853C-10AA3D5FEF10}\WpadDecisionTime = 909a7af25038d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{337A7107-D537-4C65-853C-10AA3D5FEF10}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{337A7107-D537-4C65-853C-10AA3D5FEF10}\06-7f-39-eb-e6-de | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-7f-39-eb-e6-de\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-7f-39-eb-e6-de\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{337A7107-D537-4C65-853C-10AA3D5FEF10} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Cursors\WUDFhosts.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\___11.19.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\22.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
C:\Users\Admin\AppData\Roaming\healastounding.exe
"C:\Users\Admin\AppData\Roaming\healastounding.exe"
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Roaming\22.exe
"C:\Users\Admin\AppData\Roaming\22.exe"
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
C:\Users\Admin\AppData\Roaming\___11.19.exe
"C:\Users\Admin\AppData\Roaming\___11.19.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 88
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 324
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259445793.txt",MainThread
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
C:\Windows\Help\Winlogon.exe
C:\Windows\Help\Winlogon.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 216
C:\Windows\Cursors\WUDFhosts.exe
C:\Windows\Cursors\WUDFhosts.exe -o pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
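The behavioral1 process list above is the only run of the three in which the payloads actually executed. behavioral3 and behavioral4 (win10 and win11) show nothing but fondue.exe /enable-feature:NetFx3 launched on behalf of mscoreei.dll, which is the CLR shim asking Windows to install .NET Framework 3.5 on demand; the dropper targets the v2.0 runtime (the win7 run uses vbc.exe from v2.0.50727), so on hosts without that runtime it never gets past the install prompt, and the Microsoft licensing traffic in those runs belongs to the OS, not the sample. Treat the win7 run as the ground truth.

Several command lines in it are worth recognising on sight. The netsh ipsec static sequence builds a policy named Block, a filter list for inbound TCP and UDP 135, 139 and 445 to the local host, a block filter action, a rule tying them together, and then assigns the policy: that closes RPC and SMB to everyone else, a common move by miner and PurpleFox-style droppers to keep competing worms off a host they already own (it also breaks SMB-based remote administration; on a live host netsh ipsec static show policy all lists such a policy and netsh ipsec static delete policy name=Block removes it). cmd /c ping -n 2 127.0.0.1 > nul && del ... is the usual self-delete delay. vbc.exe /stext <file> is not the VB compiler doing anything useful: /stext is the NirSoft recovery tools' switch for saving results as text, and the SetThreadContext row (PID 1200, Pluto Panel.exe into vbc.exe) shows the tool was hollowed into the compiler process. WUDFhosts.exe -o pool.usa-138.com:80 -u <95 characters starting with 4> -p x is XMRig-style miner syntax with a Monero standard address as the user. The svchost.exe -k group "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" is GBK text rendered through the sandbox's Latin-1 code page; the bytes decode to 主动防御服务模块 ("active defense service module"), but the mojibake form is also the on-disk name the report records, so search for it as written. Finally, the HKEY_USERS\.DEFAULT Internet Settings writes by svchost.exe are WinINet initialising proxy and WPAD state for a process running as LocalSystem, which tells you the dropped service runs as SYSTEM; the keys themselves are not indicators.

The following is an added example, not part of the report or of any tool it names, that encodes those recognitions as tags over process-creation and registry events. The sample events are copied from the tables above into Python literals; the tag names, regexes and the Monero address pattern are this example's own assumptions:

```python
"""Tag the behavioral1 process and registry events from the report above.

Added example: sample events are copied from the report into literals,
tag names and regexes are this example's own, nothing touches a live host.
"""
import re

# Constructed sample: (image path, command line) pairs from the behavioral1
# Processes list.  The last entry is benign on its own and must earn no tag.
PROCESSES = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul"),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /c del "C:\Users\Admin\AppData\Roaming\22.exe"'),
    (r"C:\Windows\SysWOW64\netsh.exe", "netsh ipsec static add policy name=Block"),
    (r"C:\Windows\SysWOW64\netsh.exe",
     "netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP"),
    (r"C:\Windows\SysWOW64\netsh.exe", "netsh ipsec static add filteraction name=FilteraAtion1 action=block"),
    (r"C:\Windows\SysWOW64\netsh.exe", "netsh ipsec static set policy name=Block assign=y"),
    (r"C:\Users\Admin\AppData\Local\Temp\svchost.exe", r"C:\Users\Admin\AppData\Local\Temp\\svchost.exe"),
    (r"C:\Windows\SysWOW64\svchost.exe", r'C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"'),
    (r"C:\Windows\Cursors\WUDFhosts.exe",
     "C:\\Windows\\Cursors\\WUDFhosts.exe -o pool.usa-138.com:80 "
     "-u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x"),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping -n 2 127.0.0.1"),
]

# Constructed sample registry indicators: the Run key from "Adds Run key to start
# application" and one benign WPAD write from "Modifies data under HKEY_USERS".
REGISTRY = [
    r'\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"',
    r'\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"',
]

SELF_DELETE = re.compile(r"\bdel\b[^&|]*\\AppData\\", re.I)            # del <dropped file under AppData>
IPSEC_SMB_FILTER = re.compile(r"netsh\s+ipsec\s+static\s+add\s+filter\b.*\bdstport=(135|139|445)\b", re.I)
IPSEC_ASSIGN = re.compile(r"netsh\s+ipsec\s+static\s+set\s+policy\b.*\bassign=y\b", re.I)
MINER_OPTS = re.compile(r"\s-o\s+\S+:\d+\b.*\s-u\s+\S+")                # xmrig-style -o host:port ... -u user
MONERO_ADDR = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")               # Monero standard address: 95 base58 chars, leading 4
NIRSOFT_STEXT = re.compile(r"\bvbc\.exe\b.*\s/stext\s", re.I)           # NirSoft "save as text" switch inside vbc.exe
SVC_GROUP = re.compile(r'-k\s+"?([^"\s]+)"?')                            # svchost -k <group>
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify(image, cmdline):
    """Return the set of tags a single process launch earns."""
    tags = set()
    if SELF_DELETE.search(cmdline):
        tags.add("deletes_dropped_file")
    if IPSEC_SMB_FILTER.search(cmdline):
        tags.add("ipsec_filter_smb_rpc")
    if IPSEC_ASSIGN.search(cmdline):
        tags.add("ipsec_policy_assigned")
    if MONERO_ADDR.search(cmdline) or MINER_OPTS.search(cmdline):
        tags.add("xmrig_style_miner")
    if NIRSOFT_STEXT.search(cmdline):
        tags.add("nirsoft_dump_in_vbc")
    if image.lower().rsplit("\\", 1)[-1] == "svchost.exe":
        if not image.lower().startswith(SYSTEM_DIRS):
            tags.add("svchost_outside_system32")          # real svchost lives only in System32/SysWOW64
        m = SVC_GROUP.search(cmdline)
        if m and any(ord(ch) > 127 for ch in m.group(1)):
            tags.add("svchost_nonascii_group")            # service groups are plain ASCII names
    return tags


def summarize(processes):
    """Aggregate per-launch tags and derive the multi-step IPsec lockdown verdict."""
    hits = {}
    for image, cmdline in processes:
        for tag in classify(image, cmdline):
            hits.setdefault(tag, []).append(cmdline)
    # A filter on 135/139/445 only bites once the policy is assigned; report the pair as one finding.
    if "ipsec_filter_smb_rpc" in hits and "ipsec_policy_assigned" in hits:
        hits["ipsec_smb_lockdown"] = hits["ipsec_filter_smb_rpc"] + hits["ipsec_policy_assigned"]
    return hits


def runkey_persistence(indicator):
    """True when a Run value points at an executable under a user-writable AppData path."""
    if not RUN_KEY.search(indicator):
        return False
    _, _, data = indicator.partition("=")
    return "\\appdata\\" in data.lower().replace("\\\\", "\\")   # the report escapes backslashes in data


def decode_gbk_mojibake(name):
    """Re-read a name whose GBK bytes were displayed as Latin-1; None if it is not valid GBK."""
    try:
        return name.encode("latin-1").decode("gbk")
    except UnicodeError:
        return None


if __name__ == "__main__":
    for tag, lines in sorted(summarize(PROCESSES).items()):
        print(f"{tag}: {len(lines)} hit(s)")
    print([runkey_persistence(r) for r in REGISTRY])
    print(decode_gbk_mojibake("Ö÷¶¯·ÀÓù·þÎñÄ£¿é"))
```

The same functions work on real process-creation telemetry (for example the Image and CommandLine fields of Sysmon event ID 1); the lockdown verdict is deliberately derived from the pair of netsh steps rather than from a single line, because the filter list by itself does nothing until assign=y.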
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| N/A | 127.0.0.1:8088 | | tcp |
| N/A | 127.0.0.1:8088 | | tcp |
| N/A | 127.0.0.1:8088 | | tcp |
| N/A | 127.0.0.1:8088 | | tcp |
| N/A | 127.0.0.1:8088 | | tcp |
| N/A | 127.0.0.1:8088 | | tcp |
| N/A | 127.0.0.1:8088 | | tcp |
| US | 8.8.8.8:53 | 22ssh.com | udp |
| N/A | 127.0.0.1:8088 | | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.16.155.36:80 | whatismyipaddress.com | tcp |
| US | 104.16.155.36:443 | whatismyipaddress.com | tcp |
| US | 104.16.155.36:443 | whatismyipaddress.com | tcp |
| N/A | 127.0.0.1:8088 | | tcp |
| US | 8.8.8.8:53 | pool.usa-138.com | udp |
| KR | 220.86.85.75:80 | pool.usa-138.com | tcp |
| N/A | 127.0.0.1:8088 | | tcp |
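Reading the Network table: the 8.8.8.8:53 rows are the sandbox resolver answering lookups, not contacts with the named host. hackerinvasion.f3322.net (f3322.net, like 3322.org, is a Chinese dynamic-DNS provider routinely used for RAT C2) and 22ssh.com were looked up but never connected to, which usually means the C2 name did not resolve or the server was down at detonation time; they are still indicators. pool.usa-138.com is the -o argument of the dropped WUDFhosts.exe, so the 220.86.85.75:80 connection is mining-pool traffic. whatismyipaddress.com is the external-IP lookup the summary flags; the Cloudflare address it resolves to is not an indicator. The repeated 127.0.0.1:8088 connections are the sample talking to a listener it started on the same host; the report does not say which dropped process owns that port.

The following is an added example, not part of the report, that applies those distinctions to the table rows. The rows are copied from this report into a Python literal (one licensing row from the win10 run is included as known sandbox noise); the suffix lists and resolver set are this example's own and illustrative, not exhaustive:

```python
"""Sort sandbox Network rows into noise, lookups and indicators.

Added example: rows are copied from the report, the allow/suspect lists
are illustrative assumptions of this example.
"""
import ipaddress

# Constructed sample: (country, destination, domain, proto) rows from the Network tables.
ROWS = [
    ("US", "8.8.8.8:53", "hackerinvasion.f3322.net", "udp"),
    ("N/A", "127.0.0.1:8088", "", "tcp"),
    ("US", "8.8.8.8:53", "22ssh.com", "udp"),
    ("US", "8.8.8.8:53", "whatismyipaddress.com", "udp"),
    ("US", "104.16.155.36:80", "whatismyipaddress.com", "tcp"),
    ("US", "104.16.155.36:443", "whatismyipaddress.com", "tcp"),
    ("US", "8.8.8.8:53", "pool.usa-138.com", "udp"),
    ("KR", "220.86.85.75:80", "pool.usa-138.com", "tcp"),
    ("US", "20.223.25.224:443", "licensing.mp.microsoft.com", "tcp"),
]

# Illustrative lists (this example's own, not exhaustive).
SANDBOX_NOISE = (".microsoft.com", ".msn.com", ".windowsupdate.com")   # the guest OS talks here on its own
DDNS_PROVIDERS = (".f3322.net", ".3322.org", ".no-ip.org", ".ddns.net", ".duckdns.org")
IP_LOOKUP = {"whatismyipaddress.com", "api.ipify.org", "icanhazip.com", "ip-api.com"}
RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}


def split_dest(dest):
    """'ip:port' -> (ip_address, int port)."""
    ip, _, port = dest.rpartition(":")
    return ipaddress.ip_address(ip), int(port)


def domain_class(domain):
    """Classify a name by suffix; 'unknown' means it needs a human look."""
    d = domain.lower()
    if d.endswith(SANDBOX_NOISE):
        return "sandbox_noise"
    if d in IP_LOOKUP:
        return "ip_lookup"
    if d.endswith(DDNS_PROVIDERS):
        return "ddns_c2"
    if d.startswith("pool."):
        return "mining_pool"
    return "unknown"


def triage(rows):
    """Per name: its class, whether it was resolved (port-53 row to a resolver), what was contacted."""
    report, loopback_ports = {}, set()
    for _country, dest, domain, _proto in rows:
        ip, port = split_dest(dest)
        if ip.is_loopback:
            loopback_ports.add(port)          # a listener the sample itself started
            continue
        key = domain or str(ip)               # rows with no name are keyed by the bare IP
        entry = report.setdefault(key, {"class": domain_class(key), "resolved": False, "contacted": []})
        if port == 53 and str(ip) in RESOLVERS:
            entry["resolved"] = True
        elif f"{ip}:{port}" not in entry["contacted"]:
            entry["contacted"].append(f"{ip}:{port}")
    return report, sorted(loopback_ports)


def resolved_only(report):
    """Names looked up but never connected to: C2 did not answer at detonation time, still block them."""
    return sorted(d for d, e in report.items() if e["resolved"] and not e["contacted"])


def iocs(rows):
    """Names and IPs worth blocking: drop sandbox noise, lookup services, resolvers and loopback."""
    report, _ = triage(rows)
    out = set()
    for name, entry in report.items():
        if entry["class"] in ("sandbox_noise", "ip_lookup"):
            continue
        out.add(name)
        out.update(c.rpartition(":")[0] for c in entry["contacted"])
    return sorted(out)


if __name__ == "__main__":
    report, ports = triage(ROWS)
    for name, entry in report.items():
        print(name, entry)
    print("loopback listeners:", ports)
    print("resolved only:", resolved_only(report))
    print("iocs:", iocs(ROWS))
```

Feed the same shape of rows from any sandbox that reports DNS queries and connections separately; the point of keeping resolution and contact apart is that a name the sample asked for is an indicator whether or not the server answered.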
Files
memory/1924-54-0x00000000759C1000-0x00000000759C3000-memory.dmp
memory/1924-55-0x0000000074DF0000-0x000000007539B000-memory.dmp
memory/1924-56-0x0000000000C20000-0x0000000000C21000-memory.dmp
memory/1924-57-0x0000000074DF0000-0x000000007539B000-memory.dmp
\Users\Admin\AppData\Roaming\healastounding.exe
| MD5 | 6fb798f1090448ce26299c2b35acf876 |
| SHA1 | 451423d5690cffa02741d5da6e7c45bc08aefb55 |
| SHA256 | b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f |
| SHA512 | 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3 |
C:\Users\Admin\AppData\Roaming\healastounding.exe
| MD5 | 6fb798f1090448ce26299c2b35acf876 |
| SHA1 | 451423d5690cffa02741d5da6e7c45bc08aefb55 |
| SHA256 | b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f |
| SHA512 | 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3 |
C:\Users\Admin\AppData\Roaming\healastounding.exe
| MD5 | 6fb798f1090448ce26299c2b35acf876 |
| SHA1 | 451423d5690cffa02741d5da6e7c45bc08aefb55 |
| SHA256 | b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f |
| SHA512 | 9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3 |
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
| MD5 | ed666bf7f4a0766fcec0e9c8074b089b |
| SHA1 | 1b90f1a4cb6059d573fff115b3598604825d76e6 |
| SHA256 | d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264 |
| SHA512 | d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49 |
\Users\Admin\AppData\Roaming\Pluto Panel.exe
| MD5 | ed666bf7f4a0766fcec0e9c8074b089b |
| SHA1 | 1b90f1a4cb6059d573fff115b3598604825d76e6 |
| SHA256 | d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264 |
| SHA512 | d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49 |
C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
| MD5 | ed666bf7f4a0766fcec0e9c8074b089b |
| SHA1 | 1b90f1a4cb6059d573fff115b3598604825d76e6 |
| SHA256 | d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264 |
| SHA512 | d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49 |
\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
memory/1408-70-0x0000000002558000-0x0000000002580000-memory.dmp
memory/1236-72-0x0000000074DF0000-0x000000007539B000-memory.dmp
memory/1236-73-0x0000000000110000-0x0000000000111000-memory.dmp
C:\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
memory/1200-74-0x0000000074DF0000-0x000000007539B000-memory.dmp
memory/1200-75-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1200-76-0x0000000074DF0000-0x000000007539B000-memory.dmp
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
memory/1408-81-0x0000000002558000-0x0000000002580000-memory.dmp
memory/1408-82-0x0000000000220000-0x0000000000267000-memory.dmp
C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
memory/1172-78-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1172-84-0x0000000000400000-0x000000000044F000-memory.dmp
\Users\Admin\AppData\Roaming\___11.19.exe
| MD5 | a071727b72a8374ff79a695ecde32594 |
| SHA1 | b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc |
| SHA256 | 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745 |
| SHA512 | 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400 |
C:\Users\Admin\AppData\Roaming\___11.19.exe
| MD5 | a071727b72a8374ff79a695ecde32594 |
| SHA1 | b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc |
| SHA256 | 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745 |
| SHA512 | 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400 |
memory/2020-88-0x0000000000400000-0x0000000000625000-memory.dmp
C:\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/1388-96-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1388-98-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/1388-99-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
C:\Windows\SysWOW64\TXPlatforn.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
memory/1388-108-0x0000000010000000-0x00000000101B6000-memory.dmp
\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
\Users\Admin\AppData\Roaming\22.exe
| MD5 | dbf9daa1707b1037e28a6e0694b33a4b |
| SHA1 | ddc1fcec1c25f2d97c372fffa247969aa6cd35ef |
| SHA256 | a604a3ff78644533fac5ee9f198e9c5f2fa1ae2a5828186367a9e00935cff6b6 |
| SHA512 | 145b606ffd58554050ff8712ddb38c1c66dd5f33ea15fd48474e1c165b2c0348d2413e16c7ad07ff1c65ce71e2be23e3758e6d48c4f2454d5407982119706bfd |
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
| MD5 | 0fd7de5367376231a788872005d7ed4f |
| SHA1 | 658e4d5efb8b14661967be2183cc60e3e561b2b6 |
| SHA256 | 9083992637e90e412e6f4e77331eb69ee8db821c54bbc38533e0f889cc4ca9dd |
| SHA512 | 522d5be2803fbce0d12c325cc2ef1e3a92cec03aeba7d1164530093ad58caecd827dd557ca3c182a66c6667150e731de37bb552d19425f96cc78fe3423e1a863 |
C:\Users\Admin\AppData\Roaming\___11.19.exe
| MD5 | a071727b72a8374ff79a695ecde32594 |
| SHA1 | b2aba60b3332d6b8f0a56cea310cdc2bdb4f9ffc |
| SHA256 | 8ecdfe60eacb5bf647ae69bcbc41dd727ea3089e92b4b08ebca3a8d162e50745 |
| SHA512 | 854b93fb6b9bf0fe4caef5572935852ce8becf2bc7bd41b192a4b3cefb7854a2405c6c0c06bbdd4e1026ff9440ec753911dcc935fe68118e322614c1b918e400 |
\Users\Admin\AppData\Roaming\HD____11.19.exe
| MD5 | b14120b6701d42147208ebf264ad9981 |
| SHA1 | f3cff7ac8e6c1671d2c3387648e54f80957196de |
| SHA256 | d987bd57582a22dfc65901ff256eda635dc8dad598c93b200002130b87fcfd97 |
| SHA512 | 27a066b9d842acd7b1e0ca1dd045a9262b0d0a00c180eedeebeb9d3091925b184186fc3a1d2df28ae4c55626febe6abf6fdb5e26d45fd1a2968d57540e7cf29b |
\Windows\SysWOW64\259445793.txt
| MD5 | 3fc5ac6a0d9786674d762a8752a4de71 |
| SHA1 | 9b0960baf3d08d1fada3bac276fd219940634fd6 |
| SHA256 | 7a8903b51d3ae89cb5b7c668b9729c491d21c0a27c522264d1918585a6cb6923 |
| SHA512 | fab4e90377b1e4a2ef77fc0976b870ba8882338bbcd3152c2fd76eb2b0bcfcbe1a6c42461da62600a29fa1abda309e43e1eb15f8dc575b7e4dcd155e6e4d8485 |
\Windows\SysWOW64\主动防御服务模块.exe (GBK filename, rendered in the report as Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe)
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
\Windows\Help\active_desktop_render.dll
| MD5 | 07a36097730666fe9e5434d85a5ab989 |
| SHA1 | 780ca47c15932ed1f9640c17b9bb340410a52338 |
| SHA256 | 1fb4cee4d83d424e0bfcbfd97169ef717b3ebdcc5d01ba7c7c547ae606ad5c3c |
| SHA512 | 4a08080471c660856af724e4480ec721c22c462346e293d93e2f9577e6d669c6b51cd81ef96dfad943c791dfd7f7f0c2d5234a82d81ce5f1c01bb493cda34085 |
C:\Windows\Help\Winlogon.exe
| MD5 | a8ddace9435fe395325fc45dde8bd0a3 |
| SHA1 | dcf9baaa9e3a27450debf4f35112376ed005c800 |
| SHA256 | 6e81d7c71b3e8d731e11ad75d3dac02a4210c9f90fac618af5c00cbce3718658 |
| SHA512 | 2c6006e42ecf31da02a4584e69c0e55390be5a405353307582852728b2ceb65033f3f5cd0b6465b3a1541d19eab95c61b394e3403dee558196c2f2969d82b196 |
C:\Windows\Cursors\WUDFhosts.exe
| MD5 | 4a72e30c0a582b082030adfd8345014f |
| SHA1 | 2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353 |
| SHA256 | e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976 |
| SHA512 | 8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-15 08:40
Reported
2022-03-15 09:11
Platform
win10-20220310-en
Max time kernel
314s
Max time network
1595s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2660 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 2876 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\System32\FonDUE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\System32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll