Analysis Overview
SHA256
053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786
Threat Level: Known bad
The file 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786 was found to be: Known bad.
Malicious Activity Summary
BetaBot
UAC bypass
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Modifies security service
Modifies firewall policy service
CryptOne packer
Sets service image path in registry
Disables use of System Restore points
Sets file execution options in registry
Disables taskbar notifications via registry modification
Executes dropped EXE
Downloads MZ/PE file
Loads dropped DLL
Checks BIOS information in registry
Checks for any installed AV software in registry
Checks whether UAC is enabled
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Modifies Internet Explorer settings
Enumerates system info in registry
Runs regedit.exe
Checks processor information in registry
Suspicious use of WriteProcessMemory
NTFS ADS
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Discovers systems in the same network
Runs net.exe
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-13 06:37
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-13 06:37
Reported
2022-07-13 06:40
Platform
win7-20220414-en
Max time kernel
146s
Max time network
145s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | C:\Windows\SysWOW64\regedit.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables taskbar notifications via registry modification
Disables use of System Restore points
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7s73cw93u.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "bfuk.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\s59ucg5sg3o91qu.exe | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\s59ucg5sg3o91qu.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath | C:\Windows\SysWOW64\regedit.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.08 = "\"C:\\ProgramData\\Google Updater 2.08\\s59ucg5sg3o91qu.exe\"" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.08 = "C:\\ProgramData\\Google Updater 2.08\\s59ucg5sg3o91qu.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.08 = "\"C:\\ProgramData\\Google Updater 2.08\\s59ucg5sg3o91qu.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.08 = "\"C:\\ProgramData\\Google Updater 2.08\\s59ucg5sg3o91qu.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\regedit.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.08\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe:14F4FC7F | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe:14F4FC7F | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs net.exe
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\nltest.exe | N/A |
| N/A | N/A | C:\Windows\system32\nltest.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\choice.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe
"C:\Users\Admin\AppData\Local\Temp\053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe
/suac
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\SysWOW64\regedit.exe"
C:\Users\Admin\AppData\Local\Temp\7s73cw93u.exe
"C:\Users\Admin\AppData\Local\Temp\7s73cw93u.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /c net group "Domain Admins" /domain
C:\Windows\system32\net.exe
net group "Domain Admins" /domain
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "Domain Admins" /domain
C:\Windows\system32\cmd.exe
"cmd.exe" /c net group "domain computers" /domain
C:\Windows\system32\net.exe
net group "domain computers" /domain
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
C:\Windows\system32\cmd.exe
"cmd.exe" /c nltest /domain_trusts /all_trusts
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
"cmd.exe" /c nltest /domain_trusts
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
"cmd.exe" /c net view /all
C:\Windows\system32\net.exe
net view /all
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7s73cw93u.exe" && /C choice /C Y /N /D Y /T 3 & Del "shfolder.dll" && Del LAG1 && Del LAG2
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | russk11.icu | udp |
| US | 8.8.8.8:53 | russk12.icu | udp |
| US | 8.8.8.8:53 | russk13.icu | udp |
| US | 8.8.8.8:53 | russk14.icu | udp |
| US | 8.8.8.8:53 | russk15.icu | udp |
| US | 8.8.8.8:53 | moscow13.at | udp |
| US | 8.8.8.8:53 | moscow13.at | udp |
| RU | 62.204.41.171:80 | moscow13.at | tcp |
| US | 8.8.8.8:53 | russk21.icu | udp |
| RU | 62.204.41.171:80 | russk21.icu | tcp |
| RU | 62.204.41.171:80 | russk21.icu | tcp |
Files
memory/1032-54-0x0000000075B71000-0x0000000075B73000-memory.dmp
memory/1032-56-0x0000000002260000-0x00000000022C6000-memory.dmp
memory/1032-58-0x00000000020E0000-0x0000000002113000-memory.dmp
memory/1032-59-0x0000000000400000-0x000000000049C000-memory.dmp
memory/1032-60-0x0000000002260000-0x00000000022C6000-memory.dmp
memory/1032-61-0x0000000000400000-0x000000000049C000-memory.dmp
memory/1032-62-0x0000000002B10000-0x0000000002B1C000-memory.dmp
memory/1004-63-0x0000000000000000-mapping.dmp
memory/1004-65-0x0000000074CB1000-0x0000000074CB3000-memory.dmp
memory/1004-66-0x0000000077810000-0x0000000077990000-memory.dmp
memory/1032-68-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1032-70-0x0000000002260000-0x00000000022C6000-memory.dmp
memory/1004-69-0x00000000001A0000-0x00000000001AD000-memory.dmp
memory/1004-67-0x0000000000200000-0x0000000000303000-memory.dmp
memory/1004-71-0x00000000004B0000-0x00000000004BC000-memory.dmp
memory/1004-72-0x0000000000200000-0x0000000000303000-memory.dmp
memory/1004-73-0x0000000077810000-0x0000000077990000-memory.dmp
memory/1200-74-0x0000000002640000-0x0000000002646000-memory.dmp
\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe
| MD5 | 25809fc57cbbfdbc64b4c5d4e17d1d06 |
| SHA1 | 0415083490d597fc23ddc7c6e5163ad51ee60213 |
| SHA256 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786 |
| SHA512 | a078e118303ff225c7526a844e8b0984362e7f764a473fd3599781c432280f5ef6b00eaf6c8ed2dd08bde115e66f675795a0f6769a51fbfe1a0a5e14e3f4509a |
memory/1044-76-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\s59ucg5sg3o91qu_1.exe
| MD5 | 25809fc57cbbfdbc64b4c5d4e17d1d06 |
| SHA1 | 0415083490d597fc23ddc7c6e5163ad51ee60213 |
| SHA256 | 053e024947a8103550e2250b51a61f65eb0a7f9a99c9c1783d5fd86ecde1d786 |
| SHA512 | a078e118303ff225c7526a844e8b0984362e7f764a473fd3599781c432280f5ef6b00eaf6c8ed2dd08bde115e66f675795a0f6769a51fbfe1a0a5e14e3f4509a |
memory/1044-79-0x00000000020F0000-0x0000000002123000-memory.dmp
memory/1044-81-0x00000000021B0000-0x0000000002216000-memory.dmp
memory/1044-83-0x0000000000400000-0x000000000049C000-memory.dmp
memory/1044-84-0x00000000021B0000-0x0000000002216000-memory.dmp
memory/1044-85-0x0000000000400000-0x000000000049C000-memory.dmp
memory/1044-86-0x00000000024D0000-0x00000000024DC000-memory.dmp
memory/1588-87-0x0000000000000000-mapping.dmp
memory/1044-89-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1588-90-0x00000000000B0000-0x0000000000115000-memory.dmp
memory/1588-91-0x0000000000090000-0x000000000009B000-memory.dmp
\Users\Admin\AppData\Local\Temp\7s73cw93u.exe
| MD5 | 60a1564d18f20769eb65478cc5bc56c0 |
| SHA1 | 15ba12509eb288ed4e47162714f86777d8819976 |
| SHA256 | deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110 |
| SHA512 | e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71 |
C:\Users\Admin\AppData\Local\Temp\7s73cw93u.exe
| MD5 | 60a1564d18f20769eb65478cc5bc56c0 |
| SHA1 | 15ba12509eb288ed4e47162714f86777d8819976 |
| SHA256 | deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110 |
| SHA512 | e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71 |
memory/1952-93-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7s73cw93u.exe
| MD5 | 60a1564d18f20769eb65478cc5bc56c0 |
| SHA1 | 15ba12509eb288ed4e47162714f86777d8819976 |
| SHA256 | deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110 |
| SHA512 | e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71 |
memory/1952-96-0x00000000009A0000-0x00000000009A8000-memory.dmp
memory/1560-97-0x0000000000000000-mapping.dmp
memory/1912-98-0x0000000000000000-mapping.dmp
memory/1160-99-0x0000000000000000-mapping.dmp
memory/1756-100-0x0000000000000000-mapping.dmp
memory/968-101-0x0000000000000000-mapping.dmp
memory/1852-102-0x0000000000000000-mapping.dmp
memory/1764-103-0x0000000000000000-mapping.dmp
memory/1556-104-0x0000000000000000-mapping.dmp
memory/1692-105-0x0000000000000000-mapping.dmp
memory/1336-106-0x0000000000000000-mapping.dmp
memory/1680-107-0x0000000000000000-mapping.dmp
memory/1656-108-0x0000000000000000-mapping.dmp
memory/1952-109-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp
memory/1816-110-0x0000000000000000-mapping.dmp
memory/1520-111-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Reported
0001-01-01 00:00