Malware Analysis Report

2025-08-06 04:32

Sample ID 221120-gllk1sdd6v
Target 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4
SHA256 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4
Tags
pony discovery evasion persistence rat spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4

Threat Level: Known bad

The file 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4 was found to be: Known bad.

Malicious Activity Summary

pony discovery evasion persistence rat spyware stealer upx

Pony,Fareit

Modifies visiblity of hidden/system files in Explorer

Modifies security service

Disables taskbar notifications via registry modification

UPX packed file

Modifies Installed Components in the registry

Executes dropped EXE

Reads data files stored by FTP clients

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Maps connected drives based on registry

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

System policy modification

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-20 05:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-20 05:53

Reported

2022-11-20 05:56

Platform

win7-20221111-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" C:\Users\Admin\3nua.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\aUY5E15SY8.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\yuoud.exe N/A

Pony,Fareit

rat spyware stealer pony

Disables taskbar notifications via registry modification

evasion

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /r" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /A" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /G" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /B" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /d" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /C" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /t" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /S" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /q" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /W" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /U" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /Y" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /M" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /l" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /j" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /y" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /E" C:\Users\Admin\aUY5E15SY8.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /Q" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /D" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /L" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /T" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /O" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /e" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /P" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /b" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /m" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A1A.exe = "C:\\Program Files (x86)\\LP\\CD14\\A1A.exe" C:\Users\Admin\3nua.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /p" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /V" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /z" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /u" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /H" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /I" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /n" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /f" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /E" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /X" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /g" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /Z" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /K" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /w" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /v" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /N" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /c" C:\Users\Admin\yuoud.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\aUY5E15SY8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /a" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /i" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /x" C:\Users\Admin\yuoud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\yuoud = "C:\\Users\\Admin\\yuoud.exe /h" C:\Users\Admin\yuoud.exe N/A

Checks installed software on the system

discovery

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\2nua.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\2nua.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\2nua.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\2nua.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 336 set thread context of 1576 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 set thread context of 1552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 set thread context of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 set thread context of 1892 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 set thread context of 552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LP\CD14\A1A.exe C:\Users\Admin\3nua.exe N/A
File opened for modification C:\Program Files (x86)\LP\CD14\E052.tmp C:\Users\Admin\3nua.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Windows\explorer.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\2nua.exe

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\aUY5E15SY8.exe N/A
N/A N/A C:\Users\Admin\aUY5E15SY8.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A
N/A N/A C:\Users\Admin\yuoud.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\aUY5E15SY8.exe
PID 840 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\aUY5E15SY8.exe
PID 840 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\aUY5E15SY8.exe
PID 840 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\aUY5E15SY8.exe
PID 2008 wrote to memory of 1028 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Users\Admin\yuoud.exe
PID 2008 wrote to memory of 1028 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Users\Admin\yuoud.exe
PID 2008 wrote to memory of 1028 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Users\Admin\yuoud.exe
PID 2008 wrote to memory of 1028 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Users\Admin\yuoud.exe
PID 2008 wrote to memory of 580 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 580 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 580 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 580 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 580 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 580 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 580 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 840 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\2nua.exe
PID 840 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\2nua.exe
PID 840 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\2nua.exe
PID 840 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1576 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1576 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1576 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1576 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1576 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1128 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1892 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1892 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1892 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1892 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1892 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1892 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1892 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 1892 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 336 wrote to memory of 552 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 840 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\3nua.exe
PID 840 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\3nua.exe
PID 840 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\3nua.exe
PID 840 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\3nua.exe
PID 840 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\3nua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\3nua.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe

"C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe"

C:\Users\Admin\aUY5E15SY8.exe

C:\Users\Admin\aUY5E15SY8.exe

C:\Users\Admin\yuoud.exe

"C:\Users\Admin\yuoud.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del aUY5E15SY8.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Users\Admin\2nua.exe

C:\Users\Admin\2nua.exe

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Users\Admin\3nua.exe

C:\Users\Admin\3nua.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 520

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x57c

C:\Users\Admin\3nua.exe

C:\Users\Admin\3nua.exe startC:\Users\Admin\AppData\Roaming\4637B\0FFCD.exe%C:\Users\Admin\AppData\Roaming\4637B

C:\Program Files (x86)\LP\CD14\E052.tmp

"C:\Program Files (x86)\LP\CD14\E052.tmp"

C:\Users\Admin\3nua.exe

C:\Users\Admin\3nua.exe startC:\Program Files (x86)\7B8A0\lvvm.exe%C:\Program Files (x86)\7B8A0

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 csc3-2004-crl.verisign.com udp
N/A 8.8.8.8:53 highspeedinternetlosangeles.webnode.com udp
N/A 8.8.8.8:53 pxtxyv250x.cloudstorepro.com udp
N/A 217.11.242.82:80 highspeedinternetlosangeles.webnode.com tcp
N/A 8.8.8.8:53 vjzkeo0.cloudstorepro.com udp
N/A 8.8.8.8:53 TRANSERSDATAFORME.COM udp
N/A 8.8.8.8:53 2zqpq6-6w.cloudstorepro.com udp
N/A 216.58.208.100:80 www.google.com tcp
N/A 8.8.8.8:53 d929e.grizlybigtit.com udp
N/A 216.58.208.100:80 www.google.com tcp
N/A 127.0.0.1:59758 tcp
N/A 127.0.0.1:59758 tcp
N/A 216.58.208.100:80 www.google.com tcp

Files

memory/840-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

\Users\Admin\aUY5E15SY8.exe

MD5 380575fdf47f22e24cc214c89f098f9d
SHA1 5d5584fab3dc5267ffacfd4c331555f4f7703fb6
SHA256 04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
SHA512 70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2

\Users\Admin\aUY5E15SY8.exe

MD5 380575fdf47f22e24cc214c89f098f9d
SHA1 5d5584fab3dc5267ffacfd4c331555f4f7703fb6
SHA256 04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
SHA512 70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2

memory/2008-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\aUY5E15SY8.exe

MD5 380575fdf47f22e24cc214c89f098f9d
SHA1 5d5584fab3dc5267ffacfd4c331555f4f7703fb6
SHA256 04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
SHA512 70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2

C:\Users\Admin\aUY5E15SY8.exe

MD5 380575fdf47f22e24cc214c89f098f9d
SHA1 5d5584fab3dc5267ffacfd4c331555f4f7703fb6
SHA256 04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
SHA512 70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2

\Users\Admin\yuoud.exe

MD5 6891a79892c5fdb0523844fd01a235d3
SHA1 d11090ac3ac07bfab9ba708dcfd099137a34ca19
SHA256 762db61e0b79bc2a4ef8e1c6051e0b1e3bdbfa95c396ad61497aeda883354b06
SHA512 e62a5860fb13c5db2bd3bcb1f16ba3497870cf595ead941cbd43e24d347cb157315ffd92f490aaa92e0eff9d512016aa5e996f8b08457da775b41b47e66b7c1a

memory/1028-67-0x0000000000000000-mapping.dmp

\Users\Admin\yuoud.exe

MD5 6891a79892c5fdb0523844fd01a235d3
SHA1 d11090ac3ac07bfab9ba708dcfd099137a34ca19
SHA256 762db61e0b79bc2a4ef8e1c6051e0b1e3bdbfa95c396ad61497aeda883354b06
SHA512 e62a5860fb13c5db2bd3bcb1f16ba3497870cf595ead941cbd43e24d347cb157315ffd92f490aaa92e0eff9d512016aa5e996f8b08457da775b41b47e66b7c1a

C:\Users\Admin\yuoud.exe

MD5 6891a79892c5fdb0523844fd01a235d3
SHA1 d11090ac3ac07bfab9ba708dcfd099137a34ca19
SHA256 762db61e0b79bc2a4ef8e1c6051e0b1e3bdbfa95c396ad61497aeda883354b06
SHA512 e62a5860fb13c5db2bd3bcb1f16ba3497870cf595ead941cbd43e24d347cb157315ffd92f490aaa92e0eff9d512016aa5e996f8b08457da775b41b47e66b7c1a

C:\Users\Admin\yuoud.exe

MD5 6891a79892c5fdb0523844fd01a235d3
SHA1 d11090ac3ac07bfab9ba708dcfd099137a34ca19
SHA256 762db61e0b79bc2a4ef8e1c6051e0b1e3bdbfa95c396ad61497aeda883354b06
SHA512 e62a5860fb13c5db2bd3bcb1f16ba3497870cf595ead941cbd43e24d347cb157315ffd92f490aaa92e0eff9d512016aa5e996f8b08457da775b41b47e66b7c1a

memory/580-72-0x0000000000000000-mapping.dmp

memory/1680-73-0x0000000000000000-mapping.dmp

\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/336-76-0x0000000000000000-mapping.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/1576-82-0x0000000000000000-mapping.dmp

memory/1552-84-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1552-85-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1552-87-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1552-88-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1552-89-0x00000000004274C0-mapping.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/1128-93-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1128-94-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1552-95-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1128-98-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1128-100-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1128-101-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1552-97-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/1128-104-0x000000000040877B-mapping.dmp

memory/1892-107-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1892-108-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1128-103-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1892-112-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1128-111-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1892-110-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1892-113-0x0000000000405790-mapping.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/552-121-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1892-120-0x0000000000400000-0x0000000000407000-memory.dmp

memory/552-118-0x0000000000400000-0x000000000040A000-memory.dmp

memory/552-123-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1892-117-0x0000000000400000-0x0000000000407000-memory.dmp

memory/552-116-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/552-125-0x00000000004084F0-mapping.dmp

memory/552-129-0x0000000000400000-0x000000000040A000-memory.dmp

memory/552-130-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1552-133-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1128-135-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1892-136-0x0000000000400000-0x0000000000407000-memory.dmp

memory/552-137-0x0000000000400000-0x000000000040A000-memory.dmp

memory/552-138-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\3nua.exe

MD5 0fcecac14065f03c4f83bf5ae6ac415b
SHA1 f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA256 79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA512 49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

\Users\Admin\3nua.exe

MD5 0fcecac14065f03c4f83bf5ae6ac415b
SHA1 f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA256 79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA512 49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

C:\Users\Admin\3nua.exe

MD5 0fcecac14065f03c4f83bf5ae6ac415b
SHA1 f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA256 79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA512 49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

memory/1940-144-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1940-141-0x0000000000000000-mapping.dmp

memory/1940-145-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1940-146-0x00000000005BA000-0x00000000005DA000-memory.dmp

memory/1876-147-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

memory/840-148-0x0000000002900000-0x00000000033BA000-memory.dmp

memory/1900-149-0x0000000000000000-mapping.dmp

memory/1072-150-0x0000000000000000-mapping.dmp

memory/1552-151-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1128-152-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1524-153-0x0000000000000000-mapping.dmp

\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/1940-158-0x00000000005BA000-0x00000000005DA000-memory.dmp

\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

C:\Users\Admin\3nua.exe

MD5 0fcecac14065f03c4f83bf5ae6ac415b
SHA1 f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA256 79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA512 49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

C:\Users\Admin\3nua.exe

MD5 0fcecac14065f03c4f83bf5ae6ac415b
SHA1 f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA256 79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA512 49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

memory/1796-162-0x0000000000000000-mapping.dmp

memory/1796-166-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1796-167-0x00000000005BA000-0x00000000005DA000-memory.dmp

\Program Files (x86)\LP\CD14\E052.tmp

MD5 29c0a1942c5efa556fcf06cdb27e6b43
SHA1 1f4897b7091c159f7402237f093dd66419ef801b
SHA256 4f5a26e02022c8e480e3bba16fdbe3c9e19f95ccfded922fdb911403ef1ae0c4
SHA512 54389f2ec50d6447f89b15268f4daa3b9a6a0f7c0609648754eaeb6bd6e159c800f1f29f759bd56f42ab6249b246a95081d1e0e9fdd43e56ff2104a7ce458168

memory/1956-170-0x0000000000000000-mapping.dmp

\Program Files (x86)\LP\CD14\E052.tmp

MD5 29c0a1942c5efa556fcf06cdb27e6b43
SHA1 1f4897b7091c159f7402237f093dd66419ef801b
SHA256 4f5a26e02022c8e480e3bba16fdbe3c9e19f95ccfded922fdb911403ef1ae0c4
SHA512 54389f2ec50d6447f89b15268f4daa3b9a6a0f7c0609648754eaeb6bd6e159c800f1f29f759bd56f42ab6249b246a95081d1e0e9fdd43e56ff2104a7ce458168

C:\Program Files (x86)\LP\CD14\E052.tmp

MD5 29c0a1942c5efa556fcf06cdb27e6b43
SHA1 1f4897b7091c159f7402237f093dd66419ef801b
SHA256 4f5a26e02022c8e480e3bba16fdbe3c9e19f95ccfded922fdb911403ef1ae0c4
SHA512 54389f2ec50d6447f89b15268f4daa3b9a6a0f7c0609648754eaeb6bd6e159c800f1f29f759bd56f42ab6249b246a95081d1e0e9fdd43e56ff2104a7ce458168

memory/1956-173-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1956-174-0x000000000060A000-0x0000000000619000-memory.dmp

C:\Users\Admin\3nua.exe

MD5 0fcecac14065f03c4f83bf5ae6ac415b
SHA1 f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA256 79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA512 49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

memory/1168-175-0x0000000000000000-mapping.dmp

memory/1956-179-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1956-180-0x000000000060A000-0x0000000000619000-memory.dmp

memory/1168-181-0x0000000000400000-0x000000000046A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-20 05:53

Reported

2022-11-20 05:56

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\aUY5E15SY8.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\jonog.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\aUY5E15SY8.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\3nua.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\aUY5E15SY8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /j" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /L" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /A" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /r" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /c" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /Y" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /D" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /l" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /p" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /W" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /G" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /n" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /s" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /I" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /B" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /m" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /k" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /M" C:\Users\Admin\jonog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /V" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /w" C:\Users\Admin\jonog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\aUY5E15SY8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /N" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /d" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /Q" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /q" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /y" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /P" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /R" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /x" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /b" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /Z" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /O" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /f" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /S" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /U" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /K" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /E" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /h" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /z" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /g" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /i" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /T" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /X" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /C" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /e" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /t" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /Z" C:\Users\Admin\aUY5E15SY8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /a" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /F" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /u" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /J" C:\Users\Admin\jonog.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jonog = "C:\\Users\\Admin\\jonog.exe /o" C:\Users\Admin\jonog.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\2nua.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\2nua.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\2nua.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\2nua.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4844 set thread context of 1392 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 set thread context of 1056 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 set thread context of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 set thread context of 4980 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 set thread context of 2076 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\aUY5E15SY8.exe N/A
N/A N/A C:\Users\Admin\aUY5E15SY8.exe N/A
N/A N/A C:\Users\Admin\aUY5E15SY8.exe N/A
N/A N/A C:\Users\Admin\aUY5E15SY8.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\2nua.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A
N/A N/A C:\Users\Admin\jonog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\aUY5E15SY8.exe
PID 764 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\aUY5E15SY8.exe
PID 764 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\aUY5E15SY8.exe
PID 764 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\2nua.exe
PID 764 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\2nua.exe
PID 764 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\2nua.exe
PID 1256 wrote to memory of 2444 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Users\Admin\jonog.exe
PID 1256 wrote to memory of 2444 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Users\Admin\jonog.exe
PID 1256 wrote to memory of 2444 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Users\Admin\jonog.exe
PID 1256 wrote to memory of 4872 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 4872 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 4872 N/A C:\Users\Admin\aUY5E15SY8.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 1392 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1392 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1392 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1392 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1056 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1056 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1056 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1056 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1056 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1056 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1056 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 1056 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 5068 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 4980 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 4980 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 4980 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 4980 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 4980 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 4980 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 4980 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 4980 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 2076 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 2076 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 2076 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 2076 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 2076 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 2076 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 2076 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 4844 wrote to memory of 2076 N/A C:\Users\Admin\2nua.exe C:\Users\Admin\2nua.exe
PID 764 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\3nua.exe
PID 764 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\3nua.exe
PID 764 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe C:\Users\Admin\3nua.exe
PID 4872 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4872 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4872 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2444 wrote to memory of 1368 N/A C:\Users\Admin\jonog.exe C:\Windows\SysWOW64\tasklist.exe
PID 2444 wrote to memory of 1368 N/A C:\Users\Admin\jonog.exe C:\Windows\SysWOW64\tasklist.exe
PID 2444 wrote to memory of 1368 N/A C:\Users\Admin\jonog.exe C:\Windows\SysWOW64\tasklist.exe
PID 2444 wrote to memory of 1368 N/A C:\Users\Admin\jonog.exe C:\Windows\SysWOW64\tasklist.exe
PID 2444 wrote to memory of 1368 N/A C:\Users\Admin\jonog.exe C:\Windows\SysWOW64\tasklist.exe
PID 2444 wrote to memory of 1368 N/A C:\Users\Admin\jonog.exe C:\Windows\SysWOW64\tasklist.exe
PID 2444 wrote to memory of 1368 N/A C:\Users\Admin\jonog.exe C:\Windows\SysWOW64\tasklist.exe
PID 2444 wrote to memory of 1368 N/A C:\Users\Admin\jonog.exe C:\Windows\SysWOW64\tasklist.exe
PID 2444 wrote to memory of 1368 N/A C:\Users\Admin\jonog.exe C:\Windows\SysWOW64\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe

"C:\Users\Admin\AppData\Local\Temp\96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe"

C:\Users\Admin\aUY5E15SY8.exe

C:\Users\Admin\aUY5E15SY8.exe

C:\Users\Admin\2nua.exe

C:\Users\Admin\2nua.exe

C:\Users\Admin\jonog.exe

"C:\Users\Admin\jonog.exe"

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del aUY5E15SY8.exe

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1392 -ip 1392

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Users\Admin\2nua.exe

"C:\Users\Admin\2nua.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 80

C:\Users\Admin\3nua.exe

C:\Users\Admin\3nua.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1776 -ip 1776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 632

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del 96ef3f01a6f2853e3ea2e57ac5a9b4350e4128d4600a2977a8e0ef6917d63fb4.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

Network

Country Destination Domain Proto
N/A 178.79.208.1:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 face-book.uk.to udp
N/A 127.0.0.2:80 tcp
N/A 20.224.254.73:443 tcp
N/A 20.42.72.131:443 tcp
N/A 8.253.135.241:80 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.253.135.241:80 tcp

Files

memory/1256-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\aUY5E15SY8.exe

MD5 380575fdf47f22e24cc214c89f098f9d
SHA1 5d5584fab3dc5267ffacfd4c331555f4f7703fb6
SHA256 04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
SHA512 70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2

C:\Users\Admin\aUY5E15SY8.exe

MD5 380575fdf47f22e24cc214c89f098f9d
SHA1 5d5584fab3dc5267ffacfd4c331555f4f7703fb6
SHA256 04fc572ba5e2e941d3510ed1504cc04490c7f5ff3ec651e6c8ffd6645ef2e0c9
SHA512 70ce73ac9a14224c608e1ab60e21dd8bbd5ebcc8c75bb670c0861c8fc4a478965d39a450d32907ff90baa3a8a2fc9e50a9cc8d7385a330b373d3c9854cc8e7e2

memory/4844-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/2444-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\jonog.exe

MD5 d6099020829a02dc26fe7df6283b330b
SHA1 ae0445340db92124e88afeb72987738626e4bf22
SHA256 a5180b8cdfd32bc7b154b0c4c64d9fbd3f26896e02f05768231518cde7e16bca
SHA512 00d3a4df1b1fb33d9ecc140f574b7e416bdf932a005806c044ebc2b73f28afb11f976919514f818c68d422d5479f0d7834dff32e5201380bcb767381f0180229

C:\Users\Admin\jonog.exe

MD5 d6099020829a02dc26fe7df6283b330b
SHA1 ae0445340db92124e88afeb72987738626e4bf22
SHA256 a5180b8cdfd32bc7b154b0c4c64d9fbd3f26896e02f05768231518cde7e16bca
SHA512 00d3a4df1b1fb33d9ecc140f574b7e416bdf932a005806c044ebc2b73f28afb11f976919514f818c68d422d5479f0d7834dff32e5201380bcb767381f0180229

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/1056-152-0x0000000000000000-mapping.dmp

memory/1392-149-0x0000000000000000-mapping.dmp

memory/4872-147-0x0000000000000000-mapping.dmp

memory/1056-153-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1056-156-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/5068-157-0x0000000000000000-mapping.dmp

memory/1056-160-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5068-162-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4980-164-0x0000000000000000-mapping.dmp

memory/4980-165-0x0000000000400000-0x0000000000407000-memory.dmp

memory/5068-163-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/5068-159-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1056-158-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/4980-168-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2076-169-0x0000000000000000-mapping.dmp

memory/2076-170-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4980-171-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\2nua.exe

MD5 b64185be04a7c3882871c07358450544
SHA1 6dd00c5f29490e210639ac155e732f7c33e746af
SHA256 c7968bba96e5bc1c47dd24c4b61763eb9d227e89bb259add8ac010711a875f0d
SHA512 604aa723229eddd5225c13d64993966d9a79f0e34aa6b31bb8cfc00e1765319886eaefff276222831e6c5a82cf50634f04a9d59c141329b07a632fc586e4ed21

memory/2076-176-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2076-174-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5068-180-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4980-181-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2076-182-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1776-183-0x0000000000000000-mapping.dmp

C:\Users\Admin\3nua.exe

MD5 0fcecac14065f03c4f83bf5ae6ac415b
SHA1 f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA256 79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA512 49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

memory/1776-186-0x0000000000400000-0x000000000046A000-memory.dmp

memory/2076-187-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\3nua.exe

MD5 0fcecac14065f03c4f83bf5ae6ac415b
SHA1 f71aa4708e16a2a3bf15e2a99cc0ce609b08769b
SHA256 79f4527215b4a213f69cf618440202131afa6eb61d2bc6046b718dd4b4ddb787
SHA512 49195c9f00c434228dd76151042dc03f7f87b77438734861face0f4ec40391649ed784aaf82b756113a55d55126c9b18c27e44d0c47ca75564ea079eed161003

memory/1368-188-0x0000000000000000-mapping.dmp

memory/1056-189-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1828-190-0x0000000000000000-mapping.dmp

memory/3364-191-0x0000000000000000-mapping.dmp

memory/5068-192-0x0000000000400000-0x0000000000459000-memory.dmp