Malware Analysis Report

2024-08-06 09:28

Sample ID 230211-m3msashg63
Target 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.sample
SHA256 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
Tags

ryuk persistence ransomware

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Threat Level: Known bad

The file 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.sample was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware

Ryuk

Modifies extensions of user files

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-02-11 10:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-11 10:59

Reported

2023-02-11 11:01

Platform

win7-20220812-en

Max time kernel

51s

Max time network

45s

Command Line

"taskhost.exe"

Signatures

Ryuk

ransomware ryuk

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\ConfirmCompress.tiff | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\NewSuspend.tiff | C:\Windows\system32\taskhost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\users\Public\PQveL.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\users\Public\PQveL.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\PQveL.exe" | C:\Windows\system32\reg.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105286.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00462_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewDblClick.js | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Miquelon | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00086_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14980_.GIF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR1F.GIF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR21F.GIF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\AUTHORS.txt | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\EST5 | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00120_.GIF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00262_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00100_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00272_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00466_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\handsafe.reg | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\adovbs.inc | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ks_IN\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.ELM | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\PREVIEW.GIF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.PH.XML | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14530_.GIF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\TOOT.WAV | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Macau | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00910_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00683_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00403_.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\logging.properties | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107302.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105588.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239973.WMF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46F.GIF | C:\Windows\system32\taskhost.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\users\Public\PQveL.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\users\Public\PQveL.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

"C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"

C:\users\Public\PQveL.exe

"C:\users\Public\PQveL.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\PQveL.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\PQveL.exe" /f

Network

N/A

Files

memory/1916-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

\Users\Public\PQveL.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/1656-56-0x0000000000000000-mapping.dmp

C:\Users\Public\PQveL.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/1656-58-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

memory/1616-59-0x0000000000000000-mapping.dmp

memory/1128-60-0x000000013FB20000-0x000000013FEAE000-memory.dmp

memory/844-62-0x0000000000000000-mapping.dmp

memory/1128-63-0x000000013FB20000-0x000000013FEAE000-memory.dmp

memory/1128-66-0x000000013FB20000-0x000000013FEAE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-11 10:59

Reported

2023-02-11 11:00

Platform

win10v2004-20220901-en

Max time kernel

9s

Max time network

16s

Command Line

sihost.exe

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\users\Public\qNpxX.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\users\Public\qNpxX.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\qNpxX.exe" | C:\Windows\system32\reg.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\users\Public\qNpxX.exe | N/A
N/A | N/A | C:\users\Public\qNpxX.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\users\Public\qNpxX.exe | N/A

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

"C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"

C:\users\Public\qNpxX.exe

"C:\users\Public\qNpxX.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\qNpxX.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\qNpxX.exe" /f

Network

Country | Destination | Domain | Proto
US | 67.24.25.254:80 |  | tcp

Files

memory/1028-132-0x0000000000000000-mapping.dmp

C:\Users\Public\qNpxX.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

C:\users\Public\qNpxX.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/5016-135-0x0000000000000000-mapping.dmp

memory/1380-136-0x0000000000000000-mapping.dmp

memory/2388-137-0x00007FF7BF2B0000-0x00007FF7BF63E000-memory.dmp

memory/2400-138-0x00007FF7BF2B0000-0x00007FF7BF63E000-memory.dmp