Analysis Overview
SHA256
f2028b4fb0b43abc5a062bd359622b254dbf0e301f2a8b842d062896ca24692b
Threat Level: Known bad
The file f2028b4fb0b43abc5a062bd35_JC.exe was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
GoLang User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-29 16:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-29 16:54
Reported
2023-07-29 16:57
Platform
win7-20230712-en
Max time kernel
135s
Max time network
135s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe"
C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe
"C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 185.209.161.53:80 | 185.209.161.53 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| NL | 45.159.189.33:80 | 45.159.189.33 | tcp |
Files
memory/2092-54-0x0000000002CE0000-0x0000000002DE0000-memory.dmp
memory/2092-55-0x0000000000400000-0x0000000002B4C000-memory.dmp
memory/2092-56-0x0000000000220000-0x000000000023B000-memory.dmp
memory/2092-57-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2092-135-0x0000000000400000-0x0000000002B4C000-memory.dmp
memory/2092-136-0x0000000002CE0000-0x0000000002DE0000-memory.dmp
\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe
| MD5 | 299a2d8412301a6c84f2da3c446943c2 |
| SHA1 | 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc |
| SHA256 | 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f |
| SHA512 | 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a |
C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe
| MD5 | 299a2d8412301a6c84f2da3c446943c2 |
| SHA1 | 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc |
| SHA256 | 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f |
| SHA512 | 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a |
memory/588-140-0x0000000001D90000-0x0000000002551000-memory.dmp
memory/568-141-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-142-0x00000000777B0000-0x0000000077959000-memory.dmp
memory/568-143-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-144-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-145-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-147-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-146-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-148-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-149-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-151-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-150-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-152-0x0000000000090000-0x0000000000851000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HJDBAFIECG.exe
| MD5 | 299a2d8412301a6c84f2da3c446943c2 |
| SHA1 | 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc |
| SHA256 | 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f |
| SHA512 | 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a |
memory/588-154-0x0000000001D90000-0x0000000002551000-memory.dmp
memory/568-155-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-156-0x0000000000090000-0x0000000000851000-memory.dmp
memory/568-157-0x00000000777B0000-0x0000000077959000-memory.dmp
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | e262eb8dac4f049ec2cf698bccf225e0 |
| SHA1 | 378927058f97cf3ca9227c298e148d1223144f54 |
| SHA256 | f0c2ddbf6e3ca9da1b9d1ebe994d6dff7475d58d66869ae75337182eb34dbab7 |
| SHA512 | f508d2d75f62ff8ea687ffec934b857fc220ffbd3880d9740a4fcdd9214169a92fb7907f646d11f200fd8f67099e369662d4e13768bb60ef5202aa6139371de0 |
memory/568-163-0x0000000000090000-0x0000000000851000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 585197ffe875b710b1abb7be0a0a0b23 |
| SHA1 | f9d4a73afcdab42c0afeb692f5887277b5cef8b6 |
| SHA256 | 5bb1f9f385e2fee2a3e061603b833aa84dec1e9590de17f2851c0f9eb3b2813a |
| SHA512 | be9cc444f6e39cf4dc860b3b1a75e36cb34b48f50a069d45c758e856036b5eb75be35220391a0bcc0ffe5b646dfd9041d477ddb33c1c95410bda67aa3b3b4bde |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | e615f5d7b40e2a3fad7b5531016ea437 |
| SHA1 | fb5e387899691d6dca17818e3bc107a4b6e0aee0 |
| SHA256 | bdf37e704f5554b96301ce3aebb36229d459bca1932ebc621634b0e1d237d309 |
| SHA512 | b5454abcd7b15ca345cc3a1ac2a3fb4363b964f1f3b80f60e78f9ea869066f68510de8bea7f6d188414c8e6c503b3e8043c4953c8a494a2d50348a031ca4048f |
memory/568-161-0x0000000028640000-0x0000000028E01000-memory.dmp
memory/568-165-0x00000000777B0000-0x0000000077959000-memory.dmp
memory/620-164-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-166-0x00000000777B0000-0x0000000077959000-memory.dmp
memory/620-167-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-168-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-169-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-170-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-171-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-172-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-173-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-174-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-175-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-176-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-177-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-178-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-179-0x00000000777B0000-0x0000000077959000-memory.dmp
memory/620-180-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-181-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-182-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-183-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-186-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-187-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-188-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-189-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-190-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-191-0x0000000000CC0000-0x0000000001481000-memory.dmp
memory/620-192-0x0000000000CC0000-0x0000000001481000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-29 16:54
Reported
2023-07-29 16:57
Platform
win10v2004-20230703-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1880 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1880 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1880 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3884 wrote to memory of 388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe |
| PID 3884 wrote to memory of 388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe |
| PID 388 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 388 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe"
C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe
"C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| NL | 185.209.161.53:80 | 185.209.161.53 | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.161.209.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| NL | 45.159.189.33:80 | 45.159.189.33 | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.189.159.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/1880-134-0x0000000002BD0000-0x0000000002CD0000-memory.dmp
memory/1880-135-0x0000000000400000-0x0000000002B4C000-memory.dmp
memory/1880-136-0x0000000004890000-0x00000000048AB000-memory.dmp
memory/1880-137-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/1880-217-0x0000000000400000-0x0000000002B4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe
| MD5 | 299a2d8412301a6c84f2da3c446943c2 |
| SHA1 | 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc |
| SHA256 | 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f |
| SHA512 | 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a |
C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe
| MD5 | 299a2d8412301a6c84f2da3c446943c2 |
| SHA1 | 0f4b455e8a8f0fc278a7fe91db90fafaccfe04fc |
| SHA256 | 51a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f |
| SHA512 | 751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a |
memory/388-221-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/1880-222-0x0000000002BD0000-0x0000000002CD0000-memory.dmp
memory/388-223-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp
memory/388-224-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-225-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-226-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-227-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-228-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-229-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-230-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-231-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-232-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-233-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-234-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-235-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-237-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp
memory/388-238-0x0000000000580000-0x0000000000D41000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 1862c7f8b120b2f0a9133ff4b0ad7f64 |
| SHA1 | 2a2122d841257e9b671abcaf2cfda3dc358c2021 |
| SHA256 | 73927744d7a575ee4ebe651661976e182f50d5028e18e47ef498ed423c2d4702 |
| SHA512 | cbc299c6b0d68c8d9671f0942febe131ad34e27a936d561224fd4ad08c11b9ae1622cbf84bc28769b16645c0568996672cf413e33589363b469e603333472d01 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 2d2887985dd73f786a95d2b7043cc770 |
| SHA1 | a222655555866b1c73377d7cc9665fd487c4e342 |
| SHA256 | df56c0a98ad39f3c83956465e56d87225ebc76fc15a1e3157d20f9f87626ace3 |
| SHA512 | e430f7433ceef83b89da25b8baeaa58f439ab1e9d50c95b5d544f80228e484f97975fe3beeba2079b1806e3b3e881fbee53a41f9c0e350e019a39983dac5c89b |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | efb14643318e7f89c29c0e7330075b8b |
| SHA1 | 79e62d0707f005632d9b93df68adf9f8c6a849bd |
| SHA256 | b9513c15d6d94f864c85067d46a943f8418a68a42d8a82d4e7df9902c19a6b68 |
| SHA512 | 4a6836db5bd3046b8eef2c4cf7e3820e3a27f123a8f7651c636f95606e640610b16aa5b52f107823a907b4a9b9f786df4b4d218478f32064fc5656f556ab1090 |
memory/2228-243-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/388-242-0x0000000000580000-0x0000000000D41000-memory.dmp
memory/388-244-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp
memory/2228-245-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-246-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp
memory/2228-247-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-248-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-249-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-250-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-251-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-253-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-254-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-255-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-256-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-257-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-258-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-260-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-261-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-262-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-263-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-264-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-265-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-266-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-267-0x00007FFCD78F0000-0x00007FFCD7AE5000-memory.dmp
memory/2228-268-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-269-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-270-0x0000000000670000-0x0000000000E31000-memory.dmp
memory/2228-271-0x0000000000670000-0x0000000000E31000-memory.dmp