Malware Analysis Report

2024-09-22 11:25

Sample ID 230813-w658gsdg67
Target URLhaus.rar
SHA256 31fcc1a7c79fa0e760d81e479154824551be394658821275380c9fc45343ae22
Tags
hawkeye remcos host keylogger persistence rat spyware stealer trojan xmrig miner upx formbook da el azorult infostealer pony remotehost lokibot
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files: behavioral4, behavioral14, behavioral23, behavioral31, behavioral3, behavioral8, behavioral21, behavioral22, behavioral17, behavioral28, behavioral32, behavioral1, behavioral7, behavioral13, behavioral26, behavioral27, behavioral12, behavioral15, behavioral19, behavioral24, behavioral30, behavioral5, behavioral6, behavioral9, behavioral10, behavioral29, behavioral18, behavioral20, behavioral25, behavioral2, behavioral11, behavioral16

Analysis Overview

score
10/10

SHA256

31fcc1a7c79fa0e760d81e479154824551be394658821275380c9fc45343ae22

Threat Level: Known bad

The file URLhaus.rar was found to be: Known bad.

Malicious Activity Summary

hawkeye remcos host keylogger persistence rat spyware stealer trojan xmrig miner upx formbook da el azorult infostealer pony remotehost lokibot

Remcos

Pony family

Azorult

Formbook

Pony,Fareit

Formbook family

HawkEye

xmrig

Lokibot

Formbook payload

Nirsoft

NirSoft WebBrowserPassView

XMRig Miner payload

NirSoft MailPassView

Formbook payload

Sets file execution options in registry

Reads user/profile data of web browsers

Drops startup file

Uses the VBS compiler for execution

UPX packed file

Deletes itself

Loads dropped DLL

Executes dropped EXE

Reads data files stored by FTP clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Enumerates connected drives

Adds Run key to start application

Creates a Windows Service

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Runs net.exe

Suspicious behavior: RenamesItself

Runs ping.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-08-13 18:33

Signatures

Formbook family

formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Pony family

pony

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (32 identical rows)

Analysis: behavioral4

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

42s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\B000CEF.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows)

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows)

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs" C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft HD Video Card = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft HD Video Card\\Microsoft HD Video Card.exe\"" C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Local\Temp\hkj.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A (3 identical rows)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2908 set thread context of 3024 N/A C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
PID 768 set thread context of 1728 N/A C:\Users\Admin\AppData\Local\Temp\hkj.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hkj.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hkj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\B000CEF.exe C:\Users\Admin\AppData\Local\Temp\hkj.exe (4 identical rows)
PID 2108 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\B000CEF.exe C:\Windows\SysWOW64\WScript.exe (4 identical rows)
PID 876 wrote to memory of 2908 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe (4 identical rows)
PID 2908 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe (11 identical rows)
PID 3024 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe C:\Windows\SysWOW64\cmd.exe (7 identical rows)
PID 2780 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (4 identical rows)
PID 2780 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe (4 identical rows)
PID 768 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\hkj.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (10 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\B000CEF.exe

"C:\Users\Admin\AppData\Local\Temp\B000CEF.exe"

C:\Users\Admin\AppData\Local\Temp\hkj.exe

"C:\Users\Admin\AppData\Local\Temp\hkj.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe

"C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Users\Admin\AppData\Local\Temp\hkj.exe

"C:\Users\Admin\AppData\Local\Temp\hkj.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.alltracklogistic.com udp

Files

memory/2108-56-0x0000000000240000-0x0000000000246000-memory.dmp

\Users\Admin\AppData\Local\Temp\hkj.exe

MD5 8ba91c5ee18ce3e77385e4ef118b6e2b
SHA1 666c3a425c580da29b4b7b45ab5454c8130131e6
SHA256 fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351
SHA512 fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e

C:\Users\Admin\AppData\Local\Temp\hkj.exe

MD5 8ba91c5ee18ce3e77385e4ef118b6e2b
SHA1 666c3a425c580da29b4b7b45ab5454c8130131e6
SHA256 fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351
SHA512 fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs

MD5 7243d7fb56013167c127d817f6898fb7
SHA1 40c558090177c395def62474e43ce792b2a6b306
SHA256 2fe714713ff3bdb5451e746e1665b23dcfe343daca0e0e8669286a63ce4bda5c
SHA512 4e2f07fe1613b2fe082446c90374c5a76f47521a03421b3cf78a188ab0071a13c6320922f5024ef7b075c11e8efa0e4727194d987fcadcf85b86f6ab50b65414

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

memory/768-70-0x0000000073FF0000-0x000000007459B000-memory.dmp

\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

memory/768-75-0x0000000000990000-0x00000000009D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

memory/768-71-0x0000000073FF0000-0x000000007459B000-memory.dmp

\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

memory/768-81-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/3024-82-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

memory/3024-85-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3024-86-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 a3abafcae47dcd72799ac7e8d652a754
SHA1 5799f0fd21f9dcd89c2e103ce0dbfdb96e856bd6
SHA256 ccb37eb9a989ad65d11ef5b384e70050cb93bbb9fad83c7dfa6e0041786db8f7
SHA512 37b4b30223323f622e9aaa5d96eb3038285087c92de6972852bdfe681ba3c49afd7503518991e4abb3d95ee64dbbb3eec736d1824ee1804e78bc4c181543bbe6

memory/3024-96-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 a3abafcae47dcd72799ac7e8d652a754
SHA1 5799f0fd21f9dcd89c2e103ce0dbfdb96e856bd6
SHA256 ccb37eb9a989ad65d11ef5b384e70050cb93bbb9fad83c7dfa6e0041786db8f7
SHA512 37b4b30223323f622e9aaa5d96eb3038285087c92de6972852bdfe681ba3c49afd7503518991e4abb3d95ee64dbbb3eec736d1824ee1804e78bc4c181543bbe6

memory/768-99-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/768-100-0x0000000000990000-0x00000000009D0000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

MD5 8ba91c5ee18ce3e77385e4ef118b6e2b
SHA1 666c3a425c580da29b4b7b45ab5454c8130131e6
SHA256 fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351
SHA512 fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e

memory/768-109-0x0000000000990000-0x00000000009D0000-memory.dmp

memory/1728-110-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1728-112-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1728-113-0x0000000000400000-0x000000000041B000-memory.dmp

\Users\Admin\AppData\Local\Temp\hkj.exe

MD5 8ba91c5ee18ce3e77385e4ef118b6e2b
SHA1 666c3a425c580da29b4b7b45ab5454c8130131e6
SHA256 fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351
SHA512 fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e

memory/1972-120-0x0000000000BC0000-0x0000000000C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs

MD5 7243d7fb56013167c127d817f6898fb7
SHA1 40c558090177c395def62474e43ce792b2a6b306
SHA256 2fe714713ff3bdb5451e746e1665b23dcfe343daca0e0e8669286a63ce4bda5c
SHA512 4e2f07fe1613b2fe082446c90374c5a76f47521a03421b3cf78a188ab0071a13c6320922f5024ef7b075c11e8efa0e4727194d987fcadcf85b86f6ab50b65414

memory/1972-117-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/1972-121-0x0000000073FF0000-0x000000007459B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hkj.exe

MD5 8ba91c5ee18ce3e77385e4ef118b6e2b
SHA1 666c3a425c580da29b4b7b45ab5454c8130131e6
SHA256 fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351
SHA512 fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs

MD5 7243d7fb56013167c127d817f6898fb7
SHA1 40c558090177c395def62474e43ce792b2a6b306
SHA256 2fe714713ff3bdb5451e746e1665b23dcfe343daca0e0e8669286a63ce4bda5c
SHA512 4e2f07fe1613b2fe082446c90374c5a76f47521a03421b3cf78a188ab0071a13c6320922f5024ef7b075c11e8efa0e4727194d987fcadcf85b86f6ab50b65414

\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

MD5 bfb076afe618ce5d6a3cf05d3ac4e74b
SHA1 e5fdb1ab41354d3b793015a80b98bfd17a5098f2
SHA256 c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0
SHA512 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d

memory/1972-128-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/1728-129-0x0000000000400000-0x000000000041B000-memory.dmp

memory/768-130-0x0000000000990000-0x00000000009D0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

21s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin2.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Processes

C:\Users\Admin\AppData\Local\Temp\bin2.exe

"C:\Users\Admin\AppData\Local\Temp\bin2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 log.b4mb4m.ru udp

Files

C:\Users\Admin\AppData\Roaming\pts2W6U4Q1Q9X\General\forms.txt

MD5 fbf2b0ea6fdc6fe3148bd600729d5fac
SHA1 2c0aad6ae361763eddc2668a9493f434d6a972bd
SHA256 c794c993f1d9125029477df973401ae082c56b53f1d7e461258537aa7efc5797
SHA512 29547388d261c54a031e97f0beeaf3bba67949a4a178ab5df39091d7e8e8a66415bc1f9dabd518eb7ceb7c01868b124575c7a16e41ed4e180a9df872847e57fb

Analysis: behavioral23

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

21s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Network

N/A

Files

memory/2528-54-0x00000000010E0000-0x0000000001134000-memory.dmp

memory/2528-55-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2528-56-0x0000000004BD0000-0x0000000004C10000-memory.dmp

memory/2528-57-0x0000000000760000-0x00000000007A6000-memory.dmp

memory/2528-58-0x00000000009C0000-0x0000000000A06000-memory.dmp

memory/2528-59-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2528-60-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

22s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uyo.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uyo.exe

"C:\Users\Admin\AppData\Local\Temp\uyo.exe"

Network

N/A

Files

memory/2552-54-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2552-55-0x0000000000400000-0x0000000000490000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

31s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b282d34fv2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6b282d34fv2.exe

"C:\Users\Admin\AppData\Local\Temp\6b282d34fv2.exe"

Network

N/A

Files

memory/1672-54-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1672-55-0x0000000000400000-0x0000000000519000-memory.dmp

memory/1672-56-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

12s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TerracottaGUI.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TerracottaGUI.exe

"C:\Users\Admin\AppData\Local\Temp\TerracottaGUI.exe"

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

24s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe

"C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 564

Network

N/A

Files

memory/3008-54-0x00000000747E0000-0x0000000074ECE000-memory.dmp

memory/3008-53-0x00000000002A0000-0x0000000000330000-memory.dmp

memory/3008-55-0x00000000048D0000-0x0000000004910000-memory.dmp

memory/3008-56-0x00000000747E0000-0x0000000074ECE000-memory.dmp

memory/3008-57-0x00000000048D0000-0x0000000004910000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

31s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\scvsots.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe C:\Windows\scvsots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" C:\Windows\scvsots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" C:\Windows\scvsots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe C:\Windows\scvsots.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe C:\Windows\scvsots.exe N/A

UPX packed file

upx

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\R: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\V: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\B: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\S: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\Y: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\T: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\U: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\E: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\G: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\K: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\L: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\N: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\Q: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\W: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\X: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\Z: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\A: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\H: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\I: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\J: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\M: C:\Windows\scvsots.exe N/A
File opened (read-only) \??\O: C:\Windows\scvsots.exe N/A

Creates a Windows Service

persistence

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\zmtrwm.exe C:\Windows\TEMP\opperce.exe N/A
File opened for modification C:\Windows\SysWOW64\zmtrwm.exe C:\Windows\TEMP\opperce.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\scvsots.exe N/A
File created C:\Windows\SysWOW64\ooaaya.exe C:\Windows\TEMP\wimnat.exe N/A
File opened for modification C:\Windows\SysWOW64\ooaaya.exe C:\Windows\TEMP\wimnat.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\scvsots.exe C:\Users\Admin\AppData\Local\Temp\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\ssleay32.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\cnli-1.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\libeay32.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\coli-0.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\AppCapture_x64.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\spoolsrv.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\AppCapture_x64.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\crli-0.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\trch-1.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\spoolsrv.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\svchost.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\svchost.exe C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\svchost.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.xml C:\Windows\scvsots.exe N/A
File opened for modification C:\Windows\svchost.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\libeay32.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\libxml2.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\AppCapture_x32.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\coli-0.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\crli-0.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\tibe-2.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\tucl-1.dll C:\Windows\scvsots.exe N/A
File opened for modification C:\Windows\spoolsrv.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\tibe-2.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\exma-1.dll C:\Windows\scvsots.exe N/A
File opened for modification C:\Windows\InfusedAppe\Priess\ip.txt C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\svchost.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\ucl.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\ucl.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\svchost.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\exma-1.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\posh-0.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.exe C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\trch-1.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\scvsots.exe C:\Users\Admin\AppData\Local\Temp\scvsots.exe N/A
File created C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\cnli-1.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\tucl-1.dll C:\Windows\scvsots.exe N/A
File opened for modification C:\Windows\ime\scvsots.exe C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\libxml2.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\ssleay32.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\trfo-2.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\svchost.exe C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\trfo-2.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\AppCapture_x32.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\xdvl-0.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\Corporate\scvhost.exe C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\Priess\ip.txt C:\Windows\scvsots.exe N/A
File created C:\Windows\ime\scvsots.exe C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\zlib1.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\spoolsrv.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\posh-0.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.exe C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\UnattendGC\specials\xdvl-0.dll C:\Windows\scvsots.exe N/A
File created C:\Windows\svchost.xml C:\Windows\scvsots.exe N/A
File created C:\Windows\InfusedAppe\LocalService\specials\zlib1.dll C:\Windows\scvsots.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\ooaaya.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\ooaaya.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\scvsots.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadDecision = "0" C:\Windows\scvsots.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8\WpadDecisionTime = 4058a0ae14ced901 C:\Windows\scvsots.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\scvsots.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadDecisionTime = 4058a0ae14ced901 C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\SysWOW64\ooaaya.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\scvsots.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\scvsots.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadDecisionReason = "1" C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\scvsots.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\26-77-e4-86-2b-a8 C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\ooaaya.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadNetworkName = "Network 2" C:\Windows\scvsots.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8\WpadDecisionReason = "1" C:\Windows\scvsots.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" C:\Windows\SysWOW64\ooaaya.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8 C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\scvsots.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8\WpadDecision = "0" C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum C:\Windows\SysWOW64\ooaaya.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\scvsots.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890} C:\Windows\scvsots.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\scvsots.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\scvsots.exe N/A

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\ime\scvsots.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\SysWOW64\ooaaya.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\SysWOW64\ooaaya.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\SysWOW64\ooaaya.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\SysWOW64\ooaaya.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\SysWOW64\ooaaya.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\SysWOW64\ooaaya.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\SysWOW64\ooaaya.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\SysWOW64\ooaaya.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A
N/A N/A C:\Windows\scvsots.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\scvsots.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\scvsots.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2896 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2896 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2896 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2896 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 276 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 276 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 276 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 276 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 276 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 276 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 276 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 276 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2180 wrote to memory of 2716 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2716 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2716 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2716 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2152 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2152 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2152 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2152 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2820 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2820 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2820 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2820 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\Networks\taskmgr.exe
PID 2180 wrote to memory of 2740 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2740 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2740 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2740 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2760 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2760 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2760 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2760 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2780 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2780 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2780 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2780 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2828 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2828 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2828 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2828 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2540 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2540 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2540 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2540 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 308 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 308 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 308 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 308 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2340 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2340 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2340 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2340 N/A C:\Windows\scvsots.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2692 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\wimnat.exe
PID 2180 wrote to memory of 2692 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\wimnat.exe
PID 2180 wrote to memory of 2692 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\wimnat.exe
PID 2180 wrote to memory of 2692 N/A C:\Windows\scvsots.exe C:\Windows\TEMP\wimnat.exe
PID 2760 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2760 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2760 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2760 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 308 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 308 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 308 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 308 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\scvsots.exe

"C:\Users\Admin\AppData\Local\Temp\scvsots.exe"

C:\Windows\scvsots.exe

C:\Windows\scvsots.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /delete /tn * /f

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /delete /tn * /f

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c sc config LanmanServer start= disabled

C:\Windows\TEMP\wimnat.exe

C:\Windows\TEMP\wimnat.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F"

C:\Windows\SysWOW64\cmd.exe

cmd /c net stop LanmanServer

C:\Windows\SysWOW64\cmd.exe

cmd /c net stop MpsSvc

C:\Windows\SysWOW64\cmd.exe

cmd /c net stop SharedAccess

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /create /sc minute /mo 1 /tn "Flash" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F"

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks /create /sc minute /mo 1 /tn "Miscfost" /ru system /tr "cmd /c C:\Windows\ime\scvsots.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Miscfost" /ru system /tr "cmd /c C:\Windows\ime\scvsots.exe"

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\net.exe

net stop LanmanServer

C:\Windows\SysWOW64\sc.exe

sc config LanmanServer start= disabled

C:\Windows\SysWOW64\net.exe

net stop SharedAccess

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Flash" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"

C:\Windows\SysWOW64\ooaaya.exe

C:\Windows\SysWOW64\ooaaya.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop LanmanServer

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop SharedAccess

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\opperce.exe

C:\Windows\TEMP\opperce.exe

C:\Windows\SysWOW64\zmtrwm.exe

C:\Windows\SysWOW64\zmtrwm.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {D1562A46-51A3-4022-A1A0-2D7E6427549E} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\cmd.EXE

C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F

C:\Windows\system32\cmd.EXE

C:\Windows\system32\cmd.EXE /c C:\Windows\ime\scvsots.exe

C:\Windows\system32\cmd.EXE

C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\cacls.exe

cacls C:\Windows\scvsots.exe /p everyone:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\ime\scvsots.exe

C:\Windows\ime\scvsots.exe

C:\Windows\system32\cacls.exe

cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

C:\Windows\TEMP\Networks\taskmgr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a88.bulehero.in udp
US 206.191.152.37:57890 a88.bulehero.in tcp
US 8.8.8.8:53 a88.heroherohero.info udp
N/A 10.127.0.110:80 tcp
N/A 10.127.0.110:80 tcp
N/A 10.127.0.1:32998 tcp
US 8.8.8.8:53 a45.bulehero.in udp
US 206.191.152.37:1356 a45.bulehero.in tcp
US 8.8.8.8:53 off.heroherohero.info udp
US 206.191.152.37:1356 a45.bulehero.in tcp
US 8.8.8.8:53 2018.ip138.com udp
CN 59.57.14.11:80 2018.ip138.com tcp
US 206.191.152.37:1356 a45.bulehero.in tcp
US 206.191.152.37:1356 a45.bulehero.in tcp
US 206.191.152.37:1356 a45.bulehero.in tcp
US 206.191.152.37:1356 a45.bulehero.in tcp
US 206.191.152.37:1356 a45.bulehero.in tcp
US 206.191.152.37:1356 a45.bulehero.in tcp

Files

memory/2556-54-0x0000000000400000-0x00000000007D8000-memory.dmp

C:\Windows\scvsots.exe

MD5 fd409d4d20e580215c1ec0803eed9725
SHA1 02f9cf94ed6ab9e780755215857c9ba0a3e25065
SHA256 483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79
SHA512 253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38

memory/2180-57-0x0000000000400000-0x00000000007D8000-memory.dmp

memory/2556-58-0x0000000000400000-0x00000000007D8000-memory.dmp

\Windows\Temp\Networks\taskmgr.exe

MD5 458a2b86b2c610cc66b3aa081c45584b
SHA1 1771b2d47e29076ef9caaadc520cd3f73cbcbae2
SHA256 ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e
SHA512 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

C:\Windows\Temp\Networks\taskmgr.exe

MD5 458a2b86b2c610cc66b3aa081c45584b
SHA1 1771b2d47e29076ef9caaadc520cd3f73cbcbae2
SHA256 ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e
SHA512 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

C:\Windows\TEMP\Networks\config.json

MD5 490fb7bd62699dadef26dac8e88eefa3
SHA1 e4bf283392140ab9c01fbb2fae68a078c17d78e5
SHA256 f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04
SHA512 911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

memory/2180-65-0x0000000000400000-0x00000000007D8000-memory.dmp

memory/2180-66-0x0000000000400000-0x00000000007D8000-memory.dmp

C:\Windows\Temp\wimnat.exe

MD5 2334bb8baf5e062683d8ec67b7ac531e
SHA1 5419ddccabaa0a0b98fd6783c8341012c40db522
SHA256 6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e
SHA512 ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

\Windows\Temp\wimnat.exe

MD5 2334bb8baf5e062683d8ec67b7ac531e
SHA1 5419ddccabaa0a0b98fd6783c8341012c40db522
SHA256 6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e
SHA512 ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

memory/2692-92-0x0000000010000000-0x0000000010008000-memory.dmp

C:\Windows\TEMP\wimnat.exe

MD5 2334bb8baf5e062683d8ec67b7ac531e
SHA1 5419ddccabaa0a0b98fd6783c8341012c40db522
SHA256 6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e
SHA512 ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

C:\Windows\SysWOW64\ooaaya.exe

MD5 2334bb8baf5e062683d8ec67b7ac531e
SHA1 5419ddccabaa0a0b98fd6783c8341012c40db522
SHA256 6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e
SHA512 ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8

C:\Windows\Temp\Networks\config.json

MD5 490fb7bd62699dadef26dac8e88eefa3
SHA1 e4bf283392140ab9c01fbb2fae68a078c17d78e5
SHA256 f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04
SHA512 911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936

\Windows\Temp\opperce.exe

MD5 a7195beae808ba6cd4e4e373f4b540ed
SHA1 16ee2c2da78116fe3a08aeef07b25df4455a5736
SHA256 bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614
SHA512 6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3

C:\Windows\Temp\opperce.exe

MD5 a7195beae808ba6cd4e4e373f4b540ed
SHA1 16ee2c2da78116fe3a08aeef07b25df4455a5736
SHA256 bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614
SHA512 6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3

C:\Windows\TEMP\opperce.exe

MD5 a7195beae808ba6cd4e4e373f4b540ed
SHA1 16ee2c2da78116fe3a08aeef07b25df4455a5736
SHA256 bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614
SHA512 6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3

C:\Windows\SysWOW64\zmtrwm.exe

MD5 a7195beae808ba6cd4e4e373f4b540ed
SHA1 16ee2c2da78116fe3a08aeef07b25df4455a5736
SHA256 bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614
SHA512 6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3

C:\Windows\InfusedAppe\LocalService\svchost.xml

MD5 09d45ae26830115fd8d9cdc2aa640ca5
SHA1 41a6ad8d88b6999ac8a3ff00dd9641a37ee20933
SHA256 cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de
SHA512 1a97f62f76f6f5a7b668eadb55f08941b1d8dfed4a28c4d7a4f2494ff57e998407ec2d0fedaf7f670eb541b1fda40ca5e429d4d2a87007ec45ea5d10abd93aa5

C:\Windows\InfusedAppe\LocalService\spoolsrv.xml

MD5 497080fed2000e8b49ee2e97e54036b1
SHA1 4af3fae881a80355dd09df6e736203c30c4faac5
SHA256 756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380
SHA512 4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df

memory/2180-237-0x0000000000400000-0x00000000007D8000-memory.dmp

C:\Windows\ime\scvsots.exe

MD5 fd409d4d20e580215c1ec0803eed9725
SHA1 02f9cf94ed6ab9e780755215857c9ba0a3e25065
SHA256 483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79
SHA512 253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38

C:\Windows\IME\scvsots.exe

MD5 fd409d4d20e580215c1ec0803eed9725
SHA1 02f9cf94ed6ab9e780755215857c9ba0a3e25065
SHA256 483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79
SHA512 253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38

memory/2960-245-0x0000000000400000-0x00000000007D8000-memory.dmp

C:\Windows\TEMP\Networks\taskmgr.exe

MD5 458a2b86b2c610cc66b3aa081c45584b
SHA1 1771b2d47e29076ef9caaadc520cd3f73cbcbae2
SHA256 ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e
SHA512 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac

memory/2960-247-0x0000000000400000-0x00000000007D8000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

21s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\glash.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\glash.exe

"C:\Users\Admin\AppData\Local\Temp\glash.exe"

Network

N/A

Files

memory/2168-54-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2168-55-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2168-56-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

23s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ted.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ted.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ted.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ted.exe

"C:\Users\Admin\AppData\Local\Temp\ted.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mydocuments1.is udp

Files

memory/312-54-0x0000000074B50000-0x00000000750FB000-memory.dmp

memory/312-55-0x0000000074B50000-0x00000000750FB000-memory.dmp

memory/312-56-0x0000000000A90000-0x0000000000AD0000-memory.dmp

memory/312-57-0x0000000074B50000-0x00000000750FB000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

22s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\v72d8z2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\v72d8z2.exe

"C:\Users\Admin\AppData\Local\Temp\v72d8z2.exe"

Network

N/A

Files

memory/1876-54-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/1876-55-0x0000000000400000-0x0000000000515000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

13s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Windows\SysWOW64\WerFault.exe
PID 2364 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Windows\SysWOW64\WerFault.exe
PID 2364 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Windows\SysWOW64\WerFault.exe
PID 2364 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 560

Network

N/A

Files

memory/2364-53-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

memory/2364-54-0x0000000074420000-0x0000000074B0E000-memory.dmp

memory/2364-55-0x00000000048B0000-0x00000000048F0000-memory.dmp

memory/2364-56-0x0000000074420000-0x0000000074B0E000-memory.dmp

memory/2364-57-0x00000000048B0000-0x00000000048F0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

23s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Terracotta.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Terracotta.exe

"C:\Users\Admin\AppData\Local\Temp\Terracotta.exe"

Network

N/A

Files

memory/2988-54-0x0000000000050000-0x0000000000051000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

44s

Max time network

19s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2080 set thread context of 1272 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 1872 set thread context of 1272 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmstp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 1872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1272 wrote to memory of 1872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1272 wrote to memory of 1872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1272 wrote to memory of 1872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1272 wrote to memory of 1872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1272 wrote to memory of 1872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1272 wrote to memory of 1872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1872 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\bin.exe

"C:\Users\Admin\AppData\Local\Temp\bin.exe"

C:\Windows\SysWOW64\autofmt.exe

"C:\Windows\SysWOW64\autofmt.exe"

C:\Windows\SysWOW64\cmstp.exe

"C:\Windows\SysWOW64\cmstp.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"

Network

N/A

Files

memory/2080-54-0x0000000000A70000-0x0000000000D73000-memory.dmp

memory/1272-56-0x0000000000010000-0x0000000000020000-memory.dmp

memory/2080-55-0x0000000000E00000-0x0000000000E2A000-memory.dmp

memory/2080-57-0x0000000000190000-0x00000000001A4000-memory.dmp

memory/1272-58-0x00000000045A0000-0x000000000466F000-memory.dmp

memory/1872-59-0x0000000000FE0000-0x0000000000FF8000-memory.dmp

memory/1872-60-0x0000000000FE0000-0x0000000000FF8000-memory.dmp

memory/1872-61-0x00000000000D0000-0x00000000000FA000-memory.dmp

memory/1872-62-0x0000000000B90000-0x0000000000E93000-memory.dmp

memory/1272-63-0x00000000045A0000-0x000000000466F000-memory.dmp

memory/1872-65-0x0000000000960000-0x00000000009F3000-memory.dmp

memory/1872-66-0x00000000000D0000-0x00000000000FA000-memory.dmp

memory/1272-67-0x0000000006AD0000-0x0000000006BFE000-memory.dmp

memory/1272-68-0x0000000006AD0000-0x0000000006BFE000-memory.dmp

memory/1272-70-0x0000000006AD0000-0x0000000006BFE000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

22s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stealedd517v2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stealedd517v2.exe

"C:\Users\Admin\AppData\Local\Temp\stealedd517v2.exe"

Network

N/A

Files

memory/2468-54-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2468-55-0x0000000000400000-0x0000000000521000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

21s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\steel.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\steel.exe

"C:\Users\Admin\AppData\Local\Temp\steel.exe"

Network

N/A

Files

memory/2084-54-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2084-55-0x0000000000400000-0x00000000004A4000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

18s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bg.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bg.exe

"C:\Users\Admin\AppData\Local\Temp\bg.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ʱ.org udp

Files

memory/1136-53-0x00000000741F0000-0x00000000748DE000-memory.dmp

memory/1136-54-0x00000000013C0000-0x0000000001476000-memory.dmp

memory/1136-55-0x0000000006F90000-0x0000000007120000-memory.dmp

memory/1136-56-0x00000000009D0000-0x0000000000A10000-memory.dmp

memory/1136-57-0x00000000002A0000-0x00000000002C2000-memory.dmp

memory/1136-58-0x00000000741F0000-0x00000000748DE000-memory.dmp

memory/1136-59-0x00000000009D0000-0x0000000000A10000-memory.dmp

memory/1136-60-0x00000000741F0000-0x00000000748DE000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

30s

Max time network

19s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3000 set thread context of 2240 N/A C:\Users\Admin\AppData\Local\Temp\ej.exe C:\Users\Admin\AppData\Local\Temp\ej.exe
PID 2240 set thread context of 1284 N/A C:\Users\Admin\AppData\Local\Temp\ej.exe C:\Windows\Explorer.EXE
PID 2240 set thread context of 1284 N/A C:\Users\Admin\AppData\Local\Temp\ej.exe C:\Windows\Explorer.EXE
PID 2824 set thread context of 1284 N/A C:\Windows\SysWOW64\control.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ej.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ej.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ej.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ej.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\control.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ej.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ej.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ej.exe

"C:\Users\Admin\AppData\Local\Temp\ej.exe"

C:\Users\Admin\AppData\Local\Temp\ej.exe

C:\Users\Admin\AppData\Local\Temp\ej.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\SysWOW64\control.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\ej.exe"

Network

N/A

Files

Analysis: behavioral19

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

20s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe"

Signatures

Azorult

trojan infostealer azorult

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe

"C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 frontrabot.info udp
US 8.8.8.8:53 frontrabot.info udp

Files

C:\Users\Admin\AppData\Local\Turbo.net\Sandbox\GOVNO\8.4.1.1\xsandbox.bin

MD5 ec3d19e8e9b05d025cb56c2a98ead8e7
SHA1 748532edeb86496c8efe5e2327501d89ec1f13df
SHA256 edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4
SHA512 175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

memory/2164-119-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2164-121-0x0000000076C80000-0x0000000076D90000-memory.dmp

memory/2164-122-0x00000000009C0000-0x0000000000D0A000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

40s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shit.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\shit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\shit.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\shit.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\shit.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\shit.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\shit.exe

"C:\Users\Admin\AppData\Local\Temp\shit.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\259481735.bat" "C:\Users\Admin\AppData\Local\Temp\shit.exe" "

Network

Country Destination Domain Proto
RU 185.222.202.114:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\259481735.bat

MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Analysis: behavioral30

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

21s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update_z.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\update_z.exe

"C:\Users\Admin\AppData\Local\Temp\update_z.exe"

Network

N/A

Files

memory/2464-53-0x0000000000400000-0x0000000000480000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

20s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Builder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

23s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\POVOFJYqCoZfOoPkWOsSBcVYWIu.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\POVOFJYqCoZfOoPkWOsSBcVYWIu.exe

"C:\Users\Admin\AppData\Local\Temp\POVOFJYqCoZfOoPkWOsSBcVYWIu.exe"

Network

N/A

Files

Analysis: behavioral9

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

13s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Zver.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Zver.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Zver.exe C:\Windows\SysWOW64\WerFault.exe
PID 2388 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Zver.exe C:\Windows\SysWOW64\WerFault.exe
PID 2388 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Zver.exe C:\Windows\SysWOW64\WerFault.exe
PID 2388 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Zver.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Zver.exe

"C:\Users\Admin\AppData\Local\Temp\Zver.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 564

Network

N/A

Files

Analysis: behavioral10

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

28s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2492 set thread context of 856 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Users\Admin\AppData\Local\Temp\a.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

Network

Country Destination Domain Proto
SE 194.68.59.44:9074 tcp
SE 194.68.59.44:9074 tcp
SE 194.68.59.44:9074 tcp
SE 194.68.59.44:9074 tcp
SE 194.68.59.44:9074 tcp

Files

Analysis: behavioral29

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

22s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update_b.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\update_b.exe

"C:\Users\Admin\AppData\Local\Temp\update_b.exe"

Network

N/A

Files

memory/2192-53-0x0000000000400000-0x0000000000480000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

17s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe"

Signatures

Azorult

trojan infostealer azorult

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe

"C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 frontrabot.info udp
US 8.8.8.8:53 frontrabot.info udp

Files

C:\Users\Admin\AppData\Local\Turbo.net\Sandbox\GOVNO\8.4.1.1\xsandbox.bin

MD5 ec3d19e8e9b05d025cb56c2a98ead8e7
SHA1 748532edeb86496c8efe5e2327501d89ec1f13df
SHA256 edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4
SHA512 175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

memory/2372-119-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2372-121-0x0000000077510000-0x0000000077620000-memory.dmp

memory/2372-122-0x0000000000930000-0x0000000000C7A000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

38s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ktg.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ktg.exe

"C:\Users\Admin\AppData\Local\Temp\ktg.exe"

Network

N/A

Files

memory/2228-54-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2228-55-0x0000000000400000-0x000000000048E000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

15s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ss.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url C:\Users\Admin\AppData\Local\Temp\ss.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2688 set thread context of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ss.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2688 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2688 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2688 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1916 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1916 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1916 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1916 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2688 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2616 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 3060 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ss.exe

"C:\Users\Admin\AppData\Local\Temp\ss.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC4D.tmp" "c:\Users\Admin\AppData\Local\Temp\traigy22\CSC78D03A35B7984DF6A7F03117A8B1DFFB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\259446729.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "

Network

N/A

Files

memory/2688-54-0x00000000008A0000-0x00000000008FE000-memory.dmp

memory/2688-55-0x0000000074130000-0x000000007481E000-memory.dmp

memory/2688-56-0x0000000000810000-0x0000000000850000-memory.dmp

memory/2688-57-0x00000000001F0000-0x00000000001F8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.cmdline

MD5 21abb1e56326228edcd5bb5be040110c
SHA1 a2909111f5931db17748529b7565c458a78c9884
SHA256 820b0969fc10287878289d67337872449403ae59ec6c4976c54302b8266bb9e2
SHA512 30b6b4668041a7980ad9464fd38a1bc084d1ad41bfc40193ad534b7f84ded05a624599fb771f7a975fd71ffc23068f90f7a970ea6482f92293e1950207d9f8c1

\??\c:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.0.cs

MD5 be3ee94e0df736f6079cf3f82039b9b9
SHA1 b1e5a6f2cf3790dd17e19dbe9d4f881b7922c817
SHA256 44b89526f2f795feff6e5c6762e55466699f8e6b09f74aff7968b94c1249e1fd
SHA512 655b49fcd792823219e5381e2e232606e86296d46e8b6b37c1c2656eb98927bce532aca4179584a595b00c612c569ee870da00a5f8684cb461d2a29d948aedb7

\??\c:\Users\Admin\AppData\Local\Temp\traigy22\CSC78D03A35B7984DF6A7F03117A8B1DFFB.TMP

MD5 e10a9737bef7b773cdb882880be67d01
SHA1 12ea760cd7650c709e0721a5426066ebb41ead05
SHA256 d9ac258e58a435cd703b9593d951e9b194810d425fb2b5cb215cdb0a9430c6af
SHA512 695fd374a5ece2ff5695156003bde2b6d125febfedd9fd7181f551b6479d9e63f48cbe19185e8dc536aea7c803e8c65d6b5463eacd83ab89aba73f221f2b2416

C:\Users\Admin\AppData\Local\Temp\RESBC4D.tmp

MD5 59813bc7aa219b3ef2948d4a941855c1
SHA1 8869c3383a92e88d4d315278020137f45d62807c
SHA256 358382c169d7534361a663728db1f347f60b0a1bc872e8c5cefac61b808cccf7
SHA512 a9c6bd411423d5d196996da95ac512425509c5256d6f25f5077a565f7fd22c8ba1b78a294991ed6ab22e4b929def8c13eed0986a397c317ededc01e899604f5d

C:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.dll

MD5 ba381278aac27444670bef56e3318fa9
SHA1 4895543d6548cab0b6822c3772fb81032998c65b
SHA256 0f9de8452cb226183eb90e291dcaf90fc9e53e681e875107cb44ece721c22d52
SHA512 d2c91cee6af3b7a04ae0e8439a06ba98fc2635cd528366549a74be8d70af409820d6ecd0369cf411828ba7435c18656cc9db0fbccab05f546325285d963126bc

C:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.pdb

MD5 7e4c9c63fb43c38f20030d053991f891
SHA1 800752c72739dcc64924fc03c9d648871df3bab0
SHA256 b5dc5baf8b8577b9fdb704da3af6654c19d2ca1586150ae54469f0be534418a9
SHA512 30554be574af975618b5ed4e3c8592bd7cad0d67e6b4bb09eba2e39fc55f6e7be4df25db65349fd2c484aa04ec118fea35e66473c853360d665a5ac1779aabfc

C:\Users\Admin\AppData\Local\Temp\259446729.bat

MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

memory/2616-97-0x0000000000420000-0x0000000000487000-memory.dmp

memory/2616-98-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

29s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1221.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3060 set thread context of 2580 N/A C:\Users\Admin\AppData\Local\Temp\1221.exe C:\Users\Admin\AppData\Local\Temp\1221.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1221.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1221.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1221.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1221.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1221.exe

"C:\Users\Admin\AppData\Local\Temp\1221.exe"

C:\Users\Admin\AppData\Local\Temp\1221.exe

"C:\Users\Admin\AppData\Local\Temp\1221.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 botnet.americaircairmakan.com udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4219371764-2579186923-3390623117-1000\0f5007522459c86e95ffcc62f32308f1_a858d4fe-e318-4442-a90a-f02c78216cd3

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Analysis: behavioral11

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

31s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe"

Signatures

Pony, Fareit

rat spyware stealer pony

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe

"C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\259460457.bat" "C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe" "

Network

Country Destination Domain Proto
RU 185.222.202.114:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\259460457.bat

MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Analysis: behavioral16

Detonation Overview

Submitted

2023-08-13 18:33

Reported

2023-08-13 18:34

Platform

win7-20230712-en

Max time kernel

36s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fban4.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs" C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fban4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fban4.exe

"C:\Users\Admin\AppData\Local\Temp\fban4.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs

MD5 61303679134d10e8f1f35236fec661e6
SHA1 ed31726523d21be75c47e699eec4b76aeaa376d5
SHA256 047c78d7dbb5709dc8eee29b69d2a42aebe9249723105a56b8689c4657cb5331
SHA512 8fe11c1e624fbbc600f0402514b67f1b61c5123eba826bb50113858b96f283792cc9defdf1aa5c101c64e8ef65c0dd9ed6032debcb6f94dcbf8fcde90f2c3610

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe

MD5 b71a202427c3900cf14b4f0226883074
SHA1 a44ccbf7f1f59986075dad8b31b11ba69c12e00c
SHA256 c8be7b87eaf410f1eb7de57f7050f9435103b9a07a1e6579cf606ce4b868bada
SHA512 9b5f826fa0c4872d98409a66704d279e55931897853a73b9737e8acd8f2b368ba538fd0ec9844911ca1eebe9afb43402f13544db95c60ff72aa98ab2bff3bdb1