Analysis Overview
SHA256
0955083a248cff54f8944f0ee729bf4a59ab594bd7288b2c0247175d1756e717
Threat Level: Known bad
The file njnj.zip was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Netwire
NanoCore
njRAT/Bladabindi
NetWire RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Modifies Installed Components in the registry
VMProtect packed file
Reads user/profile data of web browsers
Drops startup file
UPX packed file
Identifies Wine through registry keys
Executes dropped EXE
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Looks up external IP address via web service
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-07 19:36
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
151s
Max time network
128s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dba12db5b44e3a4e6c7aeb23c5e2e680.exe | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dba12db5b44e3a4e6c7aeb23c5e2e680.exe | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\dba12db5b44e3a4e6c7aeb23c5e2e680 = "\"C:\\Users\\Admin\\AppData\\Roaming\\NexonPlug.exe\" .." | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dba12db5b44e3a4e6c7aeb23c5e2e680 = "\"C:\\Users\\Admin\\AppData\\Roaming\\NexonPlug.exe\" .." | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NexonPlug.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe
"C:\Users\Admin\AppData\Local\Temp\a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e.exe"
C:\Users\Admin\AppData\Roaming\NexonPlug.exe
"C:\Users\Admin\AppData\Roaming\NexonPlug.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\NexonPlug.exe" "NexonPlug.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rladnsdud2.codns.com | udp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
| N/A | 127.0.0.1:5050 | N/A | tcp |
Files
memory/2348-0-0x0000000000400000-0x00000000005E6000-memory.dmp
memory/2348-1-0x0000000077E10000-0x0000000077E12000-memory.dmp
memory/2348-2-0x00000000777C0000-0x00000000778B0000-memory.dmp
memory/2348-3-0x0000000075A30000-0x0000000075AFC000-memory.dmp
memory/2348-5-0x00000000756F0000-0x00000000756F9000-memory.dmp
memory/2348-6-0x0000000000400000-0x00000000005E6000-memory.dmp
memory/2348-4-0x0000000075590000-0x00000000755DA000-memory.dmp
memory/2348-7-0x0000000074F60000-0x000000007550B000-memory.dmp
memory/2348-8-0x0000000074F60000-0x000000007550B000-memory.dmp
memory/2348-9-0x0000000004240000-0x0000000004280000-memory.dmp
memory/2348-11-0x0000000074EB0000-0x0000000074EBB000-memory.dmp
memory/2348-10-0x0000000074F60000-0x000000007550B000-memory.dmp
memory/2348-12-0x0000000074F60000-0x000000007550B000-memory.dmp
memory/2348-13-0x0000000074D40000-0x0000000074DC0000-memory.dmp
memory/2348-16-0x0000000075590000-0x00000000755DA000-memory.dmp
memory/2348-17-0x0000000075CA0000-0x0000000075D23000-memory.dmp
memory/2348-15-0x00000000777C0000-0x00000000778B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\NexonPlug.exe
| MD5 | d2aca4967231eb63f091ddadb9a364de |
| SHA1 | 9fd9ff93b6b9905f4400df11b1e8d260e3ba3954 |
| SHA256 | a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e |
| SHA512 | 104f3da39fc6ad08fbf62d076d8f246278e5af61b3a8f64275be1d9103b49b118cfcb367edb76cdd968351439f70b21335b16f867f75c9313224d75bc375e5b2 |
C:\Users\Admin\AppData\Roaming\NexonPlug.exe
| MD5 | d2aca4967231eb63f091ddadb9a364de |
| SHA1 | 9fd9ff93b6b9905f4400df11b1e8d260e3ba3954 |
| SHA256 | a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e |
| SHA512 | 104f3da39fc6ad08fbf62d076d8f246278e5af61b3a8f64275be1d9103b49b118cfcb367edb76cdd968351439f70b21335b16f867f75c9313224d75bc375e5b2 |
\Users\Admin\AppData\Roaming\NexonPlug.exe
| MD5 | d2aca4967231eb63f091ddadb9a364de |
| SHA1 | 9fd9ff93b6b9905f4400df11b1e8d260e3ba3954 |
| SHA256 | a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e |
| SHA512 | 104f3da39fc6ad08fbf62d076d8f246278e5af61b3a8f64275be1d9103b49b118cfcb367edb76cdd968351439f70b21335b16f867f75c9313224d75bc375e5b2 |
memory/2348-21-0x0000000074F60000-0x000000007550B000-memory.dmp
\Users\Admin\AppData\Roaming\NexonPlug.exe
| MD5 | d2aca4967231eb63f091ddadb9a364de |
| SHA1 | 9fd9ff93b6b9905f4400df11b1e8d260e3ba3954 |
| SHA256 | a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e |
| SHA512 | 104f3da39fc6ad08fbf62d076d8f246278e5af61b3a8f64275be1d9103b49b118cfcb367edb76cdd968351439f70b21335b16f867f75c9313224d75bc375e5b2 |
memory/2348-27-0x0000000075D30000-0x0000000075ECD000-memory.dmp
memory/2348-28-0x0000000007520000-0x0000000007706000-memory.dmp
memory/2348-30-0x0000000004240000-0x0000000004280000-memory.dmp
memory/2348-29-0x00000000725E0000-0x000000007260E000-memory.dmp
memory/2348-32-0x0000000000400000-0x00000000005E6000-memory.dmp
memory/2348-34-0x0000000075590000-0x00000000755DA000-memory.dmp
memory/2348-36-0x0000000075A30000-0x0000000075AFC000-memory.dmp
memory/2348-39-0x0000000074D40000-0x0000000074DC0000-memory.dmp
memory/2348-40-0x0000000072490000-0x000000007249E000-memory.dmp
memory/2348-42-0x0000000074F60000-0x000000007550B000-memory.dmp
memory/2348-43-0x0000000074F60000-0x000000007550B000-memory.dmp
memory/2348-44-0x0000000075D30000-0x0000000075ECD000-memory.dmp
memory/2348-41-0x0000000075CA0000-0x0000000075D23000-memory.dmp
memory/2348-38-0x0000000071DC0000-0x00000000721CB000-memory.dmp
memory/2348-37-0x00000000725E0000-0x000000007260E000-memory.dmp
memory/2348-35-0x00000000756F0000-0x00000000756F9000-memory.dmp
memory/2348-33-0x00000000777C0000-0x00000000778B0000-memory.dmp
memory/2348-45-0x0000000074EB0000-0x0000000074EBB000-memory.dmp
memory/2568-47-0x0000000075A30000-0x0000000075AFC000-memory.dmp
C:\Users\Admin\AppData\Roaming\NexonPlug.exe
| MD5 | d2aca4967231eb63f091ddadb9a364de |
| SHA1 | 9fd9ff93b6b9905f4400df11b1e8d260e3ba3954 |
| SHA256 | a61687ff536199e54b82ceaaf5ab98319bd5d8cefad605382467927b62e0d74e |
| SHA512 | 104f3da39fc6ad08fbf62d076d8f246278e5af61b3a8f64275be1d9103b49b118cfcb367edb76cdd968351439f70b21335b16f867f75c9313224d75bc375e5b2 |
memory/2568-48-0x0000000000400000-0x00000000005E6000-memory.dmp
memory/2568-50-0x0000000074F10000-0x00000000754BB000-memory.dmp
memory/2568-51-0x0000000074F10000-0x00000000754BB000-memory.dmp
memory/2568-52-0x00000000043D0000-0x0000000004410000-memory.dmp
memory/2568-46-0x00000000777C0000-0x00000000778B0000-memory.dmp
memory/2568-55-0x00000000755D0000-0x00000000755D9000-memory.dmp
memory/2568-56-0x00000000756F0000-0x00000000756FB000-memory.dmp
memory/2568-53-0x0000000074D20000-0x0000000074DA0000-memory.dmp
memory/2568-54-0x0000000075540000-0x000000007558A000-memory.dmp
memory/2568-57-0x0000000000400000-0x00000000005E6000-memory.dmp
memory/2568-60-0x0000000075A30000-0x0000000075AFC000-memory.dmp
memory/2568-59-0x00000000777C0000-0x00000000778B0000-memory.dmp
memory/2568-62-0x0000000000400000-0x00000000005E6000-memory.dmp
memory/2568-63-0x0000000074F10000-0x00000000754BB000-memory.dmp
memory/2568-64-0x0000000074F10000-0x00000000754BB000-memory.dmp
memory/2568-65-0x00000000043D0000-0x0000000004410000-memory.dmp
memory/2568-66-0x0000000074D20000-0x0000000074DA0000-memory.dmp
memory/2568-67-0x0000000075540000-0x000000007558A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e27466c5b95ff431a99d3481615164.exe | C:\Users\Admin\AppData\Roaming\eTMMY.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90e27466c5b95ff431a99d3481615164.exe | C:\Users\Admin\AppData\Roaming\eTMMY.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eTMMY.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\90e27466c5b95ff431a99d3481615164 = "\"C:\\Users\\Admin\\AppData\\Roaming\\eTMMY.exe\" .." | C:\Users\Admin\AppData\Roaming\eTMMY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\90e27466c5b95ff431a99d3481615164 = "\"C:\\Users\\Admin\\AppData\\Roaming\\eTMMY.exe\" .." | C:\Users\Admin\AppData\Roaming\eTMMY.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eTMMY.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eTMMY.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d.exe
"C:\Users\Admin\AppData\Local\Temp\a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\23791462.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\346799621.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\8551343.xml"
C:\Users\Admin\AppData\Roaming\eTMMY.exe
"C:\Users\Admin\AppData\Roaming\eTMMY.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\841839415.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\693988075.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\524863936.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1545423762.xml"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\eTMMY.exe" "eTMMY.exe" ENABLE
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1369208690.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1012812797.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1075572941.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2096132767.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1156480700.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1757884489.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1169604313.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\581324137.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1953255854.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\55804105.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\657207894.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1445883437.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1628131189.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1878163087.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2060410839.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1120758772.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\883850487.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2091682067.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\896974100.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\727849961.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\20082177.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1998441685.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1410161509.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1592409261.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\233601157.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2024688911.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\59453016.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1267284596.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1449532348.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2118720283.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1881811998.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1293531822.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\353879755.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1306655435.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\367003368.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1319779048.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1569810946.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1752058698.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\812406631.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\643282492.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\825530244.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1007777996.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\419497820.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2046485437.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1690089544.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1101809368.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\513529192.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1833757447.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1245477271.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\50769304.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1609972775.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\251164671.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1810368142.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\376684959.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1584516539.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1766764291.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\520352862.xml"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Delete /TN "Update\Update" /F
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2079556333.xml"
Network
| Country | Destination | Domain | Proto |
| FR | 212.83.167.116:1604 | | tcp |
| FR | 212.83.167.116:1604 | | tcp |
| FR | 212.83.167.116:1604 | | tcp |
| FR | 212.83.167.116:1604 | | tcp |
| FR | 212.83.167.116:1604 | | tcp |
| FR | 212.83.167.116:1604 | | tcp |
Files
memory/2172-0-0x0000000074380000-0x000000007492B000-memory.dmp
memory/2172-1-0x0000000074380000-0x000000007492B000-memory.dmp
memory/2172-2-0x0000000002040000-0x0000000002080000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\23791462.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\346799621.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\8551343.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
memory/2172-13-0x0000000074380000-0x000000007492B000-memory.dmp
\Users\Admin\AppData\Roaming\eTMMY.exe
| MD5 | 0dd5d8ff4fa87c8ef8473493a3634021 |
| SHA1 | 8bf0f5b86de710213be1cc25c9d866bb8a10d1ed |
| SHA256 | a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d |
| SHA512 | 6401b2d565e6f5a436c46a9c39198e2c39c6001ab423fcf1e9ba5be049785ecd7a6772f184b322004aabe99d197c85eb227a072fc892a9c3afddd0422bdedfdc |
\Users\Admin\AppData\Roaming\eTMMY.exe
| MD5 | 0dd5d8ff4fa87c8ef8473493a3634021 |
| SHA1 | 8bf0f5b86de710213be1cc25c9d866bb8a10d1ed |
| SHA256 | a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d |
| SHA512 | 6401b2d565e6f5a436c46a9c39198e2c39c6001ab423fcf1e9ba5be049785ecd7a6772f184b322004aabe99d197c85eb227a072fc892a9c3afddd0422bdedfdc |
C:\Users\Admin\AppData\Roaming\eTMMY.exe
| MD5 | 0dd5d8ff4fa87c8ef8473493a3634021 |
| SHA1 | 8bf0f5b86de710213be1cc25c9d866bb8a10d1ed |
| SHA256 | a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d |
| SHA512 | 6401b2d565e6f5a436c46a9c39198e2c39c6001ab423fcf1e9ba5be049785ecd7a6772f184b322004aabe99d197c85eb227a072fc892a9c3afddd0422bdedfdc |
C:\Users\Admin\AppData\Roaming\eTMMY.exe
| MD5 | 0dd5d8ff4fa87c8ef8473493a3634021 |
| SHA1 | 8bf0f5b86de710213be1cc25c9d866bb8a10d1ed |
| SHA256 | a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d |
| SHA512 | 6401b2d565e6f5a436c46a9c39198e2c39c6001ab423fcf1e9ba5be049785ecd7a6772f184b322004aabe99d197c85eb227a072fc892a9c3afddd0422bdedfdc |
C:\Users\Admin\AppData\Roaming\eTMMY.exe
| MD5 | 0dd5d8ff4fa87c8ef8473493a3634021 |
| SHA1 | 8bf0f5b86de710213be1cc25c9d866bb8a10d1ed |
| SHA256 | a97144cc0cdbe2afd1bbd52fa623a5e2381ee18f46064d7964a2391f2ee3578d |
| SHA512 | 6401b2d565e6f5a436c46a9c39198e2c39c6001ab423fcf1e9ba5be049785ecd7a6772f184b322004aabe99d197c85eb227a072fc892a9c3afddd0422bdedfdc |
memory/3032-24-0x0000000074380000-0x000000007492B000-memory.dmp
memory/3032-25-0x00000000022F0000-0x0000000002330000-memory.dmp
memory/2172-23-0x0000000074380000-0x000000007492B000-memory.dmp
memory/3032-26-0x0000000074380000-0x000000007492B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Update.txt
| MD5 | ed6a5bfafc7f8c8362a14949a2fbf107 |
| SHA1 | 0fe14fbe7ce78250037b6611e4cfea04fee59c1c |
| SHA256 | 5aaac9147312ceb189ef7da5a52993108b08eb42643ef113accdb176d09b399b |
| SHA512 | 6cd8b6302db00349c0e5943480578f9515e44acbe39c9a83f68a748113dc980e7e3b17f609fcb41b149bd111181c001f30b7b5a9ff880ef1102b3eb571a1fa75 |
C:\Users\Admin\AppData\Local\Temp\841839415.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\693988075.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\693988075.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\524863936.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1545423762.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\Update.txt
| MD5 | ed6a5bfafc7f8c8362a14949a2fbf107 |
| SHA1 | 0fe14fbe7ce78250037b6611e4cfea04fee59c1c |
| SHA256 | 5aaac9147312ceb189ef7da5a52993108b08eb42643ef113accdb176d09b399b |
| SHA512 | 6cd8b6302db00349c0e5943480578f9515e44acbe39c9a83f68a748113dc980e7e3b17f609fcb41b149bd111181c001f30b7b5a9ff880ef1102b3eb571a1fa75 |
C:\Users\Admin\AppData\Local\Temp\1369208690.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
memory/3032-44-0x0000000074380000-0x000000007492B000-memory.dmp
memory/3032-45-0x00000000022F0000-0x0000000002330000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1012812797.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1075572941.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\2096132767.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1156480700.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1757884489.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1169604313.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\581324137.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1953255854.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\55804105.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\657207894.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1445883437.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1628131189.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1878163087.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\2060410839.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1120758772.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\883850487.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\2091682067.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\896974100.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\727849961.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\20082177.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1998441685.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1410161509.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1592409261.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\2024688911.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\59453016.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1267284596.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1449532348.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\2118720283.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1881811998.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1293531822.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\353879755.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1306655435.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\367003368.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1319779048.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1569810946.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1752058698.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\812406631.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\643282492.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\825530244.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1007777996.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\419497820.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\2046485437.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1690089544.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1101809368.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\513529192.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1833757447.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1245477271.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\50769304.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1609972775.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\251164671.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
C:\Users\Admin\AppData\Local\Temp\1810368142.xml
| MD5 | 1a352c693ea879dac425fd5c2d2aa80b |
| SHA1 | 244b6cab4ebfcb57ec903fada67125368602df6f |
| SHA256 | 12c1e759c5fd9479ca77acac4a485dfad44987d764b67edacae0a476cefc9a83 |
| SHA512 | 21938b9c063de58c0bd7c7fe6d96f75cf82af611d36df0be20a098c7fafff0d67375ee5778c17129cebdaf4fdd54d0944aafa5ff8c5b3903d4579d23c48f02a9 |
Analysis: behavioral7
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:40
Platform
win7-20230831-en
Max time kernel
151s
Max time network
147s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c2dca75fffcc6fbac3b29081dab8b1a0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe\" .." | C:\Users\Admin\AppData\Local\Temp\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\c2dca75fffcc6fbac3b29081dab8b1a0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe\" .." | C:\Users\Admin\AppData\Local\Temp\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe
"C:\Users\Admin\AppData\Local\Temp\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe"
C:\Users\Admin\AppData\Local\Temp\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe
"C:\Users\Admin\AppData\Local\Temp\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe" "b4a1e3f5635e6ca1f2885f92655ae24f95a0b4dbb4d7bd8ba94fb8874ab84831.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 192.210.146.60:2222 | | tcp |
| US | 192.210.146.60:2222 | | tcp |
| US | 192.210.146.60:2222 | | tcp |
| US | 192.210.146.60:2222 | | tcp |
| US | 192.210.146.60:2222 | | tcp |
| US | 192.210.146.60:2222 | | tcp |
Files
memory/3052-2-0x0000000000240000-0x0000000000246000-memory.dmp
memory/3052-3-0x0000000000240000-0x0000000000246000-memory.dmp
memory/2624-4-0x0000000000020000-0x0000000000038000-memory.dmp
memory/2624-5-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2624-8-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2624-15-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2624-16-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2624-18-0x00000000005B0000-0x00000000005C0000-memory.dmp
memory/2624-17-0x00000000005B0000-0x00000000005C0000-memory.dmp
memory/2624-19-0x00000000005B0000-0x00000000005C0000-memory.dmp
memory/2624-20-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2624-21-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2624-22-0x0000000000570000-0x00000000005B0000-memory.dmp
memory/2624-23-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2624-24-0x00000000005B0000-0x00000000005C0000-memory.dmp
memory/2624-25-0x00000000005B0000-0x00000000005C0000-memory.dmp
memory/2624-26-0x00000000005B0000-0x00000000005C0000-memory.dmp
memory/2624-27-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2624-29-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2624-30-0x0000000000570000-0x00000000005B0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1.exe
"C:\Users\Admin\AppData\Local\Temp\d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
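The three signature groups in this run (a Run value whose data ends in ` ..`, a copy of the dropper named with a 32-hex string in the user's Startup folder, and a `netsh firewall add allowedprogram` exception for the same path) are the persistence set this njRAT sample writes, and the same set recurs in the other Trojan.exe / Troja1n.exe / winsec.exe runs on this page. The Python below is an added example, not sandbox output, that correlates those three event types by image path over constructed Sysmon-style records; the record field names (`type`, `process`, `key`, `data`, `path`, `cmdline`) and the benign "Vendor" row are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like the signature rows above (one Run
# value, one Startup-folder drop, one netsh exception, plus benign noise).
# Field names are an assumption of this example, not a sandbox schema.
SAMPLE_EVENTS = [
    {"type": "registry",
     "process": r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..'},
    {"type": "file",
     "process": r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
             r"\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe"},
    {"type": "process",
     "process": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram '
                r'"C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE'},
    # Benign noise (constructed): an installer under Program Files registering its updater.
    {"type": "registry",
     "process": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
HEX32 = re.compile(r"[0-9a-f]{32}", re.I)
STARTUP_COPY = re.compile(r"\\Start Menu\\Programs\\Startup\\[0-9a-f]{32}\.exe$", re.I)
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)


def image_from_run_data(data):
    """Image path from a Run value: the quoted token if present, else the first token."""
    m = re.match(r'\s*"([^"]+)"', data)
    return m.group(1) if m else data.split()[0]


def njrat_persistence_hits(events):
    """Map lowercase image path -> set of indicator names observed for it."""
    hits = defaultdict(set)
    for ev in events:
        if ev["type"] == "registry":
            m = RUN_VALUE.search(ev["key"])
            # Run value named with a 32-hex id whose data is "<path>" followed by ' ..'
            if m and HEX32.fullmatch(m.group(1)) and ev["data"].rstrip().endswith(" .."):
                hits[image_from_run_data(ev["data"]).lower()].add("run_value_dotdot")
        elif ev["type"] == "file":
            # a process running from the user profile drops <32hex>.exe into Startup
            if STARTUP_COPY.search(ev["path"]) and USER_WRITABLE.match(ev["process"]):
                hits[ev["process"].lower()].add("startup_copy")
        elif ev["type"] == "process":
            # firewall exception granted to a program living under the user profile
            m = NETSH_ALLOW.search(ev["cmdline"])
            if m and USER_WRITABLE.match(m.group(1)):
                hits[m.group(1).lower()].add("netsh_allowedprogram")
    return dict(hits)


def suspicious_images(events, min_indicators=2):
    """Images showing at least min_indicators of the three, indicators sorted."""
    return {img: sorted(ind)
            for img, ind in njrat_persistence_hits(events).items()
            if len(ind) >= min_indicators}


if __name__ == "__main__":
    for img, ind in suspicious_images(SAMPLE_EVENTS).items():
        print(img, ind)
```

Keying on the image path rather than on the process id is what lets the three rows line up: the Run value and the netsh exception both name the path, and the Startup drop is attributed to the process running from it. The benign installer row never scores because its value name is not a 32-hex id and its path is not under the user profile.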
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nazanm.zapto.org | udp |
Files
memory/2828-0-0x0000000074BC0000-0x000000007516B000-memory.dmp
memory/2828-1-0x0000000074BC0000-0x000000007516B000-memory.dmp
memory/2828-2-0x0000000002010000-0x0000000002050000-memory.dmp
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | b30238ea2be78a6b74b05d320e584890 |
| SHA1 | fb20d4cb4450d8befa217085793883b1b1568583 |
| SHA256 | d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1 |
| SHA512 | ef81fea2fad1a26f654896568d19472ef294bb1e7b050f191ade70c2579172f90fdef3f28bf30fa87ef8672a212a586f16730627deca510a17d9c19b3e8ae891 |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | b30238ea2be78a6b74b05d320e584890 |
| SHA1 | fb20d4cb4450d8befa217085793883b1b1568583 |
| SHA256 | d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1 |
| SHA512 | ef81fea2fad1a26f654896568d19472ef294bb1e7b050f191ade70c2579172f90fdef3f28bf30fa87ef8672a212a586f16730627deca510a17d9c19b3e8ae891 |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | b30238ea2be78a6b74b05d320e584890 |
| SHA1 | fb20d4cb4450d8befa217085793883b1b1568583 |
| SHA256 | d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1 |
| SHA512 | ef81fea2fad1a26f654896568d19472ef294bb1e7b050f191ade70c2579172f90fdef3f28bf30fa87ef8672a212a586f16730627deca510a17d9c19b3e8ae891 |
memory/2828-10-0x0000000074BC0000-0x000000007516B000-memory.dmp
memory/2980-12-0x0000000002190000-0x00000000021D0000-memory.dmp
memory/2980-11-0x0000000074BC0000-0x000000007516B000-memory.dmp
memory/2980-13-0x0000000074BC0000-0x000000007516B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
| MD5 | b30238ea2be78a6b74b05d320e584890 |
| SHA1 | fb20d4cb4450d8befa217085793883b1b1568583 |
| SHA256 | d5769c04e33e2b420e48cd85d8b255ba3f667305fb4b6c2f5085a674c8d939e1 |
| SHA512 | ef81fea2fad1a26f654896568d19472ef294bb1e7b050f191ade70c2579172f90fdef3f28bf30fa87ef8672a212a586f16730627deca510a17d9c19b3e8ae891 |
memory/2980-15-0x0000000074BC0000-0x000000007516B000-memory.dmp
memory/2980-16-0x0000000002190000-0x00000000021D0000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
152s
Max time network
153s
Command Line
Signatures
njRAT/Bladabindi
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upnpcont.url | C:\Users\Admin\AppData\Local\Temp\e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1192 set thread context of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5.exe
"C:\Users\Admin\AppData\Local\Temp\e740d976696b7913b1586ea19833622c972482f51e3fb30e3225c94be8cbeeb5.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| LU | 194.5.99.17:6521 | | tcp |
| LU | 194.5.99.17:6521 | | tcp |
| LU | 194.5.99.17:6521 | | tcp |
| LU | 194.5.99.17:6521 | | tcp |
Files
memory/1192-0-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/2180-2-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2180-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2180-1-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2180-9-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2180-8-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2180-10-0x00000000740F0000-0x00000000747DE000-memory.dmp
memory/2180-11-0x00000000740F0000-0x00000000747DE000-memory.dmp
memory/2180-12-0x0000000005060000-0x00000000050A0000-memory.dmp
memory/2180-16-0x0000000005060000-0x00000000050A0000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0303a5cd2dd2bd74a2a7da243e00c556.exe | C:\Users\Admin\AppData\Local\Temp\Troja1n.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0303a5cd2dd2bd74a2a7da243e00c556.exe | C:\Users\Admin\AppData\Local\Temp\Troja1n.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Troja1n.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\0303a5cd2dd2bd74a2a7da243e00c556 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Troja1n.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Troja1n.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0303a5cd2dd2bd74a2a7da243e00c556 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Troja1n.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Troja1n.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Troja1n.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Troja1n.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Troja1n.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66.exe
"C:\Users\Admin\AppData\Local\Temp\f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66.exe"
C:\Users\Admin\AppData\Local\Temp\Troja1n.exe
"C:\Users\Admin\AppData\Local\Temp\Troja1n.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Troja1n.exe" "Troja1n.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | m123.no-ip.biz | udp |
| GB | 78.159.131.121:1177 | m123.no-ip.biz | tcp |
| GB | 78.159.131.121:1177 | m123.no-ip.biz | tcp |
| GB | 78.159.131.121:1177 | m123.no-ip.biz | tcp |
| US | 8.8.8.8:53 | m123.no-ip.biz | udp |
| GB | 78.159.131.121:1177 | m123.no-ip.biz | tcp |
| GB | 78.159.131.121:1177 | m123.no-ip.biz | tcp |
| GB | 78.159.131.121:1177 | m123.no-ip.biz | tcp |
| US | 8.8.8.8:53 | m123.no-ip.biz | udp |
| GB | 78.159.131.121:1177 | m123.no-ip.biz | tcp |
Files
memory/1168-0-0x0000000074790000-0x0000000074D3B000-memory.dmp
memory/1168-1-0x0000000074790000-0x0000000074D3B000-memory.dmp
memory/1168-2-0x0000000000B90000-0x0000000000BD0000-memory.dmp
\Users\Admin\AppData\Local\Temp\Troja1n.exe
| MD5 | 96783917c067f4a74c0dd2f56643eea1 |
| SHA1 | 5a65e81d674500fac979aa8c2d854ac230bf598b |
| SHA256 | f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66 |
| SHA512 | 979a5210896e8a7405c415bf683984e8d514a9c15ca87a90c8333b5658f2e08df3ae69736e9eba74f8e35c76163f98c54ac928d21f21e5538183179d2db4b632 |
C:\Users\Admin\AppData\Local\Temp\Troja1n.exe
| MD5 | 96783917c067f4a74c0dd2f56643eea1 |
| SHA1 | 5a65e81d674500fac979aa8c2d854ac230bf598b |
| SHA256 | f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66 |
| SHA512 | 979a5210896e8a7405c415bf683984e8d514a9c15ca87a90c8333b5658f2e08df3ae69736e9eba74f8e35c76163f98c54ac928d21f21e5538183179d2db4b632 |
C:\Users\Admin\AppData\Local\Temp\Troja1n.exe
| MD5 | 96783917c067f4a74c0dd2f56643eea1 |
| SHA1 | 5a65e81d674500fac979aa8c2d854ac230bf598b |
| SHA256 | f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66 |
| SHA512 | 979a5210896e8a7405c415bf683984e8d514a9c15ca87a90c8333b5658f2e08df3ae69736e9eba74f8e35c76163f98c54ac928d21f21e5538183179d2db4b632 |
memory/2328-10-0x0000000074790000-0x0000000074D3B000-memory.dmp
memory/1168-11-0x0000000074790000-0x0000000074D3B000-memory.dmp
memory/2328-12-0x0000000000B70000-0x0000000000BB0000-memory.dmp
memory/2328-13-0x0000000074790000-0x0000000074D3B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0303a5cd2dd2bd74a2a7da243e00c556.exe
| MD5 | 96783917c067f4a74c0dd2f56643eea1 |
| SHA1 | 5a65e81d674500fac979aa8c2d854ac230bf598b |
| SHA256 | f74c4be87625e208f41572ce61c610114e3cf12c73c38cea3967f91e19107d66 |
| SHA512 | 979a5210896e8a7405c415bf683984e8d514a9c15ca87a90c8333b5658f2e08df3ae69736e9eba74f8e35c76163f98c54ac928d21f21e5538183179d2db4b632 |
memory/2328-15-0x0000000074790000-0x0000000074D3B000-memory.dmp
memory/2328-16-0x0000000000B70000-0x0000000000BB0000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
150s
Max time network
130s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1.exe
"C:\Users\Admin\AppData\Local\Temp\c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
Files
memory/1096-0-0x0000000074310000-0x00000000748BB000-memory.dmp
memory/1096-1-0x0000000074310000-0x00000000748BB000-memory.dmp
memory/1096-2-0x00000000003E0000-0x0000000000420000-memory.dmp
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 467d44fbd5546afd2fec88d34d1e8791 |
| SHA1 | 8520c2890b3a898695126e8d782d966403ea071f |
| SHA256 | c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1 |
| SHA512 | 75f713fefd4eb00c182bdb7d437ccc95142ac48f0f6908e0a2b46baf12a3439e2fd8b3c7d10fe5f2810defa15a5e1bf64ba88637766c78361947c11b6865b72c |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 467d44fbd5546afd2fec88d34d1e8791 |
| SHA1 | 8520c2890b3a898695126e8d782d966403ea071f |
| SHA256 | c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1 |
| SHA512 | 75f713fefd4eb00c182bdb7d437ccc95142ac48f0f6908e0a2b46baf12a3439e2fd8b3c7d10fe5f2810defa15a5e1bf64ba88637766c78361947c11b6865b72c |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 467d44fbd5546afd2fec88d34d1e8791 |
| SHA1 | 8520c2890b3a898695126e8d782d966403ea071f |
| SHA256 | c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1 |
| SHA512 | 75f713fefd4eb00c182bdb7d437ccc95142ac48f0f6908e0a2b46baf12a3439e2fd8b3c7d10fe5f2810defa15a5e1bf64ba88637766c78361947c11b6865b72c |
memory/2196-11-0x0000000074310000-0x00000000748BB000-memory.dmp
memory/1096-12-0x0000000074310000-0x00000000748BB000-memory.dmp
memory/2196-13-0x0000000000680000-0x00000000006C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
| MD5 | 467d44fbd5546afd2fec88d34d1e8791 |
| SHA1 | 8520c2890b3a898695126e8d782d966403ea071f |
| SHA256 | c986e48ec535ca8d1b3835058374994252c87d0684cb8c4d5e839eb31e1179f1 |
| SHA512 | 75f713fefd4eb00c182bdb7d437ccc95142ac48f0f6908e0a2b46baf12a3439e2fd8b3c7d10fe5f2810defa15a5e1bf64ba88637766c78361947c11b6865b72c |
memory/2196-14-0x0000000074310000-0x00000000748BB000-memory.dmp
memory/2196-15-0x0000000074310000-0x00000000748BB000-memory.dmp
memory/2196-16-0x0000000000680000-0x00000000006C0000-memory.dmp
memory/2196-17-0x0000000074310000-0x00000000748BB000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:37
Platform
win7-20230831-en
Max time kernel
36s
Max time network
23s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c5dbc4b5114eccb1261dfdb2194089a8.exe | C:\Users\Admin\AppData\Roaming\winsec.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c5dbc4b5114eccb1261dfdb2194089a8.exe | C:\Users\Admin\AppData\Roaming\winsec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winsec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winsec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\c5dbc4b5114eccb1261dfdb2194089a8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsec.exe\" .." | C:\Users\Admin\AppData\Roaming\winsec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c5dbc4b5114eccb1261dfdb2194089a8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsec.exe\" .." | C:\Users\Admin\AppData\Roaming\winsec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2604 set thread context of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de.exe | C:\Users\Admin\AppData\Local\Temp\ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de.exe |
| PID 2664 set thread context of 2544 | N/A | C:\Users\Admin\AppData\Roaming\winsec.exe | C:\Users\Admin\AppData\Roaming\winsec.exe |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de.exe
"C:\Users\Admin\AppData\Local\Temp\ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de.exe"
C:\Users\Admin\AppData\Local\Temp\ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de.exe
"C:\Users\Admin\AppData\Local\Temp\ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de.exe"
C:\Users\Admin\AppData\Roaming\winsec.exe
"C:\Users\Admin\AppData\Roaming\winsec.exe"
C:\Users\Admin\AppData\Roaming\winsec.exe
"C:\Users\Admin\AppData\Roaming\winsec.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winsec.exe" "winsec.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 199.241.146.179:31922 | | tcp |
| US | 199.241.146.179:31922 | | tcp |
| US | 199.241.146.179:31922 | | tcp |
| US | 199.241.146.179:31922 | | tcp |
| US | 199.241.146.179:31922 | | tcp |
| US | 199.241.146.179:31922 | | tcp |
Files
memory/2604-0-0x0000000074190000-0x000000007473B000-memory.dmp
memory/2604-1-0x0000000000AC0000-0x0000000000B00000-memory.dmp
memory/2604-2-0x0000000074190000-0x000000007473B000-memory.dmp
memory/2604-3-0x0000000000AC0000-0x0000000000B00000-memory.dmp
memory/2604-5-0x00000000002E0000-0x00000000003E0000-memory.dmp
memory/2612-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2612-8-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2604-10-0x0000000074190000-0x000000007473B000-memory.dmp
memory/2612-11-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2612-13-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2612-14-0x0000000073BE0000-0x000000007418B000-memory.dmp
memory/2612-15-0x0000000073BE0000-0x000000007418B000-memory.dmp
memory/2612-16-0x00000000004E0000-0x0000000000520000-memory.dmp
\Users\Admin\AppData\Roaming\winsec.exe
| MD5 | ed00beeccdd96f42c60aefc4d1dde58e |
| SHA1 | 7d25d5d149370846b10c4ea91695ced647a32d82 |
| SHA256 | ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de |
| SHA512 | 448d6fc8af70c1e1769be48fab8d60966f217889ff9b646b14070b527ccfa02ec389f6e1c6bedca28e28f6e5d6e44068554a7409532a5d972f21cc72911a263d |
C:\Users\Admin\AppData\Roaming\winsec.exe
| MD5 | ed00beeccdd96f42c60aefc4d1dde58e |
| SHA1 | 7d25d5d149370846b10c4ea91695ced647a32d82 |
| SHA256 | ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de |
| SHA512 | 448d6fc8af70c1e1769be48fab8d60966f217889ff9b646b14070b527ccfa02ec389f6e1c6bedca28e28f6e5d6e44068554a7409532a5d972f21cc72911a263d |
C:\Users\Admin\AppData\Roaming\winsec.exe
| MD5 | ed00beeccdd96f42c60aefc4d1dde58e |
| SHA1 | 7d25d5d149370846b10c4ea91695ced647a32d82 |
| SHA256 | ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de |
| SHA512 | 448d6fc8af70c1e1769be48fab8d60966f217889ff9b646b14070b527ccfa02ec389f6e1c6bedca28e28f6e5d6e44068554a7409532a5d972f21cc72911a263d |
memory/2664-24-0x0000000073BE0000-0x000000007418B000-memory.dmp
memory/2664-25-0x0000000000B90000-0x0000000000BD0000-memory.dmp
memory/2664-26-0x0000000000B90000-0x0000000000BD0000-memory.dmp
memory/2664-27-0x0000000073BE0000-0x000000007418B000-memory.dmp
memory/2612-28-0x0000000073BE0000-0x000000007418B000-memory.dmp
memory/2612-29-0x0000000073BE0000-0x000000007418B000-memory.dmp
memory/2664-32-0x00000000002A0000-0x00000000003A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\winsec.exe
| MD5 | ed00beeccdd96f42c60aefc4d1dde58e |
| SHA1 | 7d25d5d149370846b10c4ea91695ced647a32d82 |
| SHA256 | ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de |
| SHA512 | 448d6fc8af70c1e1769be48fab8d60966f217889ff9b646b14070b527ccfa02ec389f6e1c6bedca28e28f6e5d6e44068554a7409532a5d972f21cc72911a263d |
memory/2664-37-0x0000000073BE0000-0x000000007418B000-memory.dmp
memory/2544-41-0x0000000074190000-0x000000007473B000-memory.dmp
memory/2544-42-0x0000000000A90000-0x0000000000AD0000-memory.dmp
memory/2544-43-0x0000000074190000-0x000000007473B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c5dbc4b5114eccb1261dfdb2194089a8.exe
| MD5 | ed00beeccdd96f42c60aefc4d1dde58e |
| SHA1 | 7d25d5d149370846b10c4ea91695ced647a32d82 |
| SHA256 | ce855258530137d0993d4d914e063ed04acb24743401a5532ee9387ddfd497de |
| SHA512 | 448d6fc8af70c1e1769be48fab8d60966f217889ff9b646b14070b527ccfa02ec389f6e1c6bedca28e28f6e5d6e44068554a7409532a5d972f21cc72911a263d |
memory/2544-45-0x0000000074190000-0x000000007473B000-memory.dmp
memory/2544-46-0x0000000000A90000-0x0000000000AD0000-memory.dmp
memory/2544-47-0x0000000074190000-0x000000007473B000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:40
Platform
win7-20230831-en
Max time kernel
182s
Max time network
203s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsvc.exe" | C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1976 set thread context of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe | C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DHCP Service\dhcpsvc.exe | C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Service\dhcpsvc.exe | C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe
"C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe"
C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe
"C:\Users\Admin\AppData\Local\Temp\eb6f04c51a43a810c46ec4fb253af6789bcba802df77add63d09be8b83e058c6.exe"
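The NanoCore run above persists differently from the njRAT runs: the payload is copied under Program Files (x86) into a directory named like a Windows component, the Run value is called "DHCP Service" (the built-in DHCP client is hosted by svchost.exe under %SystemRoot%\System32, not by a dhcpsvc.exe under Program Files), and the value data is an unquoted path containing spaces. The Python below is an added example, not sandbox output, that reads Run entries as (name, data) pairs and lists why each deserves a look; the sample entries, the keyword list and the OneDrive contrast row are constructed for the example.

```python
import re

# Constructed Run entries (value name -> value data) in the form the tables on this page show.
SAMPLE_RUN_ENTRIES = {
    "DHCP Service": r"C:\Program Files (x86)\DHCP Service\dhcpsvc.exe",
    "5cd8f17f4086744065eb0992a09e05a2": r'"C:\Users\Admin\AppData\Local\Temp\Trojan.exe" ..',
    # legitimate software that also runs from the user profile (constructed contrast row)
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Words a value name borrows to look like a Windows component (example list, not exhaustive).
COMPONENT_WORDS = ("dhcp", "dns", "windows", "microsoft", "service", "update", "defender")
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
WINDOWS_DIR = "c:\\windows\\"


def split_run_data(data):
    """Return (image_path, args). An unquoted path with spaces is cut at the first '.exe',
    which is how a reviewer reads it; Windows itself tries each space-delimited prefix."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end == -1:
            return data[1:], ""
        return data[1:end], data[end + 1:].strip()
    m = re.search(r"\.exe\b", data, re.I)
    if m:
        return data[:m.end()], data[m.end():].strip()
    parts = data.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def assess_run_entry(name, data):
    """Return (image_path, [reasons]) for one Run value; an empty list means nothing stood out."""
    image, _args = split_run_data(data)
    reasons = []
    if not data.strip().startswith('"') and " " in image:
        reasons.append("unquoted_path_with_spaces")
    if any(w in name.lower() for w in COMPONENT_WORDS) and not image.lower().startswith(WINDOWS_DIR):
        reasons.append("component_name_outside_windows_dir")
    if USER_WRITABLE.match(image):
        reasons.append("image_in_user_profile")
    if re.fullmatch(r"[0-9a-f]{32}", name, re.I):
        reasons.append("hex32_value_name")
    return image, reasons


def audit_run_entries(entries):
    """Name -> reasons for every entry that produced at least one reason."""
    result = {}
    for name, data in entries.items():
        _image, reasons = assess_run_entry(name, data)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in audit_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name, reasons)
```

The OneDrive row is there to show the limit of the path heuristic: "image_in_user_profile" fires for it as well as for Trojan.exe, so in practice that reason needs an allowlist of known per-user software, while "component_name_outside_windows_dir" combined with an unquoted path is rare enough in legitimate autoruns to escalate on its own.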
Network
| Country | Destination | Domain | Proto |
| CZ | 77.48.28.247:5378 | | tcp |
| CZ | 77.48.28.247:5378 | | tcp |
| CZ | 77.48.28.247:5378 | | tcp |
| CZ | 77.48.28.247:5378 | | tcp |
| CZ | 77.48.28.247:5378 | | tcp |
| CZ | 77.48.28.247:5378 | | tcp |
Files
memory/1976-0-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/1976-1-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/1976-2-0x0000000000980000-0x00000000009C0000-memory.dmp
memory/1976-3-0x0000000000980000-0x00000000009C0000-memory.dmp
memory/1976-4-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/1976-5-0x0000000000980000-0x00000000009C0000-memory.dmp
memory/1976-6-0x0000000000980000-0x00000000009C0000-memory.dmp
memory/2736-8-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2736-7-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2736-9-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2736-11-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2736-15-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2736-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2736-17-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2736-19-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2736-20-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2736-21-0x00000000024C0000-0x0000000002500000-memory.dmp
memory/1976-23-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2736-22-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2736-26-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2736-27-0x00000000024C0000-0x0000000002500000-memory.dmp
memory/2736-28-0x0000000074630000-0x0000000074BDB000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
149s
Max time network
134s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab.exe
"C:\Users\Admin\AppData\Local\Temp\f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lmyq19.no-ip.biz | udp |
Files
memory/1312-0-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/1312-2-0x00000000005B0000-0x00000000005F0000-memory.dmp
memory/1312-1-0x0000000074630000-0x0000000074BDB000-memory.dmp
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | dc5cd2992a219d51a2b2e0878eeda416 |
| SHA1 | 04b058f5e3087fd6ee63e97a87b08d228d9cc76f |
| SHA256 | f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab |
| SHA512 | 41c0a582931dee21cdb83e621a029f0ab14addf265a72596104db6153f474342d859eab37f099b1bcf2e3e1ede72cab1c04a72ffe094ff6755da97b65551b2ee |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | dc5cd2992a219d51a2b2e0878eeda416 |
| SHA1 | 04b058f5e3087fd6ee63e97a87b08d228d9cc76f |
| SHA256 | f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab |
| SHA512 | 41c0a582931dee21cdb83e621a029f0ab14addf265a72596104db6153f474342d859eab37f099b1bcf2e3e1ede72cab1c04a72ffe094ff6755da97b65551b2ee |
memory/2168-11-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/2168-12-0x00000000021D0000-0x0000000002210000-memory.dmp
memory/2168-13-0x0000000074630000-0x0000000074BDB000-memory.dmp
memory/1312-10-0x0000000074630000-0x0000000074BDB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | dc5cd2992a219d51a2b2e0878eeda416 |
| SHA1 | 04b058f5e3087fd6ee63e97a87b08d228d9cc76f |
| SHA256 | f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab |
| SHA512 | 41c0a582931dee21cdb83e621a029f0ab14addf265a72596104db6153f474342d859eab37f099b1bcf2e3e1ede72cab1c04a72ffe094ff6755da97b65551b2ee |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
| MD5 | dc5cd2992a219d51a2b2e0878eeda416 |
| SHA1 | 04b058f5e3087fd6ee63e97a87b08d228d9cc76f |
| SHA256 | f858bb58de7036188683c06ae6b39827d0d32e2d09617ded718ead5a6a2d6bab |
| SHA512 | 41c0a582931dee21cdb83e621a029f0ab14addf265a72596104db6153f474342d859eab37f099b1bcf2e3e1ede72cab1c04a72ffe094ff6755da97b65551b2ee |
memory/2168-15-0x0000000074630000-0x0000000074BDB000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 832 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 832 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc96e837e9902d3941210eeee94d79f9d268f9715fb966945bdb20cb93c9e497.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc96e837e9902d3941210eeee94d79f9d268f9715fb966945bdb20cb93c9e497.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
122s
Max time network
132s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2936 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2936 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2936 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2936 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe
"C:\Users\Admin\AppData\Local\Temp\b0e6f404115933d8d445c6c354ecef885347be61da45a37e3dcdbdb71eddbb9c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1432
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
Files
memory/2936-0-0x0000000000BB0000-0x0000000000BBC000-memory.dmp
memory/2936-1-0x0000000074E90000-0x000000007557E000-memory.dmp
memory/2936-2-0x0000000004CF0000-0x0000000004D30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab4839.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar485B.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2936-37-0x0000000074E90000-0x000000007557E000-memory.dmp
memory/2936-38-0x0000000004CF0000-0x0000000004D30000-memory.dmp
memory/2936-39-0x0000000074E90000-0x000000007557E000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cd9e051ed80df1a0c0b000059793bab8.exe | C:\ProgramData\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cd9e051ed80df1a0c0b000059793bab8.exe | C:\ProgramData\Trojan.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\cd9e051ed80df1a0c0b000059793bab8 = "\"C:\\ProgramData\\Trojan.exe\" .." | C:\ProgramData\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cd9e051ed80df1a0c0b000059793bab8 = "\"C:\\ProgramData\\Trojan.exe\" .." | C:\ProgramData\Trojan.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Trojan.exe | N/A |
| N/A | N/A | C:\ProgramData\Trojan.exe | N/A |
| N/A | N/A | C:\ProgramData\Trojan.exe | N/A |
| N/A | N/A | C:\ProgramData\Trojan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Trojan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121.exe
"C:\Users\Admin\AppData\Local\Temp\b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121.exe"
C:\ProgramData\Trojan.exe
"C:\ProgramData\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\ProgramData\Trojan.exe" "Trojan.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:1777 | N/A | tcp (47 identical rows collapsed) |
Files
memory/1524-0-0x0000000074BD0000-0x000000007517B000-memory.dmp
memory/1524-1-0x0000000074BD0000-0x000000007517B000-memory.dmp
memory/1524-2-0x0000000001F90000-0x0000000001FD0000-memory.dmp
\ProgramData\Trojan.exe
| MD5 | b58f170bed7f9957bc929ad9fe669692 |
| SHA1 | 55dfe9b436059ad1fc007e9264e942ab4ba4f986 |
| SHA256 | b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121 |
| SHA512 | 089dc07e7bdb591b69fa16a3e7d9087138e2981747613ed3d10929ad7a8a4314ee2a3c04a04af1144861e293b856678cd227d25f9a363c92f9f106c0e30ed6d8 |
C:\ProgramData\Trojan.exe
| MD5 | b58f170bed7f9957bc929ad9fe669692 |
| SHA1 | 55dfe9b436059ad1fc007e9264e942ab4ba4f986 |
| SHA256 | b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121 |
| SHA512 | 089dc07e7bdb591b69fa16a3e7d9087138e2981747613ed3d10929ad7a8a4314ee2a3c04a04af1144861e293b856678cd227d25f9a363c92f9f106c0e30ed6d8 |
C:\ProgramData\Trojan.exe
| MD5 | b58f170bed7f9957bc929ad9fe669692 |
| SHA1 | 55dfe9b436059ad1fc007e9264e942ab4ba4f986 |
| SHA256 | b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121 |
| SHA512 | 089dc07e7bdb591b69fa16a3e7d9087138e2981747613ed3d10929ad7a8a4314ee2a3c04a04af1144861e293b856678cd227d25f9a363c92f9f106c0e30ed6d8 |
memory/3020-10-0x0000000074BD0000-0x000000007517B000-memory.dmp
memory/3020-11-0x0000000000230000-0x0000000000270000-memory.dmp
memory/1524-12-0x0000000074BD0000-0x000000007517B000-memory.dmp
memory/3020-13-0x0000000074BD0000-0x000000007517B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cd9e051ed80df1a0c0b000059793bab8.exe
| MD5 | b58f170bed7f9957bc929ad9fe669692 |
| SHA1 | 55dfe9b436059ad1fc007e9264e942ab4ba4f986 |
| SHA256 | b332a1fcf2562fcec7a61d9c2b281f7039dd9d310c31bd7ad916585029fea121 |
| SHA512 | 089dc07e7bdb591b69fa16a3e7d9087138e2981747613ed3d10929ad7a8a4314ee2a3c04a04af1144861e293b856678cd227d25f9a363c92f9f106c0e30ed6d8 |
memory/3020-15-0x0000000074BD0000-0x000000007517B000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:40
Platform
win7-20230831-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225.exe
"C:\Users\Admin\AppData\Local\Temp\b53fcca86fa3b578e636240aaef0423decca19869b56a3e1d49357d913976225.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.aucma365.com | udp |
| HK | 45.204.127.170:80 | www.aucma365.com | tcp |
Files
memory/2964-1-0x0000000000400000-0x0000000000B85000-memory.dmp
memory/2964-3-0x0000000002960000-0x0000000002B2D000-memory.dmp
memory/2964-5-0x0000000002960000-0x0000000002B2D000-memory.dmp
C:\sy.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2964-30-0x0000000002960000-0x0000000002B2D000-memory.dmp
memory/2964-29-0x0000000000400000-0x0000000000B85000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe
"C:\Users\Admin\AppData\Local\Temp\cd4f0b526d8f4d2cbc8eb91893b86f2eb767a8cf1982a235c8d4f28fb5ca235e.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab3D9E.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar3DEF.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
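The "Modifies system certificate store" entry in this run deserves a check before it is counted against the sample. The key sits under AuthRoot (the store Windows fills from its Automatic Root Update program rather than the one a user or installer writes to), the key name is the SHA-1 thumbprint D4DE20D05E66FC53FE1A50882C78DB2852CAE474, and the same run shows an HTTPS connection to cdn.discordapp.com together with the Cab*.tmp and Tar*.tmp files that a root-list download leaves behind. Reading this as Windows caching a public root while building the TLS chain, rather than the sample installing a root of its own, is the editor's assessment, not a finding of the report. The Python below is an added example (editor's code, not the sandbox's own logic) that decodes the Blob value exactly as written in the first row of the table above, key name included, and verifies the embedded certificate's subject, validity and SHA-1 against the key name. The Blob record layout and the CERT_*_PROP_ID names are from wincrypt.h; the DER walker handles only the definite-length encodings a certificate uses, which is all this check needs.

```python
"""Decode a CryptoAPI certificate-store Blob from the registry and check what it holds.

Editor's example, not code from the report or the sandbox. A Blob is a run of
records, each: DWORD propid, DWORD reserved (always 1), DWORD length, data.
Property IDs are the CERT_*_PROP_ID constants from wincrypt.h; BLOB_HEX and
KEY_PATH are transcribed from the behavioral13 table above.
"""
import hashlib
import struct

KEY_PATH = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot"
            r"\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob")
BLOB_HEX = (  # one record per line; the last record carries the 891-byte DER certificate
    "0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f"
    "0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f0074000000"
    "53000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0"
    "140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0"
    "1d0000000100000010000000918ad43a9475f78bb5243de886d8103c"
    "09000000010000000c000000300a06082b06010505070301"
    "030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474"
    "20000000010000007b030000"
    "308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500"
    "305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74"
    "301e170d3030303531323138343630305a170d3235303531323233353930305a"
    "305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9"
    "ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a39"
    "0203010001"
    "a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106"
    "300d06092a864886f70d01010505000382010100"
    "850c5d8ee46f51684205a0ddbb4f27258403bdf"
    "764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e"
    "33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9"
)
PROP_NAMES = {3: "CERT_SHA1_HASH_PROP_ID", 9: "CERT_ENHKEY_USAGE_PROP_ID",
              11: "CERT_FRIENDLY_NAME_PROP_ID", 15: "CERT_SIGNATURE_HASH_PROP_ID",
              20: "CERT_KEY_IDENTIFIER_PROP_ID", 29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
              32: "CERT_CERT_PROP_ID", 83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID"}
OID_NAMES = {"550403": "CN", "550406": "C", "55040a": "O", "55040b": "OU"}  # X.520 attribute OIDs


def parse_blob(blob):
    """Split a Blob into {propid: data}; a malformed record raises instead of being guessed at."""
    props, off = {}, 0
    while off < len(blob):
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed Blob record at offset %d" % (off - 12))
        props[propid] = blob[off:off + length]
        off += length
    return props


def der_iter(buf):
    """Yield (tag, contents) for each DER TLV in buf; definite-length encodings only."""
    off = 0
    while off < len(buf):
        tag, ln = buf[off], buf[off + 1]
        off += 2
        if ln & 0x80:                       # long form: low 7 bits give the number of length bytes
            n = ln & 0x7F
            ln = int.from_bytes(buf[off:off + n], "big")
            off += n
        yield tag, buf[off:off + ln]
        off += ln


def x509_fields(der):
    """Subject RDNs and validity window straight from the DER, independent of the friendly name."""
    body = next(der_iter(der))[1]                   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    tbs = list(der_iter(next(der_iter(body))[1]))   # tbsCertificate contents
    if tbs[0][0] == 0xA0:                           # optional EXPLICIT [0] version comes first
        tbs = tbs[1:]
    not_before, not_after = (v.decode("ascii") for _, v in der_iter(tbs[3][1]))
    subject = {}
    for _, rdn in der_iter(tbs[4][1]):              # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in der_iter(rdn):
            (_, oid), (_, val) = list(der_iter(atv))
            subject[OID_NAMES.get(oid.hex(), oid.hex())] = val.decode("utf-8")
    return subject, not_before, not_after


def summarize(key_path, blob_hex):
    """Cross-check the store entry: key name == stored SHA-1 property == SHA-1 of the DER."""
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[32]
    der_sha1 = hashlib.sha1(der).hexdigest()
    key_thumb = key_path.rsplit("\\", 2)[-2].lower()    # ...\Certificates\<thumbprint>\Blob
    subject, not_before, not_after = x509_fields(der)
    return {
        "store": key_path.split("\\SystemCertificates\\")[1].split("\\")[0],
        "properties": [PROP_NAMES.get(p, "PROP_%d" % p) for p in props],
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
        "subject": subject, "not_before": not_before, "not_after": not_after,
        "der_sha1": der_sha1,
        "thumbprint_matches_key": der_sha1 == key_thumb == props[3].hex(),
    }


if __name__ == "__main__":
    for k, v in summarize(KEY_PATH, BLOB_HEX).items():
        print("%-24s %s" % (k, v))
```

The decisive field is thumbprint_matches_key: when the SHA-1 of the embedded DER equals both the stored hash property and the key name, the entry is an ordinary store write of the certificate it claims to be, and the subject pulled from the DER (not the friendly-name property, which anything can set) says which certificate that is. A mismatch between the three, or a subject that does not belong to a known root program, is the case where this signature should be escalated.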
Analysis: behavioral18
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
149s
Max time network
129s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3.exe
"C:\Users\Admin\AppData\Local\Temp\dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xvxvxv.no-ip.biz | udp |
Files
memory/2196-0-0x0000000074780000-0x0000000074D2B000-memory.dmp
memory/2196-1-0x0000000074780000-0x0000000074D2B000-memory.dmp
memory/2196-2-0x0000000000D60000-0x0000000000DA0000-memory.dmp
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 00683c2668d0329457a67a5d5523d1ef |
| SHA1 | 8831515122545e6eb889bfefc66615b78cd0df2e |
| SHA256 | dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3 |
| SHA512 | 6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 00683c2668d0329457a67a5d5523d1ef |
| SHA1 | 8831515122545e6eb889bfefc66615b78cd0df2e |
| SHA256 | dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3 |
| SHA512 | 6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 00683c2668d0329457a67a5d5523d1ef |
| SHA1 | 8831515122545e6eb889bfefc66615b78cd0df2e |
| SHA256 | dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3 |
| SHA512 | 6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff |
memory/2288-12-0x0000000000770000-0x00000000007B0000-memory.dmp
memory/2196-11-0x0000000074780000-0x0000000074D2B000-memory.dmp
memory/2288-10-0x0000000074780000-0x0000000074D2B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
| MD5 | 00683c2668d0329457a67a5d5523d1ef |
| SHA1 | 8831515122545e6eb889bfefc66615b78cd0df2e |
| SHA256 | dd0f55e997999bfddd040f676fd616b99afe386daf1a69c3a02a8324274baba3 |
| SHA512 | 6c3668a590fd26abbdbf35a6da03dbd76c755a05be2b7192dad3c777fc8937346029903bd76de3fdea941cb81916d01a122f36f116ee9d99a0fa097c16f4d4ff |
memory/2288-14-0x0000000074780000-0x0000000074D2B000-memory.dmp
memory/2288-15-0x0000000074780000-0x0000000074D2B000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\9ca1f39c0d0f413de016bbb7dd511829 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe\" .." | C:\Users\Admin\AppData\Local\Temp\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9ca1f39c0d0f413de016bbb7dd511829 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe\" .." | C:\Users\Admin\AppData\Local\Temp\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe
"C:\Users\Admin\AppData\Local\Temp\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe"
C:\Users\Admin\AppData\Local\Temp\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe
"C:\Users\Admin\AppData\Local\Temp\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe" "df92a2bd49df3ebd8f015c918b6ad5d5d8861d43339e8adeea0575ac369ac9aa.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 192.210.146.60:1111 | N/A | tcp (4 identical rows collapsed) |
Files
memory/2088-2-0x0000000000300000-0x0000000000306000-memory.dmp
memory/2088-3-0x0000000000300000-0x0000000000306000-memory.dmp
memory/2780-5-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2780-6-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2780-4-0x0000000000020000-0x000000000003A000-memory.dmp
memory/2780-15-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2780-16-0x0000000000270000-0x0000000000280000-memory.dmp
memory/2780-17-0x0000000000270000-0x0000000000280000-memory.dmp
memory/2780-18-0x0000000074270000-0x000000007481B000-memory.dmp
memory/2780-19-0x0000000074270000-0x000000007481B000-memory.dmp
memory/2780-20-0x0000000002020000-0x0000000002060000-memory.dmp
memory/2780-21-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2780-22-0x0000000000270000-0x0000000000280000-memory.dmp
memory/2780-23-0x0000000000270000-0x0000000000280000-memory.dmp
memory/2780-24-0x0000000000270000-0x0000000000280000-memory.dmp
memory/2780-25-0x0000000074270000-0x000000007481B000-memory.dmp
memory/2780-26-0x0000000074270000-0x000000007481B000-memory.dmp
memory/2780-28-0x0000000002020000-0x0000000002060000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:40
Platform
win7-20230831-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Local\Temp\f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3028 set thread context of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4.exe
"C:\Users\Admin\AppData\Local\Temp\f9c60c7b4de2e4b14abd165cfe72dce93b224f64c515b1be72ea7b9e7e4432b4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nqekc3kj\nqekc3kj.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C6D.tmp" "c:\Users\Admin\AppData\Local\Temp\nqekc3kj\CSC217D96A272E04CE3B090D5C291E2E0E1.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "RegAsm.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | akilay.kingx.info | udp |
| DE | 3.64.163.50:1177 | akilay.kingx.info | tcp (6 identical rows collapsed) |
| DE | 3.64.163.50:1177 | N/A | tcp |
Files
memory/3028-0-0x0000000001210000-0x000000000122A000-memory.dmp
memory/3028-1-0x0000000074E30000-0x000000007551E000-memory.dmp
memory/3028-2-0x00000000010D0000-0x0000000001110000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\nqekc3kj\nqekc3kj.cmdline
| MD5 | cb153ccd11f1e774dc3a5bb398422509 |
| SHA1 | 2193045cad697e945b9b870cb734acf979cdc5b3 |
| SHA256 | e364d1e2de312f9f8416d7cb13eba25c032d48636b1ae0dd86bb9432fa62abf8 |
| SHA512 | 9f5eb38689f88d27fcf90e4b4d4de12c32730845132908341a241ce43aecd905a03ae4217de2b7985d1d894df934cfb4c1197482088a312fb1ae2ed15a436259 |
\??\c:\Users\Admin\AppData\Local\Temp\nqekc3kj\nqekc3kj.0.cs
| MD5 | 3a6608b47e56154666054183e35daef3 |
| SHA1 | d2bbb8a680c6295b1b6e9a33c032d07f61a8fd32 |
| SHA256 | 1e7fc6c721c16fde819b1cd7ffe997794898cb1809b00231fde4e85ddefc19f4 |
| SHA512 | 71cfa9e9148601ab548fc0ba52dc32a784142f5eba1894b971348b298c4000bd1ea344e946ee9f7f94fb3d29a3f7f3848e4cbbb04a813d42345b5c7e99f8ae58 |
\??\c:\Users\Admin\AppData\Local\Temp\nqekc3kj\CSC217D96A272E04CE3B090D5C291E2E0E1.TMP
| MD5 | e2cd91070c7e47793b64bf6d1d9a86ab |
| SHA1 | 5c86b4eb1763cc862d2902fceb9dae2b13ddc155 |
| SHA256 | 468d5fe831c979b138da77e93e0b5d6c1f0e58702d97e1bd68eed3f3e86ae569 |
| SHA512 | 4d1435a73fcb761c96a2101397de2503c64605b58db1bf718607459a6f7fafa61dd234a0653a0f9fb391b8ec17afec34df65364456d94236c048fdf8af5b720e |
C:\Users\Admin\AppData\Local\Temp\RES2C6D.tmp
| MD5 | 12524502d4d00e2702178b7d4efa1fc1 |
| SHA1 | ee9eb200299663aa9948f40ee06cc1e6b8824a50 |
| SHA256 | 06fc185ef27ac6ec3f4de229c54a4ea16a119628095850b2fdbaee72e9764983 |
| SHA512 | be53b016b85601d3c480a9f21a9bc549156163651202bc083d659bf749fd9543241dd2308f6c118d038f32c9f78c70c490e46bb66c25eee0669f21b6021bd69b |
C:\Users\Admin\AppData\Local\Temp\nqekc3kj\nqekc3kj.dll
| MD5 | fd9c6f5c5658510ead1c9e9e095b1d58 |
| SHA1 | 0fbc292df986a07f81028ef1aa8110d40ab3f609 |
| SHA256 | 2131d51dacc468d079e90d568a946513ff74aa00aeca319f4eff8d8dc45946fa |
| SHA512 | 6923c8534e8c03aa787862a857437220edf25d4c2d2094334df88da6430b9e97a973e1b4d0a0347aa0d48f252759b528efd1aa9c14a843aea9f7f41ad3dd6196 |
C:\Users\Admin\AppData\Local\Temp\nqekc3kj\nqekc3kj.pdb
| MD5 | 89869d0bcfa17e371fc1787dd572cdde |
| SHA1 | da4173f960dddd450cbe8b555c43d5255ec9d53d |
| SHA256 | 4abdf1fe7624a78a2395861aca43fc54c15e95199814409f5874f611cb4b1418 |
| SHA512 | 041d89e6fbea25ab3e4121eb98d2dac60b52bccbd76eedf5f955ab101481a0693ae82babc30f0777e0d056de86d9e38dc70d5b9d5eccc29a05635ee6815cddfa |
memory/3028-17-0x0000000000380000-0x0000000000388000-memory.dmp
memory/3028-19-0x00000000003B0000-0x00000000003C6000-memory.dmp
memory/3028-20-0x0000000000400000-0x000000000040C000-memory.dmp
memory/3028-23-0x0000000000670000-0x000000000067C000-memory.dmp
memory/2700-26-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2700-24-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2700-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2700-29-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2700-28-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2700-32-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2700-34-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2700-36-0x0000000000400000-0x000000000040C000-memory.dmp
memory/3028-37-0x0000000074E30000-0x000000007551E000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
152s
Max time network
158s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\GoogleChrome\GoogleChrome.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\GoogleChrome\GoogleChrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96.exe | N/A |
| N/A | N/A | C:\GoogleChrome\GoogleChrome.exe | N/A |
| N/A | N/A | C:\GoogleChrome\GoogleChrome.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\GoogleChrome\\WindowsUpdate.lnk" | C:\GoogleChrome\GoogleChrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\GoogleChrome\\WindowsUpdate.lnk" | C:\GoogleChrome\GoogleChrome.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\GoogleChrome\\GoogleUpdate.lnk" | C:\GoogleChrome\GoogleChrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdopeUpdate = "C:\\GoogleChrome\\GoogleUpdate.lnk" | C:\GoogleChrome\GoogleChrome.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NewJavaInstall = "C:\\GoogleChrome\\GoogleChrome.exe /AutoIt3ExecuteScript C:\\GoogleChrome\\GoogleChrome.a3x" | C:\GoogleChrome\GoogleChrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdopeFlash = "C:\\GoogleChrome\\GoogleChrome.exe /AutoIt3ExecuteScript C:\\GoogleChrome\\GoogleChrome.a3x" | C:\GoogleChrome\GoogleChrome.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\j: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\m: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\n: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\o: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\p: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\w: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\b: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\i: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\z: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\h: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\r: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\y: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\g: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\u: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\k: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\l: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\q: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\s: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\t: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\v: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\a: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\e: | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File opened (read-only) | \??\x: | C:\GoogleChrome\GoogleChrome.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Program Files (x86)\Program Files (x86).lnk | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File created | \??\c:\Program Files (x86)\My Music.lnk | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File created | \??\c:\Program Files\Program Files.lnk | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File created | \??\c:\Program Files\My Music.lnk | C:\GoogleChrome\GoogleChrome.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\Windows.lnk | C:\GoogleChrome\GoogleChrome.exe | N/A |
| File created | \??\c:\Windows\My Music.lnk | C:\GoogleChrome\GoogleChrome.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96.exe
"C:\Users\Admin\AppData\Local\Temp\fac93c30912ddcb200dde77e3a2976e606f4d6668fc4f79d170865c536064d96.exe"
C:\GoogleChrome\GoogleChrome.exe
C:\GoogleChrome\GoogleChrome.exe C:\GoogleChrome\GoogleChrome.a3x
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\GoogleChrome\GoogleChrome.exe" "GoogleChrome.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | googleserviceads.publicvm.com | udp |
| DE | 45.147.228.196:223 | googleserviceads.publicvm.com | tcp |
Files
C:\GoogleChrome\GoogleChrome.a3x
| MD5 | 966584b0905f8ca7d613756ba035f846 |
| SHA1 | 26aab10187bdf20edc15c42b70e58874e96dcf82 |
| SHA256 | 385e126893bf39f8d1ec7e3d09d56b4ab04d2a74521639de92623cf3949b6bd0 |
| SHA512 | 59ce6f79f7513cc7f570d1ebdb128be9474f9df6964cc3019d199866541b1012664acf8d4b10eb5de216329d25c54ce73b394e389da14e30005980516bee964b |
\GoogleChrome\GoogleChrome.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\GoogleChrome\GoogleChrome.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\GoogleChrome\GoogleChrome.a3x
| MD5 | 966584b0905f8ca7d613756ba035f846 |
| SHA1 | 26aab10187bdf20edc15c42b70e58874e96dcf82 |
| SHA256 | 385e126893bf39f8d1ec7e3d09d56b4ab04d2a74521639de92623cf3949b6bd0 |
| SHA512 | 59ce6f79f7513cc7f570d1ebdb128be9474f9df6964cc3019d199866541b1012664acf8d4b10eb5de216329d25c54ce73b394e389da14e30005980516bee964b |
\GoogleChrome\GoogleChrome.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\GoogleChrome\GoogleChrome.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
\GoogleChrome\GoogleChrome.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\MozillaFirefox\GoogleChrome.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\GoogleChrome\GoogleUpdate.lnk
| MD5 | 430dd23ca9618fd47d26963d27f9f866 |
| SHA1 | 3c09f322b7ddb30ac4bf0b05b4bb97dc025fe066 |
| SHA256 | 63659a169a8bfc4ae3d26d0d7edf8070305ee77c2fd1895f009b066c79fb7f58 |
| SHA512 | ece574f1a488ccdb7301106827d33630a7764f3bea04e84117e26ec1d92cf2be2fb28e707d2d164b79035902d56ff8324ac0527d5e73a8d327d467d63a0d093a |
C:\GoogleChrome\WindowsUpdate.lnk
| MD5 | a60ffff00a46f59186715b19a4e21300 |
| SHA1 | 94c70a9d02bab574a4408a8ab7af17762aa9aadf |
| SHA256 | 1e8a4b5f91544bb5e566db4822028bfc5438e69acd4b43c1dc5c7da947019182 |
| SHA512 | eb98c02278a69331c4285b71ae5fef7c0ad0545e7fa5e81e0c733f8a4dedd8c5c4dd4551528f5744b42d5b0cac62787758d5a84638fe30057d48651fb5f0cf79 |
C:\GoogleChrome\GoogleChrome.lnk
| MD5 | ccf35a0d6daea3c2f71aa943a56e0c30 |
| SHA1 | 9b2c56bb236e31a3e7ac8c54bbbac9afea56c252 |
| SHA256 | 1cfc48cb5a6374f68957e726ba52ea0c6cc98cf7806f5df80513fe7a4e177a45 |
| SHA512 | 0ac6062dbebc5369228c964075764148adc72eaad5ad7e6f79cf2610a7be2386c86aa4ec503b8400a6740c28801405c14f4fbb56609f4d695840faebdfc869e5 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.lnk
| MD5 | 4cc52e0f63e9c4d01cb0c0215ae4f959 |
| SHA1 | c2a8e0ce0adac04c4cdcfa525400697cb62d3764 |
| SHA256 | d1a101a8380dbca6dcc8d282f7f28f065c885bcb963984ed3fb2cb874c79d692 |
| SHA512 | 2baf7ec0a7c545e8ec7162ad0fc9108e9abde0ae37bde30997a234475ee095b365d175abb19ec11b4d9650a791af799854d1ef5d6d2d26b83bd9695c0de78d06 |
Analysis: behavioral9
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
151s
Max time network
124s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00873Y32-6U30-7YV1-H8UC-3IWTQ12184BG} | C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00873Y32-6U30-7YV1-H8UC-3IWTQ12184BG}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe\"" | C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdechangepin.url | C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe" | C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2880 set thread context of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe | C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe
"C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe"
C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe
"C:\Users\Admin\AppData\Local\Temp\bfd66ffd0d79cefd7f2199b181c011574cb3053e374a043668c4ed9591f0f646.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | henry.dvrcam.info | udp |
| BR | 177.188.141.71:5509 | henry.dvrcam.info | tcp |
| US | 8.8.8.8:53 | henry.dvrcam.info | udp |
| BR | 177.188.141.71:5509 | henry.dvrcam.info | tcp |
Files
memory/2880-3-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2332-4-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/2332-6-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/2332-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2332-17-0x0000000000080000-0x00000000000AC000-memory.dmp
memory/2880-18-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
151s
Max time network
165s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31e68c5230c737766d0bca9d8a3e9590.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31e68c5230c737766d0bca9d8a3e9590.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287688388\287688388.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\31e68c5230c737766d0bca9d8a3e9590 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\31e68c5230c737766d0bca9d8a3e9590 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 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 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 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 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 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 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d252bfd7bacd90fd0ab8bd70db07188a7053d9fa7b1f732b490ff46c53214e87.exe
"C:\Users\Admin\AppData\Local\Temp\d252bfd7bacd90fd0ab8bd70db07188a7053d9fa7b1f732b490ff46c53214e87.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\E2C1.tmp\E2F1.tmp\E2F2.ps1
C:\Users\Admin\AppData\Local\Temp\287688388\287688388.exe
"C:\Users\Admin\AppData\Local\Temp\287688388\287688388.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FB8E.tmp\FB8F.tmp\FB90.vbs //Nologo
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ocsp.thawte.com | udp |
| US | 152.195.50.149:80 | ocsp.thawte.com | tcp |
| US | 8.8.8.8:53 | crl.thawte.com | udp |
| US | 192.229.221.95:80 | crl.thawte.com | tcp |
| US | 8.8.8.8:53 | th.symcd.com | udp |
| US | 152.195.50.149:80 | th.symcd.com | tcp |
| RU | 62.109.11.164:5552 | | tcp |
| RU | 62.109.11.164:5552 | | tcp |
| RU | 62.109.11.164:5552 | | tcp |
| RU | 62.109.11.164:5552 | | tcp |
| RU | 62.109.11.164:5552 | | tcp |
Files
memory/3056-0-0x0000000140000000-0x00000001401C2000-memory.dmp
memory/2208-6-0x000000001B270000-0x000000001B552000-memory.dmp
memory/2208-7-0x0000000002420000-0x0000000002428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E2C1.tmp\E2F1.tmp\E2F2.ps1
| MD5 | f6e8145a451dedf876ed5a167e532cb2 |
| SHA1 | ba170ea95a6742194466308136aeae303c6767f8 |
| SHA256 | 8d56668dd0f08ec331b94fa4e5d62098681d7b91726b4c23251a2b1cd7e94762 |
| SHA512 | 716dbff1ccc4fd8e281002cb6f29b8b05980b681f82359c9f27c4bd8ec94d225f7d1701da394c74bbd350f0056d022263552f0d96206152f4d16a9c9a18d1f75 |
memory/2208-9-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp
memory/2208-10-0x0000000002590000-0x0000000002610000-memory.dmp
memory/2208-11-0x0000000002590000-0x0000000002610000-memory.dmp
memory/2208-12-0x0000000002590000-0x0000000002610000-memory.dmp
memory/2208-13-0x0000000002590000-0x0000000002610000-memory.dmp
memory/2208-14-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp
\Users\Admin\AppData\Local\Temp\287688388\287688388.exe
| MD5 | d34f033d3583537e1c9e68354b916c7d |
| SHA1 | 06bd7330a17e088667c27b78c9a1fd6809dd5cd6 |
| SHA256 | bc2b68beb603a571b667ea860f5bc4a714a266759f982faacbdf2394c2b2e333 |
| SHA512 | 9f0189c7447882a7a64f1980ed66ea30dfb3d23a91304e286d2915f48ca6c6f86b1eadfdd1ee6ae9e583ce38fc8665fab2bd4673a437428e73f89c3863925d2e |
memory/2208-18-0x0000000140000000-0x0000000140010000-memory.dmp
\Users\Admin\AppData\Local\Temp\287688388\287688388.exe
| MD5 | d34f033d3583537e1c9e68354b916c7d |
| SHA1 | 06bd7330a17e088667c27b78c9a1fd6809dd5cd6 |
| SHA256 | bc2b68beb603a571b667ea860f5bc4a714a266759f982faacbdf2394c2b2e333 |
| SHA512 | 9f0189c7447882a7a64f1980ed66ea30dfb3d23a91304e286d2915f48ca6c6f86b1eadfdd1ee6ae9e583ce38fc8665fab2bd4673a437428e73f89c3863925d2e |
C:\Users\Admin\AppData\Local\Temp\287688388\287688388.exe
| MD5 | d34f033d3583537e1c9e68354b916c7d |
| SHA1 | 06bd7330a17e088667c27b78c9a1fd6809dd5cd6 |
| SHA256 | bc2b68beb603a571b667ea860f5bc4a714a266759f982faacbdf2394c2b2e333 |
| SHA512 | 9f0189c7447882a7a64f1980ed66ea30dfb3d23a91304e286d2915f48ca6c6f86b1eadfdd1ee6ae9e583ce38fc8665fab2bd4673a437428e73f89c3863925d2e |
memory/2208-24-0x0000000140000000-0x000000014011F000-memory.dmp
\Users\Admin\AppData\Local\Temp\287688388\287688388.exe
| MD5 | d34f033d3583537e1c9e68354b916c7d |
| SHA1 | 06bd7330a17e088667c27b78c9a1fd6809dd5cd6 |
| SHA256 | bc2b68beb603a571b667ea860f5bc4a714a266759f982faacbdf2394c2b2e333 |
| SHA512 | 9f0189c7447882a7a64f1980ed66ea30dfb3d23a91304e286d2915f48ca6c6f86b1eadfdd1ee6ae9e583ce38fc8665fab2bd4673a437428e73f89c3863925d2e |
memory/2084-26-0x0000000140000000-0x000000014011F000-memory.dmp
memory/2208-27-0x0000000140000000-0x0000000140010000-memory.dmp
memory/3056-28-0x0000000140000000-0x00000001401C2000-memory.dmp
memory/2208-29-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FB8E.tmp\FB8F.tmp\FB90.vbs
| MD5 | 307d6da377a376226a097b97be7286d1 |
| SHA1 | 02c67e6331d538271c7adad6b047e623f43636a7 |
| SHA256 | 60b1ab92688fd75a1667d9dcfe7afe06eb269dc6a5235c4d297a954f21402225 |
| SHA512 | 37600251a5314942e8af4069a298787c9cfd817fed4d65c33ae320f39120d64d15901c890d3e8cc7b8452125aea4e01fff68c3554998ef21b1305f4cfa5a04ab |
memory/2084-31-0x0000000140000000-0x000000014011F000-memory.dmp
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
| MD5 | d384ae9c0dfad3d71946b8ded1000415 |
| SHA1 | d11524d54f768076ff41b84e18041cbc26a7e271 |
| SHA256 | 39b57386e3ef886e11a6c848a9d5fda86b036c0ace414bab77a768f8428389b9 |
| SHA512 | 772edc5064f4799913931af5ffbad455437565b0c0fda09678a5ef49b7ee5a362679d002f01cd62f5706935bdac4f6700743fa65005a775035ee2203c7083804 |
memory/2084-39-0x0000000140000000-0x000000014011F000-memory.dmp
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
| MD5 | d384ae9c0dfad3d71946b8ded1000415 |
| SHA1 | d11524d54f768076ff41b84e18041cbc26a7e271 |
| SHA256 | 39b57386e3ef886e11a6c848a9d5fda86b036c0ace414bab77a768f8428389b9 |
| SHA512 | 772edc5064f4799913931af5ffbad455437565b0c0fda09678a5ef49b7ee5a362679d002f01cd62f5706935bdac4f6700743fa65005a775035ee2203c7083804 |
memory/2760-41-0x0000000074A20000-0x0000000074FCB000-memory.dmp
memory/2760-42-0x0000000074A20000-0x0000000074FCB000-memory.dmp
memory/2760-43-0x0000000000AB0000-0x0000000000AF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab5EC5.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar6010.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2760-135-0x0000000074A20000-0x0000000074FCB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | d384ae9c0dfad3d71946b8ded1000415 |
| SHA1 | d11524d54f768076ff41b84e18041cbc26a7e271 |
| SHA256 | 39b57386e3ef886e11a6c848a9d5fda86b036c0ace414bab77a768f8428389b9 |
| SHA512 | 772edc5064f4799913931af5ffbad455437565b0c0fda09678a5ef49b7ee5a362679d002f01cd62f5706935bdac4f6700743fa65005a775035ee2203c7083804 |
memory/2760-137-0x0000000000AB0000-0x0000000000AF0000-memory.dmp
\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | d384ae9c0dfad3d71946b8ded1000415 |
| SHA1 | d11524d54f768076ff41b84e18041cbc26a7e271 |
| SHA256 | 39b57386e3ef886e11a6c848a9d5fda86b036c0ace414bab77a768f8428389b9 |
| SHA512 | 772edc5064f4799913931af5ffbad455437565b0c0fda09678a5ef49b7ee5a362679d002f01cd62f5706935bdac4f6700743fa65005a775035ee2203c7083804 |
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | d384ae9c0dfad3d71946b8ded1000415 |
| SHA1 | d11524d54f768076ff41b84e18041cbc26a7e271 |
| SHA256 | 39b57386e3ef886e11a6c848a9d5fda86b036c0ace414bab77a768f8428389b9 |
| SHA512 | 772edc5064f4799913931af5ffbad455437565b0c0fda09678a5ef49b7ee5a362679d002f01cd62f5706935bdac4f6700743fa65005a775035ee2203c7083804 |
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | d384ae9c0dfad3d71946b8ded1000415 |
| SHA1 | d11524d54f768076ff41b84e18041cbc26a7e271 |
| SHA256 | 39b57386e3ef886e11a6c848a9d5fda86b036c0ace414bab77a768f8428389b9 |
| SHA512 | 772edc5064f4799913931af5ffbad455437565b0c0fda09678a5ef49b7ee5a362679d002f01cd62f5706935bdac4f6700743fa65005a775035ee2203c7083804 |
memory/1436-144-0x0000000074A20000-0x0000000074FCB000-memory.dmp
memory/1436-145-0x0000000000AF0000-0x0000000000B30000-memory.dmp
memory/1436-153-0x0000000074A20000-0x0000000074FCB000-memory.dmp
memory/2760-152-0x0000000074A20000-0x0000000074FCB000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61
| MD5 | f94e28382769d415b19897603ea3361f |
| SHA1 | 2984ad1b53114338ecc06224ab6baa94e5c76599 |
| SHA256 | f4f55b39b79ab27a5a2ecd449e6f9f08ab477953f472ecbd0408db0106f0fa75 |
| SHA512 | e69d29d847a8072e2b6fcf1f2bd08123e413d124d86d1ae5e1fc15a1daf297a17694b6135b9873ba2a312f2ecb894886eafa04f0493bbaa13418d37f37009203 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61
| MD5 | 24204ce0f478962bedf642ad1b022a89 |
| SHA1 | 5f1e782917bf1aae6e95a3d5e5b5a1dbbb2f89e0 |
| SHA256 | 913528ca1c4abc153193ee5d77b165ad7d97e0f14437577a88139bbea944a373 |
| SHA512 | 0184613210acc8e6196455f7c0284e09ad4689143a51ba31c997e0b35f56f35e3d11974975822dea1894c464b2b521698cd06c7186528fa69bbc6df1505f75fb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf3b8c182936fbdab91f913624eb54e7 |
| SHA1 | 83623187536b59625257f4743753217ba4dda6a2 |
| SHA256 | dd0e963ef67cfd9d1bcdc53ca9ba7c4e4a2a481397a4df25778924dfdb3ef8d6 |
| SHA512 | f0519a89bf1e8611c24d57eac4babe9f7fedb9909c6a728e10aab819702e0b2b184122f1c38b62235891c3a2c64ddf571e4e49c02120a2cca124fd75f50da9f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B
| MD5 | 03718b4f76836714c039bc0ef579d42e |
| SHA1 | b6a093de2e89f5b5c0e4617b8fa44cf0947bd6f2 |
| SHA256 | e8f768349130882ab9851a702e3441db353cec11b354fb6efe6201a0aa2e32af |
| SHA512 | 7822026118c469161b454bbd251df6859720c175257340ee623b7731463bc7ef65c16c8cac2318fcd66aa704caa00de835044e85106fc6a13ee923619a0c3594 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B
| MD5 | 277cf209fb5f0d09259d6a7fce4a97d5 |
| SHA1 | 896ce26db26cf2dbbd6ea86d5bb3fd3177bfec4b |
| SHA256 | 7fd070228e8d4233407287f96f35e3ff989463cd0fcb072a6bdc031641dcedce |
| SHA512 | 4aefbe5382c558bb8497c899c86937a31fbc845d5cf80e210b8ef2bf4571b18a16de06773ee7860a73fa438d244cd5579984877d870ca9965b773a5e2998a635 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9
| MD5 | a3419139df49bd8ff83952346e5578b0 |
| SHA1 | f9ac7ced2968b72633f3d2b73e3e5c6d6ea32428 |
| SHA256 | 2afa6988cdd89607285dafdcf6838fe68a0da55b63817aaac44b5de82deb89e8 |
| SHA512 | 10cf356f689018604a44afba4caddbd7e8edca448dcfc05fb7791537c2c014e4288f994c6731bd1da16149574bb79041fd6d250308aa5a2b9111ede8437d6665 |
memory/1436-164-0x0000000074A20000-0x0000000074FCB000-memory.dmp
memory/1436-165-0x0000000000AF0000-0x0000000000B30000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:40
Platform
win7-20230831-en
Max time kernel
183s
Max time network
202s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.exe | C:\Users\Admin\AppData\Local\Temp\c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.exe | C:\Users\Admin\AppData\Local\Temp\c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2700 set thread context of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106.exe
"C:\Users\Admin\AppData\Local\Temp\c05e67fce14e993249debb8eb7dead8c04a6057f0f15c23dcee71ce08b3a8106.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 808080.ml | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74002079\bthd.com | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\74002079\\bthd.com C:\\Users\\Admin\\AppData\\Local\\Temp\\74002079\\ELFRWR~1.XSB" | C:\Users\Admin\AppData\Local\Temp\74002079\bthd.com | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1460 set thread context of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\74002079\bthd.com | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd5034dcb25f245382e610ded811f03d85dadeab0865aebb048fdec9a575e93c.exe
"C:\Users\Admin\AppData\Local\Temp\dd5034dcb25f245382e610ded811f03d85dadeab0865aebb048fdec9a575e93c.exe"
C:\Users\Admin\AppData\Local\Temp\74002079\bthd.com
"C:\Users\Admin\AppData\Local\Temp\74002079\bthd.com" elfrwrftt.xsb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | linkadrum.nl | udp |
| GB | 185.140.53.144:5552 | linkadrum.nl | tcp |
| GB | 185.140.53.144:5552 | linkadrum.nl | tcp |
| US | 8.8.8.8:53 | linkadrum.nl | udp |
| GB | 185.140.53.144:5552 | linkadrum.nl | tcp |
| GB | 185.140.53.144:5552 | linkadrum.nl | tcp |
| US | 8.8.8.8:53 | linkadrum.nl | udp |
| GB | 185.140.53.144:5552 | linkadrum.nl | tcp |
| GB | 185.140.53.144:5552 | linkadrum.nl | tcp |
Files
\Users\Admin\AppData\Local\Temp\74002079\bthd.com
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\Users\Admin\AppData\Local\Temp\74002079\bthd.com
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\Users\Admin\AppData\Local\Temp\74002079\elfrwrftt.xsb
| MD5 | bbbb523cb14ac114a6d0526aa4194a7a |
| SHA1 | de23da47070e2fab7e106506a21b3affd198697c |
| SHA256 | 1b7d9f60376a4f6ee779f3185db1c2b24883646a05fe92b5769e90fee2e72619 |
| SHA512 | adafedea7499fc01ad56577717bbfcfbdeccc6532418a3c6ae152cfb1119ddd67258b31dbc1cfc3e59df9b405048fbc13d099810970b6aa87db5e61d9af16ce4 |
C:\Users\Admin\AppData\Local\Temp\74002079\rfqgsfnt.txt
| MD5 | 2f1cfc88b13882b00b1095b110f4d935 |
| SHA1 | e17a21c3f680e80cc2e5446c05975f4f568c8027 |
| SHA256 | 8b39464036939aae71f1d241950b352f417f678e0e54d9e590de07582dddf93a |
| SHA512 | 1cc26d239d88c6b2bec32ae792132e5e698f568aa790c723b4af3eb2ba526968bb4bf853b2a3b06f429041b060b1fc75cc7c07cbfe439900930fd9394f26c5ae |
Analysis: behavioral20
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:40
Platform
win7-20230831-en
Max time kernel
180s
Max time network
141s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2f6d138161c7b1e5b6fd8e205c417d59.exe | C:\Users\Admin\AppData\Local\Temp\google.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2f6d138161c7b1e5b6fd8e205c417d59.exe | C:\Users\Admin\AppData\Local\Temp\google.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\google.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024.exe
"C:\Users\Admin\AppData\Local\Temp\de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024.exe"
C:\Users\Admin\AppData\Local\Temp\google.exe
"C:\Users\Admin\AppData\Local\Temp\google.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\google.exe" "google.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | new4love.myftp.biz | udp |
Files
\Users\Admin\AppData\Local\Temp\google.exe
| MD5 | 700c0c3cb81bc180b2a5157b183c1664 |
| SHA1 | 170914b526bb391b3b00d502ea4ba2e78038ae79 |
| SHA256 | de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024 |
| SHA512 | 6d149a9e0060de6da1309de21352f56c71ffbaf9b9599df52b26b5f9b75b0fad260fc517a68f19eb99d946e649623370d85bf10c4b3bf1e4c0d6e2a97580b861 |
C:\Users\Admin\AppData\Local\Temp\google.exe
| MD5 | 700c0c3cb81bc180b2a5157b183c1664 |
| SHA1 | 170914b526bb391b3b00d502ea4ba2e78038ae79 |
| SHA256 | de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024 |
| SHA512 | 6d149a9e0060de6da1309de21352f56c71ffbaf9b9599df52b26b5f9b75b0fad260fc517a68f19eb99d946e649623370d85bf10c4b3bf1e4c0d6e2a97580b861 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2f6d138161c7b1e5b6fd8e205c417d59.exe
| MD5 | 700c0c3cb81bc180b2a5157b183c1664 |
| SHA1 | 170914b526bb391b3b00d502ea4ba2e78038ae79 |
| SHA256 | de73100c81c41d50dbc77ed2e78fcd84b7c74ef3ade339687ae23727ca3ec024 |
| SHA512 | 6d149a9e0060de6da1309de21352f56c71ffbaf9b9599df52b26b5f9b75b0fad260fc517a68f19eb99d946e649623370d85bf10c4b3bf1e4c0d6e2a97580b861 |
memory/2672-16-0x0000000074B70000-0x000000007525E000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
150s
Max time network
132s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716.exe
"C:\Users\Admin\AppData\Local\Temp\e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zio-123.no-ip.biz | udp |
Files
memory/2896-0-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2896-2-0x0000000000BD0000-0x0000000000C10000-memory.dmp
memory/2896-1-0x00000000741D0000-0x000000007477B000-memory.dmp
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 0d40af16eec3e4b461fee10897ce7793 |
| SHA1 | 6aded66dabd7e5b7d787892d0b1d1975cd9ee2ec |
| SHA256 | e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716 |
| SHA512 | 3efb11616472ceb24e1032c295ab1deca5a8317d12f45bea2381bca20c74a832d5a99319e0720c09548def4227dc4f16f2b1ca3370524d60a1b9c3ca1e4c6173 |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 0d40af16eec3e4b461fee10897ce7793 |
| SHA1 | 6aded66dabd7e5b7d787892d0b1d1975cd9ee2ec |
| SHA256 | e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716 |
| SHA512 | 3efb11616472ceb24e1032c295ab1deca5a8317d12f45bea2381bca20c74a832d5a99319e0720c09548def4227dc4f16f2b1ca3370524d60a1b9c3ca1e4c6173 |
memory/2632-11-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2896-10-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2632-12-0x0000000000220000-0x0000000000260000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
| MD5 | 0d40af16eec3e4b461fee10897ce7793 |
| SHA1 | 6aded66dabd7e5b7d787892d0b1d1975cd9ee2ec |
| SHA256 | e4b7ed427f4d70783e2ec5e482778d412688dedea09c9b2dc72ae92f83ad4716 |
| SHA512 | 3efb11616472ceb24e1032c295ab1deca5a8317d12f45bea2381bca20c74a832d5a99319e0720c09548def4227dc4f16f2b1ca3370524d60a1b9c3ca1e4c6173 |
memory/2632-14-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2632-15-0x00000000741D0000-0x000000007477B000-memory.dmp
memory/2632-16-0x0000000000220000-0x0000000000260000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows 10 Update = "C:\\Users\\Admin\\AppData\\Roaming\\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe" | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1744 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe |
| PID 1624 set thread context of 2452 | N/A | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe |
Enumerates system info in registry
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe
"C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe"
C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe
"C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe"
C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe
"C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe"
C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
"C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c bfsvc.exe "true" "true" "true" "true"
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
bfsvc.exe "true" "true" "true" "true"
C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe
"C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe" C:\Users\Admin\AppData\Local\Temp\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe
C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe
"C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 8440
C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
"C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c bfsvc.exe "true" "true" "true" "true"
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
bfsvc.exe "true" "true" "true" "true"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | puu.sh | udp |
| US | 162.243.129.169:80 | puu.sh | tcp |
| US | 162.243.129.169:443 | puu.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.68:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 162.243.129.169:80 | puu.sh | tcp |
| US | 162.243.129.169:443 | puu.sh | tcp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
| MD5 | 0d282d4eb8db6d5152b4e5fd3e2064b5 |
| SHA1 | 72cec747647d5d0f6ef2e5ddb34f1db68fc183e5 |
| SHA256 | 8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061 |
| SHA512 | 16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72 |
C:\Users\Admin\AppData\Local\Temp\HQUHlwGxWA.exe
| MD5 | 0d282d4eb8db6d5152b4e5fd3e2064b5 |
| SHA1 | 72cec747647d5d0f6ef2e5ddb34f1db68fc183e5 |
| SHA256 | 8663bef0304a937fe47af465c03b8930a5db2dad39bf4dd1cc6baa64cc272061 |
| SHA512 | 16b2551711afa27baf9aa95d37c2d1b0689c32930ca5a4c7fabe66ea05513f460c58b36fdb96efb26963f10cdc518934dd3f5b623d424a2f299cc47d150f1e72 |
memory/1712-24-0x0000000010390000-0x0000000010398000-memory.dmp
memory/1712-26-0x0000000000340000-0x0000000000348000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WebCam_Capture.dll
| MD5 | 94306f6cf69f7e7c0b4f10ea499f73dd |
| SHA1 | 3228b4c2ca9109aa86f2810afc3d528947501c92 |
| SHA256 | ed937977d846c19ea5a721c8f720dafc4c697c2b136c17d66d7b6a4200090a7e |
| SHA512 | d6c19775a96dedbd40be96d5b3aa3fb0db3d52749e0d54667b38a2f677c94b630ab543457708a1c123776ec473e9f40f18eb4080703ee9adf08110c417dea136 |
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
| MD5 | 7bfcf811a47c0ca77ee2c95333f0476e |
| SHA1 | f3580c33ae27018d627ea12ffc41fb925367524f |
| SHA256 | f740df4d3a6c0b378116b48c1ed18a36e82938cf7dcaaba58f0ba8101f3e3531 |
| SHA512 | 4386eb26bad23945ac7fe71a226a8f6a5a261f7e704e2389b360ad6f0864460137fbf95bc51abb3e90beb8328d4e854d7b5b0f04383a5460cc6dea5f28529c3b |
\Users\Admin\AppData\Local\Temp\bfsvc.exe
| MD5 | 7bfcf811a47c0ca77ee2c95333f0476e |
| SHA1 | f3580c33ae27018d627ea12ffc41fb925367524f |
| SHA256 | f740df4d3a6c0b378116b48c1ed18a36e82938cf7dcaaba58f0ba8101f3e3531 |
| SHA512 | 4386eb26bad23945ac7fe71a226a8f6a5a261f7e704e2389b360ad6f0864460137fbf95bc51abb3e90beb8328d4e854d7b5b0f04383a5460cc6dea5f28529c3b |
memory/2164-41-0x0000000001030000-0x0000000001038000-memory.dmp
memory/2164-42-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/2164-43-0x00000000003E0000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab6CC9.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar6D68.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 77f7dcb55ae638c939079940adf932d8 |
| SHA1 | 46975420fdd99990a054c21b11bb4c9e9a03d2a5 |
| SHA256 | 1ebd792c376a0ab1953f5a520c2a33b35fc6aeecd495467e36ce71b5d7f996cc |
| SHA512 | 9f2b53486c56bcbc54ece3ccc2bae708bd9ba938fb6e017beac7c372c5a4ac7e5dc37f3c3865afffc38ed7b8c069260fbe8296181d7d41b0128d6a754c831c62 |
memory/2164-105-0x0000000074420000-0x0000000074B0E000-memory.dmp
C:\Users\Admin\AppData\Roaming\f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b.exe
| MD5 | a086f197a46fe757785c767048f2d9f3 |
| SHA1 | 62100a3d908db60faf193caf24515e0fcf5f625e |
| SHA256 | f82be76715904271476b96c75a5b9adb1b18cf529e5c6d13717083294875252b |
| SHA512 | 1aa399f46bb9212d72adf75c17bb7df436b6d6cd0bfb83d9f08927e9ad21f48b7bfb30682c4021ac1fc3f547fbe9fdb4a9488f981ad9a06255849399ba87ae15 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18066a882cb3dc38c573c405368972df |
| SHA1 | 06a3f227f27b4341af1f6151569a5f79f1df7668 |
| SHA256 | e269db39f292015ff67009392d34fa9c0fff2330399b5b6a2fad5166c27b6bf5 |
| SHA512 | 59b8c20b4816dcd0feaf69ad93d6edd50d17676f0fc7261e329f58df3cba5224a8ce44e0fd44c81edc67bb5a0b72f9f0f8099ae468d76011b5c86d6141922e35 |
memory/1488-165-0x0000000074420000-0x0000000074B0E000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
122s
Max time network
130s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1648 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25.exe
"C:\Users\Admin\AppData\Local\Temp\dea47b5e48829026f154e9548c556b97aca6a986162a5c1bec7f44b750df4b25.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1436
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab4DF3.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar4E15.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/1648-37-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1648-38-0x00000000049B0000-0x00000000049F0000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
152s
Max time network
132s
Command Line
Signatures
njRAT/Bladabindi
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe
"C:\Users\Admin\AppData\Local\Temp\ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wolfdiana2017.ddns.net | udp |
Files
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | b34fc356387febf6a41b22b6845a0913 |
| SHA1 | 6c0514a134e8f6fa4bf3d709ded7b9feae7aa9f6 |
| SHA256 | ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0 |
| SHA512 | a32efac4708b746e2a7d4aa84211be9ed73da90caefdce7948c749f8ebd3b46f44b3d5ef4f9f3225302853e9ce7047c3fd8caaf598029cccedcd900e7d02469f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe
| MD5 | b34fc356387febf6a41b22b6845a0913 |
| SHA1 | 6c0514a134e8f6fa4bf3d709ded7b9feae7aa9f6 |
| SHA256 | ec3461092c6ae25962e3480397f9b9c4240cda862dc66085b412561657c48cd0 |
| SHA512 | a32efac4708b746e2a7d4aa84211be9ed73da90caefdce7948c749f8ebd3b46f44b3d5ef4f9f3225302853e9ce7047c3fd8caaf598029cccedcd900e7d02469f |
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
122s
Max time network
134s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2352 wrote to memory of 2904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b02c56d29447690cdafd8f2f6877d526d1f6efcaae74017719c460d9b3ee38b8.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b02c56d29447690cdafd8f2f6877d526d1f6efcaae74017719c460d9b3ee38b8.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
118s
Max time network
130s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\c0a9e9fd6ab4965981c06e373ea6d75b1d6e31ad8041f9657b9c6fb895ef883d.exe
"C:\Users\Admin\AppData\Local\Temp\c0a9e9fd6ab4965981c06e373ea6d75b1d6e31ad8041f9657b9c6fb895ef883d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.qachi.ir | udp |
| IR | 185.81.97.178:80 | www.qachi.ir | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-09-07 19:36
Reported
2023-09-07 19:39
Platform
win7-20230831-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8.exe
"C:\Users\Admin\AppData\Local\Temp\d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ss15md.no-ip.info | udp |
Files
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 1c29c38b0799dd67080c657ec1b9fc3b |
| SHA1 | 6517029f4bfbf6f55aa6b34f51447d37ef38c4af |
| SHA256 | d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8 |
| SHA512 | 07fa0227dd2f4b107524b595845d9adadd56571967503638618a3e8d914d684c06a463ec77bc043027aa13c8fe5a584df3a35f9d1dd9badbefdcbd4d6ed196b2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
| MD5 | 1c29c38b0799dd67080c657ec1b9fc3b |
| SHA1 | 6517029f4bfbf6f55aa6b34f51447d37ef38c4af |
| SHA256 | d70f8173a43eee427661e3122bf4c43dec1226588fc32f357d15852dec7145f8 |
| SHA512 | 07fa0227dd2f4b107524b595845d9adadd56571967503638618a3e8d914d684c06a463ec77bc043027aa13c8fe5a584df3a35f9d1dd9badbefdcbd4d6ed196b2 |
memory/2116-14-0x0000000074520000-0x0000000074ACB000-memory.dmp
memory/2116-15-0x0000000074520000-0x0000000074ACB000-memory.dmp