Malware Analysis Report

2024-10-16 05:11

Sample ID: 231011-kcd2csdc54
Target: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
SHA256: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
Tags: ammyyadmin phobos rhadamanthys smokeloader backdoor collection evasion persistence ransomware rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

Threat Level: Known bad

The file 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe was found to be: Known bad.

Malicious Activity Summary

ammyyadmin phobos rhadamanthys smokeloader backdoor collection evasion persistence ransomware rat stealer trojan

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect rhadamanthys stealer shellcode

Phobos

AmmyyAdmin payload

Rhadamanthys

Ammyy Admin

Deletes shadow copies

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Deletes itself

Drops startup file

Adds Run key to start application

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Interacts with shadow copies

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 08:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 08:27

Reported

2023-10-11 12:05

Platform

win7-20230831-en

Max time kernel

102s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detect rhadamanthys stealer shellcode

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1964 created 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\certreq.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ED1D.exe | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ED1D = "C:\\Users\\Admin\\AppData\\Local\\ED1D.exe" | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\ED1D = "C:\\Users\\Admin\\AppData\\Local\\ED1D.exe" | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3185155662-718608226-894467740-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | N/A
N/A | N/A | C:\Windows\system32\certreq.exe | N/A
N/A | N/A | C:\Windows\system32\certreq.exe | N/A
N/A | N/A | C:\Windows\system32\certreq.exe | N/A
N/A | N/A | C:\Windows\system32\certreq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ED1D.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2208 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
PID 2208 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
PID 2208 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
PID 2208 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
PID 2208 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
PID 2208 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
PID 2208 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
PID 2208 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
PID 2208 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
PID 1964 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Windows\system32\certreq.exe
PID 1964 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Windows\system32\certreq.exe
PID 1964 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Windows\system32\certreq.exe
PID 1964 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Windows\system32\certreq.exe
PID 1964 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Windows\system32\certreq.exe
PID 1964 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe | C:\Windows\system32\certreq.exe
PID 2016 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2016 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2016 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2016 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2016 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2016 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2016 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2016 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2016 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2980 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2016 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2980 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2016 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe | C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
PID 2980 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
PID 2980 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe | C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A

Processes

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
"C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe"

C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe
C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
"C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe"

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
"C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe"

C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe
C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe
C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe

C:\Users\Admin\AppData\Local\Temp\ED1D.exe
C:\Users\Admin\AppData\Local\Temp\ED1D.exe

C:\Users\Admin\AppData\Local\Temp\EEA4.exe
C:\Users\Admin\AppData\Local\Temp\EEA4.exe

C:\Users\Admin\AppData\Local\Temp\ED1D.exe
C:\Users\Admin\AppData\Local\Temp\ED1D.exe

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\ED1D.exe
"C:\Users\Admin\AppData\Local\Temp\ED1D.exe"

C:\Users\Admin\AppData\Local\Temp\ED1D.exe
C:\Users\Admin\AppData\Local\Temp\ED1D.exe

C:\Users\Admin\AppData\Local\Temp\ED1D.exe
C:\Users\Admin\AppData\Local\Temp\ED1D.exe

C:\Windows\explorer.exe
C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"

C:\Windows\explorer.exe
C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off

C:\Windows\explorer.exe
C:\Windows\explorer.exe

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable

C:\Users\Admin\AppData\Local\Temp\5DC9.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\5DC9.tmp\svchost.exe -debug

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | amxt25.xyz | udp
DE | 45.131.66.61:80 | amxt25.xyz | tcp
DE | 45.131.66.61:80 | amxt25.xyz | tcp
DE | 45.131.66.61:80 | amxt25.xyz | tcp
US | 8.8.8.8:53 | servermlogs27.xyz | udp
DE | 45.131.66.120:80 | servermlogs27.xyz | tcp
US | 8.8.8.8:53 | xemtex534.xyz | udp
DE | 45.131.66.222:80 | xemtex534.xyz | tcp
US | 8.8.8.8:53 | files.catbox.moe | udp
CA | 108.181.20.35:443 | files.catbox.moe | tcp
CA | 108.181.20.35:443 | files.catbox.moe | tcp
US | 8.8.8.8:53 | shorturl.at | udp
US | 172.67.69.88:443 | shorturl.at | tcp
US | 172.67.69.88:443 | shorturl.at | tcp
US | 172.67.69.88:443 | shorturl.at | tcp
US | 172.67.69.88:443 | shorturl.at | tcp
DE | 45.131.66.120:80 | servermlogs27.xyz | tcp

Files

memory/2208-0-0x0000000074560000-0x0000000074C4E000-memory.dmp

memory/2208-1-0x0000000000A50000-0x0000000000C36000-memory.dmp

memory/2208-2-0x0000000002180000-0x00000000021F8000-memory.dmp

memory/2208-3-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/2208-4-0x0000000002200000-0x0000000002268000-memory.dmp

memory/2208-5-0x0000000000A00000-0x0000000000A4C000-memory.dmp

memory/1964-6-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1964-7-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1964-8-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1964-9-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1964-13-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1964-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2208-15-0x0000000074560000-0x0000000074C4E000-memory.dmp

memory/1964-16-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1964-17-0x0000000000240000-0x0000000000247000-memory.dmp

memory/1964-18-0x0000000002360000-0x0000000002760000-memory.dmp

memory/1964-20-0x0000000002360000-0x0000000002760000-memory.dmp

memory/1964-19-0x0000000002360000-0x0000000002760000-memory.dmp

memory/1964-21-0x0000000002360000-0x0000000002760000-memory.dmp

memory/2632-22-0x0000000000060000-0x0000000000063000-memory.dmp

memory/1964-23-0x0000000002360000-0x0000000002760000-memory.dmp

memory/1964-24-0x0000000002360000-0x0000000002760000-memory.dmp

memory/1964-25-0x00000000002C0000-0x00000000002F6000-memory.dmp

memory/1964-32-0x0000000002360000-0x0000000002760000-memory.dmp

memory/1964-31-0x00000000002C0000-0x00000000002F6000-memory.dmp

memory/1964-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2632-34-0x0000000000060000-0x0000000000063000-memory.dmp

memory/2632-35-0x0000000000130000-0x0000000000137000-memory.dmp

memory/2632-37-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-36-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-42-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-40-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-44-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-47-0x0000000077680000-0x0000000077829000-memory.dmp

memory/2632-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-50-0x0000000077680000-0x0000000077829000-memory.dmp

memory/2632-51-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2632-53-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe

MD5 023da58780b8e74b5638ceb76c83ce0b
SHA1 21798a0c38ffb09c8b84e08eeb562698168e2654
SHA256 817006157c9c9f0ff6dc99bcbe24c34d12777938e5841955fe8444edb3cb5a01
SHA512 b5ef4eeba466b6f14a9e95b1bb484856fcae007130f11596e857c69a2bc7e7f6498ef619bb7523adb21e0ebd855e37e92d89c5b4012424fcf6aa42f0ddb6fb02

memory/2016-59-0x0000000073630000-0x0000000073D1E000-memory.dmp

memory/2016-57-0x00000000008B0000-0x000000000091C000-memory.dmp

memory/2016-60-0x0000000000670000-0x00000000006B4000-memory.dmp

memory/2016-61-0x00000000020C0000-0x0000000002100000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\RM89yD.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

memory/2980-64-0x0000000001310000-0x0000000001350000-memory.dmp

memory/2016-66-0x0000000000600000-0x0000000000632000-memory.dmp

memory/2980-67-0x0000000073630000-0x0000000073D1E000-memory.dmp

memory/2980-68-0x00000000006B0000-0x00000000006DC000-memory.dmp

memory/2980-65-0x00000000004D0000-0x000000000050E000-memory.dmp

memory/2980-69-0x00000000009F0000-0x0000000000A30000-memory.dmp

memory/1276-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\gk866yx~b`.exe

MD5 023da58780b8e74b5638ceb76c83ce0b
SHA1 21798a0c38ffb09c8b84e08eeb562698168e2654
SHA256 817006157c9c9f0ff6dc99bcbe24c34d12777938e5841955fe8444edb3cb5a01
SHA512 b5ef4eeba466b6f14a9e95b1bb484856fcae007130f11596e857c69a2bc7e7f6498ef619bb7523adb21e0ebd855e37e92d89c5b4012424fcf6aa42f0ddb6fb02

memory/2980-91-0x0000000073630000-0x0000000073D1E000-memory.dmp

memory/2016-87-0x0000000073630000-0x0000000073D1E000-memory.dmp

memory/1276-86-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1276-81-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1276-73-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1276-71-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2632-92-0x0000000000130000-0x0000000000132000-memory.dmp

memory/2632-93-0x0000000077680000-0x0000000077829000-memory.dmp

memory/1276-95-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1348-94-0x00000000026C0000-0x00000000026D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED1D.exe

MD5 364c08d05c35eff9c5a96e40959b1193
SHA1 f25408e1eb5f28e7c81534616e0889dcb1cf690a
SHA256 03266d9d249608b995c60addea4e46ceff45ce2afaa60f433110bbc3973a188d
SHA512 9050d609ab5044c7c62efe8bc821681764affebe88a59b114813c279e6f9cf83c490a72aa12c72fb0672b04c63c17e67e7e125c0660af2a14aa0f07fd42db4ba

memory/1596-110-0x0000000074560000-0x0000000074C4E000-memory.dmp

memory/1596-109-0x00000000009E0000-0x0000000000A50000-memory.dmp

memory/1596-113-0x0000000000990000-0x00000000009D6000-memory.dmp

memory/1472-117-0x0000000001090000-0x000000000110C000-memory.dmp

memory/1472-119-0x0000000074560000-0x0000000074C4E000-memory.dmp

memory/1596-118-0x0000000001FE0000-0x0000000002014000-memory.dmp

memory/1596-120-0x0000000002340000-0x0000000002380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEA4.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

\Users\Admin\AppData\Local\Temp\ED1D.exe

MD5 364c08d05c35eff9c5a96e40959b1193
SHA1 f25408e1eb5f28e7c81534616e0889dcb1cf690a
SHA256 03266d9d249608b995c60addea4e46ceff45ce2afaa60f433110bbc3973a188d
SHA512 9050d609ab5044c7c62efe8bc821681764affebe88a59b114813c279e6f9cf83c490a72aa12c72fb0672b04c63c17e67e7e125c0660af2a14aa0f07fd42db4ba

memory/936-123-0x0000000000400000-0x0000000000413000-memory.dmp

memory/936-125-0x0000000000400000-0x0000000000413000-memory.dmp

memory/936-135-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1596-140-0x0000000074560000-0x0000000074C4E000-memory.dmp

memory/936-141-0x0000000000400000-0x0000000000413000-memory.dmp

memory/936-137-0x0000000000400000-0x0000000000413000-memory.dmp

memory/936-133-0x0000000000400000-0x0000000000413000-memory.dmp

memory/936-131-0x0000000000400000-0x0000000000413000-memory.dmp

memory/936-129-0x0000000000400000-0x0000000000413000-memory.dmp

memory/936-127-0x0000000000400000-0x0000000000413000-memory.dmp

memory/396-143-0x0000000074560000-0x0000000074C4E000-memory.dmp

memory/396-144-0x0000000004B00000-0x0000000004B40000-memory.dmp

memory/396-159-0x0000000074560000-0x0000000074C4E000-memory.dmp

memory/1692-161-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1472-163-0x0000000074560000-0x0000000074C4E000-memory.dmp

memory/1172-164-0x0000000000060000-0x000000000006C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ED1D.exe

MD5 364c08d05c35eff9c5a96e40959b1193
SHA1 f25408e1eb5f28e7c81534616e0889dcb1cf690a
SHA256 03266d9d249608b995c60addea4e46ceff45ce2afaa60f433110bbc3973a188d
SHA512 9050d609ab5044c7c62efe8bc821681764affebe88a59b114813c279e6f9cf83c490a72aa12c72fb0672b04c63c17e67e7e125c0660af2a14aa0f07fd42db4ba

memory/936-185-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1640-189-0x0000000004B00000-0x0000000004B40000-memory.dmp

memory/1640-191-0x0000000000060000-0x000000000006F000-memory.dmp

memory/1452-207-0x0000000000060000-0x000000000006F000-memory.dmp

memory/1452-208-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1472-209-0x00000000003B0000-0x00000000003F0000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[A884AB88-3483].[[email protected]].8base

MD5 f7819e2e96817cdcbeee9b2d5e2ea5ad
SHA1 babf23f14a313ce2004127d6b01bb6364e1a6759
SHA256 63eb23f22522ac558f651f5ec5398b6a938e1d8c39a13b5adb05a37b3d1ce264
SHA512 cacfaab5dcca1cfcace4daf6576e33ca8a7198508267b27cf068ad2a23cd8ead6c49792f8c5f0bba50b2e38b7e025c474d5241ebaba31b0832b9b0436565e989
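
The MSOCache entry above is the one encrypted file the sandbox recorded, renamed with the Phobos-family scheme `<original>.id[<victim id>-<build id>].[<contact>].<extension>` (here the 8base variant; the contact between the second pair of brackets is redacted as `[email protected]` by the page's extraction and is left as-is). The parser below is an added example written for this page, not tooling from the sandbox or from the malware. It splits such names into their fields and collects the victim/build IDs from a file listing; the sample paths other than the report's own entry are constructed, and the `helpdesk@example.invalid` contact in them is a placeholder.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Phobos-family ransomware (here the 8base variant) renames every encrypted
# file as  <original>.id[<victim id>-<build id>].[<contact>].<extension>
# This parser is an added illustration for this page, not tooling from the
# sandbox that produced the report.
PHOBOS_NAME = re.compile(
    r"""^(?P<original>.+?)                                  # original name, lazy
        \.id\[(?P<victim>[0-9A-Fa-f]{8})-(?P<build>[0-9A-Fa-f]{4})\]
        \.\[(?P<contact>.+)\]                               # greedy: keeps inner []
        \.(?P<ext>[A-Za-z0-9]+)$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class PhobosName:
    original: str    # file name before encryption
    victim_id: str   # 8 hex digits, constant across one infected host's files
    build_id: str    # 4 hex digits, conventionally read as the affiliate/campaign number
    contact: str     # attacker contact exactly as written in the name
    extension: str   # e.g. "8base"


def parse_phobos_name(name: str) -> Optional[PhobosName]:
    """Parse one file name; return None if it does not follow the scheme."""
    m = PHOBOS_NAME.match(name)
    if m is None:
        return None
    return PhobosName(m["original"], m["victim"].upper(), m["build"].upper(),
                      m["contact"], m["ext"])


def encrypted_files(paths: Iterable[str]) -> Iterator[Tuple[str, PhobosName]]:
    """Yield (path, parsed) for every path whose last component matches.
    ntpath is used so Windows paths split correctly on any host OS."""
    for p in paths:
        parsed = parse_phobos_name(ntpath.basename(p))
        if parsed is not None:
            yield p, parsed


def victim_ids(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Distinct (victim, build) IDs in a listing; more than one pair means the
    listing mixes files from more than one infection."""
    return sorted({(x.victim_id, x.build_id) for _, x in encrypted_files(paths)})


# Constructed sample listing. The first entry is the path recorded in this
# report (its contact is redacted as "[email protected]" by the page's own
# extraction); the other two are made-up names to exercise the parser.
SAMPLE_PATHS = [
    r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[A884AB88-3483].[[email protected]].8base",
    r"C:\Users\Admin\Documents\budget.xlsx.id[A884AB88-3483].[helpdesk@example.invalid].8base",
    r"C:\Users\Admin\Desktop\notes.txt",
]

if __name__ == "__main__":
    for path, parsed in encrypted_files(SAMPLE_PATHS):
        print(parsed.original, parsed.victim_id, parsed.build_id, parsed.contact, parsed.extension)
    print(victim_ids(SAMPLE_PATHS))
```

The original-name group is matched lazily and the contact group greedily on purpose: the original name may itself contain dots, and the contact may contain brackets (as the redacted entry in this report does), so the `.id[` marker and the final `].<ext>` are the only reliable delimiters.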

memory/2868-220-0x0000000000090000-0x0000000000094000-memory.dmp

memory/2556-228-0x00000000000E0000-0x00000000000E9000-memory.dmp

memory/2868-229-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1748-230-0x00000000003C0000-0x000000000042B000-memory.dmp

memory/1756-234-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1676-240-0x00000000003C0000-0x000000000042B000-memory.dmp

memory/2528-241-0x0000000000080000-0x00000000000A7000-memory.dmp

memory/1688-247-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1752-248-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1676-245-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1752-251-0x0000000000080000-0x000000000008B000-memory.dmp

\Users\Admin\AppData\Local\Temp\5DC9.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\Temp\5DC9.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 08:27

Reported

2023-10-11 12:06

Platform

win10v2004-20230915-en

Max time kernel

42s

Max time network

11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe

"C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636_JC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
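
The five rows above are PTR (reverse-DNS) queries sent to 8.8.8.8, not connections to the hosts they name, and in-addr.arpa labels are written least-significant octet first, so `126.178.238.8.in-addr.arpa` asks about 8.238.178.126. The report does not say which process issued them, and this run produced no signatures and no files, so on its own the table does not show the sample reaching out anywhere. The helper below is an added example for this page, not sandbox output: it parses a constructed copy of the rows above and decodes each owner name back into an address (IPv6 ip6.arpa names are handled as well, which goes beyond what the table contains).

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed copy of the behavioral2 Network table (whitespace-separated).
# Added example for this page, not output of the sandbox itself.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
"""


def ptr_name_to_ip(name: str) -> Optional[str]:
    """Map a reverse-DNS owner name (in-addr.arpa or ip6.arpa) back to the
    address it describes. Octets/nibbles are stored least-significant first,
    so they are reversed. Returns None for anything that is not a full name."""
    n = name.rstrip(".").lower()
    if n.endswith(".in-addr.arpa"):
        labels = n[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None  # a zone cut such as 8.8.in-addr.arpa is not an address
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(labels))))
        except ipaddress.AddressValueError:
            return None
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(x) != 1 for x in nibbles):
            return None
        hexdigits = "".join(reversed(nibbles))
        groups = [hexdigits[i:i + 4] for i in range(0, 32, 4)]
        try:
            return str(ipaddress.IPv6Address(":".join(groups)))
        except ipaddress.AddressValueError:
            return None
    return None


def reverse_lookups(table: str) -> List[Dict[str, str]]:
    """Parse the report's Network rows and decode each PTR query name."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue  # skip the header and any malformed line
        country, resolver, qname, proto = parts
        rows.append({
            "country": country,
            "resolver": resolver,
            "qname": qname,
            "proto": proto,
            "ip": ptr_name_to_ip(qname) or "",
        })
    return rows


def resolved_addresses(table: str) -> List[str]:
    """Addresses whose PTR records were requested, in numeric order."""
    ips = {r["ip"] for r in reverse_lookups(table) if r["ip"]}
    return sorted(ips, key=lambda s: (ipaddress.ip_address(s).version,
                                      int(ipaddress.ip_address(s))))


if __name__ == "__main__":
    for r in reverse_lookups(NETWORK_TABLE):
        print(f'{r["qname"]:35} -> {r["ip"] or "(not a reverse name)"}')
    print(resolved_addresses(NETWORK_TABLE))
```

Feed the decoded addresses to whatever ownership or passive-DNS lookup you normally use before drawing conclusions; a PTR query only tells you that something on the guest wanted a name for that address.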

Files

N/A