Analysis Overview
SHA256
fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b
Threat Level: Known bad
The file fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe was found to be: Known bad.
Malicious Activity Summary
FlawedAmmyy RAT
Phobos
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
Detect rhadamanthys stealer shellcode
AmmyyAdmin payload
Ammyy Admin
Rhadamanthys
Deletes shadow copies
Renames multiple (59) files with added filename extension
Downloads MZ/PE file
Modifies Windows Firewall
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops desktop.ini file(s)
Writes to the Master Boot Record (MBR)
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Interacts with shadow copies
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
outlook_win_path
Uses Task Scheduler COM API
Analysis: static1
Detonation Overview
| Reported | 2023-10-12 00:42 |
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-10-12 00:42 |
| Reported | 2023-10-12 23:56 |
| Platform | win7-20230831-en |
| Max time kernel | 151s |
| Max time network | 138s |
Signatures
Ammyy Admin
AmmyyAdmin payload
Detect rhadamanthys stealer shellcode
FlawedAmmyy RAT
Phobos
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2992 created 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe | C:\Windows\Explorer.EXE |
Deletes shadow copies
Renames multiple (59) files with added filename extension
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1E2B.tmp\svchost.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\B07B.exe | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B166.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B07B = "C:\\Users\\Admin\\AppData\\Local\\B07B.exe" | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\B07B = "C:\\Users\\Admin\\AppData\\Local\\B07B.exe" | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3513876443-2771975297-1923446376-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3513876443-2771975297-1923446376-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1E2B.tmp\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1740 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe | C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe |
| PID 2688 set thread context of 1856 | N/A | C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe | C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe |
| PID 1544 set thread context of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\B07B.exe | C:\Users\Admin\AppData\Local\Temp\B07B.exe |
| PID 620 set thread context of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\B07B.exe | C:\Users\Admin\AppData\Local\Temp\B07B.exe |
| PID 2692 set thread context of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\B166.exe | C:\Users\Admin\AppData\Local\Temp\B166.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\msdatl3.dll | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\oledb32.dll | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msadomd28.tlb | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.id[FCF156B7-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\Common.fxh | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\el.txt.id[FCF156B7-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.id[FCF156B7-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe.id[FCF156B7-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe.id[FCF156B7-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\9GB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B166.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B07B.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E2B.tmp\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
| Process | Command line | Instances |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1 |
| C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe | "C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe" | 1 |
| C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe | C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe | 1 |
| C:\Windows\system32\certreq.exe | "C:\Windows\system32\certreq.exe" | 1 |
| C:\Users\Admin\AppData\Local\Microsoft\9GB.exe | "C:\Users\Admin\AppData\Local\Microsoft\9GB.exe" | 1 |
| C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe | "C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe" | 1 |
| C:\Users\Admin\AppData\Local\Microsoft\9GB.exe | C:\Users\Admin\AppData\Local\Microsoft\9GB.exe | 10 |
| C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe | C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe | 1 |
| C:\Users\Admin\AppData\Local\Temp\B07B.exe | C:\Users\Admin\AppData\Local\Temp\B07B.exe | 3 |
| C:\Users\Admin\AppData\Local\Temp\B166.exe | C:\Users\Admin\AppData\Local\Temp\B166.exe | 1 |
| C:\Users\Admin\AppData\Local\Temp\B07B.exe | "C:\Users\Admin\AppData\Local\Temp\B07B.exe" | 1 |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | 10 |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe | 5 |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" | 2 |
| C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off | 1 |
| C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /all /quiet | 1 |
| C:\Users\Admin\AppData\Local\Temp\B166.exe | "C:\Users\Admin\AppData\Local\Temp\B166.exe" | 1 |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | 1 |
| C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=disable | 1 |
| C:\Users\Admin\AppData\Local\Temp\1E2B.tmp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1E2B.tmp\svchost.exe -debug | 1 |
| C:\Windows\SysWOW64\ctfmon.exe | ctfmon.exe | 1 |
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\9GB.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe
| MD5 | e309ba230ef51a9393d53d59fad04e48 |
| SHA1 | 770e1e6e48f92bceb08c77a8e849469dd70adec0 |
| SHA256 | 43877bdeb2e14fc99ba1d35b0fb495209fa44ec97aafcab10f9f82c642a94476 |
| SHA512 | df3bb1fee46f06f10c0d20b6b8d9cde2e535761f14b0a188dfca609089872a0b90f8da1f35e2ba6ac9bf7f863ae49f29982b375bcfdd84a016622018ef11cac7 |
C:\Users\Admin\AppData\Local\Microsoft\9GB.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe
| MD5 | e309ba230ef51a9393d53d59fad04e48 |
| SHA1 | 770e1e6e48f92bceb08c77a8e849469dd70adec0 |
| SHA256 | 43877bdeb2e14fc99ba1d35b0fb495209fa44ec97aafcab10f9f82c642a94476 |
| SHA512 | df3bb1fee46f06f10c0d20b6b8d9cde2e535761f14b0a188dfca609089872a0b90f8da1f35e2ba6ac9bf7f863ae49f29982b375bcfdd84a016622018ef11cac7 |
memory/2688-76-0x0000000000EB0000-0x0000000000F44000-memory.dmp
memory/2972-77-0x0000000073880000-0x0000000073F6E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\9GB.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/2712-78-0x0000000076F80000-0x0000000077129000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\9GB.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/2688-79-0x0000000073880000-0x0000000073F6E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\9GB.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/2688-80-0x00000000003C0000-0x0000000000404000-memory.dmp
memory/2688-82-0x00000000004F0000-0x0000000000522000-memory.dmp
memory/2688-81-0x0000000004810000-0x0000000004850000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\9GB.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/1856-83-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1856-84-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1856-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\D`2D]e.exe
| MD5 | e309ba230ef51a9393d53d59fad04e48 |
| SHA1 | 770e1e6e48f92bceb08c77a8e849469dd70adec0 |
| SHA256 | 43877bdeb2e14fc99ba1d35b0fb495209fa44ec97aafcab10f9f82c642a94476 |
| SHA512 | df3bb1fee46f06f10c0d20b6b8d9cde2e535761f14b0a188dfca609089872a0b90f8da1f35e2ba6ac9bf7f863ae49f29982b375bcfdd84a016622018ef11cac7 |
memory/1856-87-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2688-89-0x0000000073880000-0x0000000073F6E000-memory.dmp
memory/1856-90-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2712-91-0x0000000000120000-0x0000000000122000-memory.dmp
memory/2712-92-0x0000000076F80000-0x0000000077129000-memory.dmp
memory/1856-94-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1288-93-0x00000000025C0000-0x00000000025D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B07B.exe
| MD5 | 584d363e021429371823a54a4e3e99df |
| SHA1 | 0aae921d0d774bc745ba72cb40054509e6f71340 |
| SHA256 | e742f1395238135fdf5ad6399442b362ae7d41a4be43d717027dd99215244e48 |
| SHA512 | 9eebda791ef83468bd816aa0e9b169a854f0f94443323b1bae5aba0fd06646229301f450cc9ad66f76019f2c1436926f84563bec08ccacf72d210fb8287b450b |
memory/1544-108-0x0000000001000000-0x0000000001098000-memory.dmp
memory/1544-110-0x0000000000980000-0x00000000009C6000-memory.dmp
memory/1544-113-0x0000000000A20000-0x0000000000A54000-memory.dmp
memory/1544-112-0x00000000005F0000-0x0000000000630000-memory.dmp
memory/1544-111-0x0000000073F70000-0x000000007465E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B166.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
memory/2692-121-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2692-118-0x0000000001120000-0x000000000119C000-memory.dmp
memory/1064-123-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1064-125-0x0000000000400000-0x0000000000413000-memory.dmp
\Users\Admin\AppData\Local\Temp\B07B.exe
| MD5 | 584d363e021429371823a54a4e3e99df |
| SHA1 | 0aae921d0d774bc745ba72cb40054509e6f71340 |
| SHA256 | e742f1395238135fdf5ad6399442b362ae7d41a4be43d717027dd99215244e48 |
| SHA512 | 9eebda791ef83468bd816aa0e9b169a854f0f94443323b1bae5aba0fd06646229301f450cc9ad66f76019f2c1436926f84563bec08ccacf72d210fb8287b450b |
memory/1064-120-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1064-127-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1064-129-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1064-131-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1064-133-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1064-135-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2692-136-0x00000000055B0000-0x00000000055F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B07B.exe
| MD5 | 584d363e021429371823a54a4e3e99df |
| SHA1 | 0aae921d0d774bc745ba72cb40054509e6f71340 |
| SHA256 | e742f1395238135fdf5ad6399442b362ae7d41a4be43d717027dd99215244e48 |
| SHA512 | 9eebda791ef83468bd816aa0e9b169a854f0f94443323b1bae5aba0fd06646229301f450cc9ad66f76019f2c1436926f84563bec08ccacf72d210fb8287b450b |
memory/1544-139-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/1064-140-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1064-141-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2692-142-0x0000000000850000-0x0000000000892000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B07B.exe
| MD5 | 584d363e021429371823a54a4e3e99df |
| SHA1 | 0aae921d0d774bc745ba72cb40054509e6f71340 |
| SHA256 | e742f1395238135fdf5ad6399442b362ae7d41a4be43d717027dd99215244e48 |
| SHA512 | 9eebda791ef83468bd816aa0e9b169a854f0f94443323b1bae5aba0fd06646229301f450cc9ad66f76019f2c1436926f84563bec08ccacf72d210fb8287b450b |
memory/620-144-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/620-145-0x00000000045C0000-0x0000000004600000-memory.dmp
\Users\Admin\AppData\Local\Temp\B07B.exe
| MD5 | 584d363e021429371823a54a4e3e99df |
| SHA1 | 0aae921d0d774bc745ba72cb40054509e6f71340 |
| SHA256 | e742f1395238135fdf5ad6399442b362ae7d41a4be43d717027dd99215244e48 |
| SHA512 | 9eebda791ef83468bd816aa0e9b169a854f0f94443323b1bae5aba0fd06646229301f450cc9ad66f76019f2c1436926f84563bec08ccacf72d210fb8287b450b |
C:\Users\Admin\AppData\Local\Temp\B07B.exe
| MD5 | 584d363e021429371823a54a4e3e99df |
| SHA1 | 0aae921d0d774bc745ba72cb40054509e6f71340 |
| SHA256 | e742f1395238135fdf5ad6399442b362ae7d41a4be43d717027dd99215244e48 |
| SHA512 | 9eebda791ef83468bd816aa0e9b169a854f0f94443323b1bae5aba0fd06646229301f450cc9ad66f76019f2c1436926f84563bec08ccacf72d210fb8287b450b |
memory/620-158-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/484-160-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1436-162-0x00000000001D0000-0x0000000000245000-memory.dmp
memory/1436-164-0x00000000000C0000-0x000000000012B000-memory.dmp
memory/1436-177-0x00000000000C0000-0x000000000012B000-memory.dmp
memory/1436-178-0x00000000001D0000-0x0000000000245000-memory.dmp
memory/920-181-0x0000000000060000-0x000000000006C000-memory.dmp
memory/920-180-0x0000000000070000-0x0000000000077000-memory.dmp
memory/2692-182-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2372-184-0x00000000000D0000-0x00000000000D4000-memory.dmp
memory/2372-185-0x00000000000C0000-0x00000000000C9000-memory.dmp
memory/1636-188-0x0000000000080000-0x000000000008B000-memory.dmp
memory/1636-187-0x0000000000090000-0x000000000009A000-memory.dmp
memory/2692-189-0x0000000000450000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B07B.exe
| MD5 | 584d363e021429371823a54a4e3e99df |
| SHA1 | 0aae921d0d774bc745ba72cb40054509e6f71340 |
| SHA256 | e742f1395238135fdf5ad6399442b362ae7d41a4be43d717027dd99215244e48 |
| SHA512 | 9eebda791ef83468bd816aa0e9b169a854f0f94443323b1bae5aba0fd06646229301f450cc9ad66f76019f2c1436926f84563bec08ccacf72d210fb8287b450b |
\Users\Admin\AppData\Local\Temp\B166.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.id[FCF156B7-3483].[[email protected]].8base
| MD5 | 1673fefec99cbf28de7581ce0992e9a0 |
| SHA1 | e8522f484030bc1254fd4d02be9b8373ad2b8cbf |
| SHA256 | 4631f844d13cde56cedc11f1908f230086a4f2f53846743f376ef2ae10634316 |
| SHA512 | 3685d885945ff25ae22d3ed012728c7102976e4d4558a3661627d8c6acbb3d5b25486d377bf20be84dd89639ca88e1866ca4053e99309d127d4e18ee1f0f3bd9 |
C:\Users\Admin\AppData\Local\Temp\1E2B.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
\Users\Admin\AppData\Local\Temp\1E2B.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\1E2B.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\B166.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 00:42
Reported
2023-10-12 23:57
Platform
win10v2004-20230915-en
Max time kernel
115s
Max time network
154s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1196 created 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\ZvM0)I3O.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 728 set thread context of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe | C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe"
C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe
C:\Users\Admin\AppData\Local\Temp\fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b_JC.exe
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\ZvM0)I3O.exe
"C:\Users\Admin\AppData\Local\Microsoft\ZvM0)I3O.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amxt25.xyz | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | 61.66.131.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
Files
memory/728-0-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/728-1-0x00000000001E0000-0x0000000000266000-memory.dmp
memory/728-2-0x0000000004D00000-0x0000000004D78000-memory.dmp
memory/728-3-0x0000000004D80000-0x0000000004D90000-memory.dmp
memory/728-4-0x0000000004E90000-0x0000000004EF8000-memory.dmp
memory/728-5-0x0000000004F00000-0x0000000004F4C000-memory.dmp
memory/728-6-0x0000000005550000-0x0000000005AF4000-memory.dmp
memory/1196-7-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1196-10-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1196-11-0x0000000000400000-0x0000000000473000-memory.dmp
memory/728-12-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1196-13-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1196-14-0x0000000000B20000-0x0000000000B27000-memory.dmp
memory/1196-15-0x00000000028C0000-0x0000000002CC0000-memory.dmp
memory/1196-16-0x00000000028C0000-0x0000000002CC0000-memory.dmp
memory/1196-17-0x00000000028C0000-0x0000000002CC0000-memory.dmp
memory/1196-18-0x00000000028C0000-0x0000000002CC0000-memory.dmp
memory/2920-19-0x000001F7C18B0000-0x000001F7C18B3000-memory.dmp
memory/1196-20-0x0000000003600000-0x0000000003636000-memory.dmp
memory/1196-26-0x0000000003600000-0x0000000003636000-memory.dmp
memory/1196-27-0x00000000028C0000-0x0000000002CC0000-memory.dmp
memory/1196-28-0x00000000028C0000-0x0000000002CC0000-memory.dmp
memory/1196-29-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1196-30-0x00000000028C0000-0x0000000002CC0000-memory.dmp
memory/2920-31-0x000001F7C18B0000-0x000001F7C18B3000-memory.dmp
memory/2920-32-0x000001F7C1B10000-0x000001F7C1B17000-memory.dmp
memory/2920-34-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-33-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-35-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-36-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-37-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-41-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-39-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-42-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-43-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-44-0x00007FFFC9B30000-0x00007FFFC9D25000-memory.dmp
memory/2920-45-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-46-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-47-0x00007FFFC9B30000-0x00007FFFC9D25000-memory.dmp
memory/2920-48-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-49-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
memory/2920-50-0x00007FF44A350000-0x00007FF44A47F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\ZvM0)I3O.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/2176-54-0x0000000000BE0000-0x0000000000C20000-memory.dmp
memory/2176-55-0x0000000074840000-0x0000000074FF0000-memory.dmp