Malware Analysis Report

2024-10-23 17:14

Sample ID 231228-x38pwagch9
Target f23000a51a7ac80b39bab71e83c3983a
SHA256 bd7020c913d0170d15354c8e693a4b2469d2332768ef477c702bd1c51e41887c
Tags cryptbot discovery persistence spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256

bd7020c913d0170d15354c8e693a4b2469d2332768ef477c702bd1c51e41887c

Threat Level: Known bad

The file f23000a51a7ac80b39bab71e83c3983a was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery persistence spyware stealer

CryptBot

CryptBot payload

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 19:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 19:23

Reported

2024-01-09 17:20

Platform

win7-20231215-en

Max time kernel

208s

Max time network

248s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2540 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
PID 2540 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1676 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe

"C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c rgmLAtaO

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Pel.pptx

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejseAhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE$" Aggiogati.pptx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

Vorra.exe.com o

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com o

Network

Country Destination Domain Proto
US 8.8.8.8:53 ebSjyqjdxCUUHsVfxQT.ebSjyqjdxCUUHsVfxQT udp
US 8.8.8.8:53 ewaqfe45.top udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pel.pptx

MD5 b508376c348b13291d124eab9cce3534
SHA1 26e23e157da1b214a98d84c581c103a97d2f4121
SHA256 a0a6240b767c17f2bbe16985044599f369fdee62ee626a4326e975edbb01a9b4
SHA512 018c7dcf04180da81065647d957e4d08e40ee7e6ca93fe70ab6bfa49ab8532fcd40fe9add8ddc09816e343f04174b1d3e3dc16ba4cd7c93545814fc1992256b8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aggiogati.pptx

MD5 f435197ac66954c9aaa768c402bb2f6e
SHA1 81cb16becf08ab1cb2d88c1a0d51872aac7af78f
SHA256 682c0c70fdc6522a9ee445de9439348405b945ef9707b983ddf3e88c869ea576
SHA512 ca39a95f003340290b4ae5037313432061c1213f976253bbda8b5149f0f1e295cacbc43dbe63fa1cc54e5336a3161eac7962f73afad775a4122ad23f0330117b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fresco.pptx

MD5 6ef148867d1e6e66271e86d6bfab3869
SHA1 589cfd4129777c088f4b53f5dc723ada5f51b302
SHA256 0768633b95a60df47da99c4f6c92cb703c61e547652e6831ff918a9c48ae7720
SHA512 8ba444184340843551dbe1dbec38f15a8a30aa3e97811e300b4fcae2c791254c84576d3b8d7299cca48ae0a3a8e443bbc71d0325283df7a46773747ef72b41e3

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

MD5 e52d61a48f6c2d88d56e32f7f179af22
SHA1 40528a208c8c7aa08ec77f7ef01b5c974aaef81e
SHA256 9e4f89678b542437ab9cc34f03259cf919d527080127d329f2adea791a941c77
SHA512 b6dc043becaebdc8522599e30013fe965c77fd0282f14f4e8fb2e7d8ce566246b8abfa64eb7b91d1e1ee20f3d9e41884f831412c2c87946a101764ef5d05d77f

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

MD5 50fd168f651c65df15ad848a893a996a
SHA1 d32e115599c92937cd71da551dbf9575838abdca
SHA256 f13b6bd774ddaa3a3ce2d51eaeb9a325785bd7f335ed09897b8d85cfc98cc797
SHA512 80ef663885602a2cfd7e1d77a648a902bd695a3b1b5f65dc23a83105544f2becbd26e40045e7f03acec0f7631def205095650ec94b925ced00f2ad4db78a288f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

MD5 31662157265f51845f857ad681c410af
SHA1 23e8ebfd96153bfda00feb0aec56486dea629301
SHA256 942626b1dc77ad7e4d41757a880e22c4dcbb081d66784467b92f2e5149242508
SHA512 0761fa13ef1d961608d56d43e860bae18554426e2b5a8922e893b90bd4fb564c3f753e05a048bf19301e2c1f1b9a123d918671e64fea764fa0328b829529dc49

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Seduce.pptx

MD5 c6e5a1d0da965a5ed6605f2eaca6e918
SHA1 2ebecfc4f3b2edc02bc25fa24a414c184c2c5760
SHA256 a42591d455e0b68a748c3a54a72e15472a6b06af4d365dab85930667c530ff37
SHA512 6231a9f4b2d5bbcee2700eea3918fa0b75098815fb7df00cd5969100ec87bb5d25e8c186452a809302592b3c90c622e8715872ca8ea719a31e150e4bfc34b79a

memory/740-24-0x0000000000160000-0x0000000000161000-memory.dmp

memory/740-25-0x00000000043B0000-0x0000000004453000-memory.dmp

memory/740-26-0x00000000043B0000-0x0000000004453000-memory.dmp

memory/740-27-0x00000000043B0000-0x0000000004453000-memory.dmp

memory/740-28-0x00000000043B0000-0x0000000004453000-memory.dmp

memory/740-29-0x00000000043B0000-0x0000000004453000-memory.dmp

memory/740-30-0x00000000043B0000-0x0000000004453000-memory.dmp

memory/740-31-0x00000000043B0000-0x0000000004453000-memory.dmp

memory/740-32-0x0000000000F80000-0x0000000000F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Yq3QmQf\_Files\_Information.txt

MD5 63b8c275ba1b16740bacdcb0116b608c
SHA1 d3789337ca56a0d4b28bbf1d17bebd11593a7e6a
SHA256 a981c50c80d55a657faa13c375cca86b4d47cc5e26b5c032ac3b03ceb21b7bf1
SHA512 569a186f38463fbb1cda8787c0090957e1d12ed2a3566a3cddc394c2761ebb5fd91f9fa59fa7b19b7932a2a2e02506a55b58f2f33979204b7eaa1d03f44e72c7

C:\Users\Admin\AppData\Local\Temp\Yq3QmQf\files_\system_info.txt

MD5 7d9c91bbf6ee5d1117e9d0e577253b18
SHA1 78bbab80bca6c77f66bd426a03490ae142cfe07b
SHA256 dc4b4295e16882d1a919c2fede2d5c7c26e859ae4251fb5e224999d569c89916
SHA512 a237ccbafeff51fd734dbd1b16967230685f99bca19ddada9382014af4764eea24e166d9a6ef4dd00897a5466d531355e03ba073b2b2ca178397a5ab214e227c

C:\Users\Admin\AppData\Local\Temp\Yq3QmQf\_Files\_Screen_Desktop.jpeg

MD5 5a3655df80d79ad2cfc5780b782549b6
SHA1 3fae3b923541f44db2364eb8ec0a8a4f7495d451
SHA256 154857838c9e008cccb9ed66bc39dabb330d05cecbb4da2f9a9ed341e92ba8bf
SHA512 d4f6613ef3bf0b69bad12a30342fc0f7c9465648502a865bba922095d7f325a5b55d7845b6d4b7201912e4e7016c89bb24e8b4117811c163fb909965e28b4bfb

memory/740-249-0x00000000043B0000-0x0000000004453000-memory.dmp

memory/740-251-0x0000000000F80000-0x0000000000F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Yq3QmQf\1cwSyx8Hksucp.zip

MD5 7f95421e322c952ebc00ea00a8576680
SHA1 59c6d1a62531a67cfc155373e18f3cac44154d63
SHA256 068b9e5f7a69c754862ddc3bdbbfdf26e8318adf43a35fec229498aceca66d77
SHA512 230270b844fdbf9f496636757c03e84a695150f9b0477f394d81a59b22f44aa6e33c701ebfd035bc1beb21e1ffc2d39204864b518f8392124c6a87e5d8ba65aa

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 19:23

Reported

2024-01-09 17:19

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1252 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1252 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
PID 1252 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3628 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe

"C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com o

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

Vorra.exe.com o

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejseAhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE$" Aggiogati.pptx

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Pel.pptx

C:\Windows\SysWOW64\cmd.exe

cmd /c rgmLAtaO

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 ebSjyqjdxCUUHsVfxQT.ebSjyqjdxCUUHsVfxQT udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 ewaqfe45.top udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 morjau04.top udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aggiogati.pptx

MD5 f435197ac66954c9aaa768c402bb2f6e
SHA1 81cb16becf08ab1cb2d88c1a0d51872aac7af78f
SHA256 682c0c70fdc6522a9ee445de9439348405b945ef9707b983ddf3e88c869ea576
SHA512 ca39a95f003340290b4ae5037313432061c1213f976253bbda8b5149f0f1e295cacbc43dbe63fa1cc54e5336a3161eac7962f73afad775a4122ad23f0330117b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pel.pptx

MD5 b508376c348b13291d124eab9cce3534
SHA1 26e23e157da1b214a98d84c581c103a97d2f4121
SHA256 a0a6240b767c17f2bbe16985044599f369fdee62ee626a4326e975edbb01a9b4
SHA512 018c7dcf04180da81065647d957e4d08e40ee7e6ca93fe70ab6bfa49ab8532fcd40fe9add8ddc09816e343f04174b1d3e3dc16ba4cd7c93545814fc1992256b8

memory/2868-21-0x0000000000F50000-0x0000000000F51000-memory.dmp

memory/2868-22-0x00000000042C0000-0x0000000004363000-memory.dmp

memory/2868-23-0x00000000042C0000-0x0000000004363000-memory.dmp

memory/2868-24-0x00000000042C0000-0x0000000004363000-memory.dmp

memory/2868-25-0x00000000042C0000-0x0000000004363000-memory.dmp

memory/2868-26-0x00000000042C0000-0x0000000004363000-memory.dmp

memory/2868-27-0x00000000042C0000-0x0000000004363000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2868-29-0x00000000042C0000-0x0000000004363000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iSncpIO8pC\_Files\_Information.txt

MD5 d9a21089e1b3b0016a0b68acab575ca8
SHA1 1cd7a023cc4e44a731bdf8c8a387a9065b7c305b
SHA256 590eb8e782638f8a44108ec4a41ea5429955571b44b11ad0cafa4e35da099568
SHA512 3ecf349823c4a36bff8536ecb93ac58cef537d55cc45b0b974c50d5e3df1fa29344e7664f5f13d91351670f99edeea178869ed612746fb226bacefbd409bd0ab

C:\Users\Admin\AppData\Local\Temp\iSncpIO8pC\_Files\_Information.txt

MD5 88a9e70aeff1eee9acc0375eabdd48e5
SHA1 4bfc396229e910341b62ad38119e935ca49dd98c
SHA256 a111a5c380334907042e1e1be9c0571f5e4d7e67cf97523af0af53916af3e286
SHA512 9677d22e15f8766c7ed6d2ccba53582f91cda1b52ce86d7d690cd81334a060be1daf7cf8dd9bed03503fc81a7a6687d1316036e8ecb55181f3e8895f0e6f840c

C:\Users\Admin\AppData\Local\Temp\iSncpIO8pC\_Files\_Information.txt

MD5 7e4cabf86ad2deb9632764ab2101eba7
SHA1 9629c0880c9ab664df56f4d72442ff1759099a72
SHA256 a830b8d7201733d5fdd12479d605e49459496f69ce2066bbc49174311451abe8
SHA512 c7e4770e48d8ddaed31dcb59429f0fa09d376fbceae0c4018534d021db65bb6838f1ea788b0cd9e7a553c991cb2a97058b74f55a1a712efa378e43145ae24218

C:\Users\Admin\AppData\Local\Temp\iSncpIO8pC\files_\system_info.txt

MD5 4b41c02d15b1d0e2cc5b06ace64fd013
SHA1 680a85f72fd6aaff4af8e523af60b33f09b95e3f
SHA256 2fe7f5e60c67db0dcdb4c810c7a464c1e34c4c575e792eb70824ba7bc69db1d1
SHA512 623ba98b3a90844ffe33306d5055cd728c8d0938b79e3c960e2357567c1a15f69156df59b8fddf31dc083ccf7d92ca8a5248e352ce179aef13b0ad91f91e549b

C:\Users\Admin\AppData\Local\Temp\iSncpIO8pC\files_\system_info.txt

MD5 8833c7116e88c4b7e4c57773e8d1d796
SHA1 00c311ea509f1d913b5a374884062c9349cfa76f
SHA256 ad06f5e2d084a0b919b9a1b7af1584c7156b5297924f46e9b98d128c20e29953
SHA512 66dfd2de1c447d458b2edbbba5afa225b0789e5a969f77dae513873142237135a51785f82d2f259dd5f64d4ea6d4e9bb9069708aab9eb84eeebf8b5940c1eeaf

C:\Users\Admin\AppData\Local\Temp\iSncpIO8pC\_Files\_Files\ConfirmWait.txt

MD5 6b4364950e66f6bc2e3c0e626344420b
SHA1 367460cda5692d82802999b0ee358d401acff294
SHA256 2a94b8c796d9dc175199377b3d5e4053820c56e1d02ced3c72b9f16728d8f778
SHA512 6a386f4131124d06c40f370b5cb8b401c04542062f3f90f9830d0dd05a114e8f0493fe95d1b57ad503357dc2d9b770f9eb3687693d0a3d4cb9170a27c1971e7a

C:\Users\Admin\AppData\Local\Temp\iSncpIO8pC\_Files\_Screen_Desktop.jpeg

MD5 d99ccc7c33d77c38248d324171200f9f
SHA1 65cf21860a5df51d7f18c25c6c2495ab4d7a3334
SHA256 b5664e06bb8453201a8b8cdf149cf77b3b72a395f1da91061abdfad9c887e1de
SHA512 87341e040ffe92ed7a8a1bba3c96a3081fcd6f60bcf21514a3808d9a019d7c0b37f93662b2821bbf42729621b5ef8c23d4c5c5296ed363606b02c18f926703e8

C:\Users\Admin\AppData\Local\Temp\iSncpIO8pC\LubAlwY6wtYM3.zip

MD5 f8c1704e198600846e523ded289572aa
SHA1 070a19acd704141b393dd7ae10683173a0d7006f
SHA256 755d602d3d1d77fe98f6287a17dc7c4ad70486ef2264ed4c84bb5c5f951ba9d9
SHA512 e2e2e5a62b05590c37315268361a737f5f6edd8d43d786a7be460d90dbab4e7ea09bcde0709523219d4e94d2bb27651abcd1f5a821098479dbd9842ca0a5707d

memory/2868-242-0x00000000042C0000-0x0000000004363000-memory.dmp