Malware Analysis Report

2024-10-23 17:14

Sample ID: 231231-nzpyxscdg6
Target: 350d886a144175863ceed4fb8d7b0169
SHA256: 776755ae4c35c3d48837ed063af2048359eb7a37abddb0157e766a66caf10395
Tags: cryptbot discovery persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 776755ae4c35c3d48837ed063af2048359eb7a37abddb0157e766a66caf10395
Threat Level: Known bad

The file 350d886a144175863ceed4fb8d7b0169 was found to be: Known bad.

Malicious Activity Summary

Tags: cryptbot discovery persistence spyware stealer

Signatures triggered across the static and behavioral runs:
CryptBot
CryptBot payload
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-31 11:50

Signatures

Unsigned PE (the dropper carries no Authenticode signature; no further indicator detail is recorded for this rule)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 11:50
Reported: 2024-01-10 12:26
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe"

Signatures

CryptBot (spyware stealer cryptbot)

CryptBot payload: matched (the sandbox records no per-indicator detail for this rule)

Loads dropped DLL
Process: C:\Windows\SysWOW64\cmd.exe
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (written by C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe)

Caveat: this entry is not payload persistence. wextract_cleanup0 is the housekeeping value that the Windows self-extractor stub (wextract, the stub IExpress packages use) writes so that advpack.dll's DelNodeRunDLL32 deletes the IXP000.TMP extraction directory at the next logon; RunOnce removes the value once it has run. What it does tell you is that the dropper is a wextract package that unpacked into IXP000.TMP, and that the dropped files will be gone after a reboot, so collect them from the live run or from the Files section below. No Run/RunOnce value pointing at Accendeva.exe.com or at the stealer output is recorded in this run.

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com)

Reading ProcessorNameString is a routine host-fingerprinting step: the CPU name typically ends up in the stealer's system_info.txt (listed under Files) and is also a common check for virtualised CPUs. On its own it is low-signal; it matters here because of which process does it.

Runs ping.exe

Process: C:\Windows\SysWOW64\PING.EXE

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com (two entries)

Suspicious use of WriteProcessMemory

Source PID -> Target PID | Source process | Target process | Entries
860 -> 2292 | C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe | C:\Windows\SysWOW64\dllhost.exe | 4
860 -> 2748 | C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe | C:\Windows\SysWOW64\cmd.exe | 4
2748 -> 2828 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
2828 -> 2840 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 4
2828 -> 2760 | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com | 4
2828 -> 2860 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 4
2760 -> 2608 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com | 4

Every pair in this table is a parent writing into a child it has just created, so the table is effectively the process tree rather than evidence of injection into an unrelated process. The pair that deserves attention is the last one: Accendeva.exe.com writing into a second copy of itself, which is the process (PID 2608) that all memory dumps in this run were taken from.

Processes

Process tree (PIDs taken from the WriteProcessMemory parent/child pairs above; command line on the second line of each entry):

PID 860   C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe
          "C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe"
  PID 2292  C:\Windows\SysWOW64\dllhost.exe
            dllhost.exe
  PID 2748  C:\Windows\SysWOW64\cmd.exe
            cmd /c cmd < Noi.csv
    PID 2828  C:\Windows\SysWOW64\cmd.exe
              cmd
      PID 2840  C:\Windows\SysWOW64\findstr.exe
                findstr /V /R "^YamAocAZkiCmbGYvdmdlLsmuyeGxMPobeaMnKkwlzveVjWJfZZEFZlOGTaxyPuhcZybtUALynyQffDUpzdxNkDbREyFsQVchpHWimExmhmuTxnsfnk$" Partissero.csv
      PID 2860  C:\Windows\SysWOW64\PING.EXE
                ping localhost -n 30
      PID 2760  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com
                Accendeva.exe.com x
        PID 2608  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com x

Reading of the chain, from the command lines and the parent/child pairs only: the dropper is a wextract self-extractor that unpacks its files into IXP000.TMP and launches cmd. The outer cmd feeds a second cmd its commands through stdin redirection from Noi.csv, so no .bat or .cmd file is ever written to disk. The inner cmd runs findstr /V /R "^<marker>$" over Partissero.csv, which prints every line except those consisting solely of the marker string; the redirection target of that output is not captured in the command line, but the Files section records Accendeva.exe.com under IXP000.TMP with several different hashes during the run, consistent with the file being written out by this step. ping localhost -n 30 is a delay of roughly 30 seconds with no network side effect. Accendeva.exe.com is then run with the single argument x (the dropped file x is listed under Files), starts a second copy of itself and writes into it; every memory dump in this run comes from that child (PID 2608), which is therefore the process holding the unpacked CryptBot payload. The .exe.com name is cosmetic: Windows executes the file as a PE regardless of the extension.
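The findstr step above is a decoder: it rebuilds an executable by stripping marker lines out of a file that is not a valid PE on its own. The script below, added here as a worked example and not part of the sandbox report or the malware, reproduces that step so the same transformation can be applied to a file pulled from an infected host. The command line and marker are copied from this run's process list; the input file is constructed inside the script (the real Partissero.csv is not on this page), and the exact line-terminator behaviour of findstr.exe is an assumption noted in the code.

```python
"""Reproduce `findstr /V /R "^<marker>$" file` and check whether the output is a PE.

Added example, not part of the sandbox report or the malware's own code.
The command line below is copied from this report; the wrapped input is
constructed here to stand in for Partissero.csv."""
import hashlib
import re

# Copied from the report's process list (behavioral1 and behavioral2 use the same marker).
FINDSTR_CMDLINE = 'findstr /V /R "^YamAocAZkiCmbGYvdmdlLsmuyeGxMPobeaMnKkwlzveVjWJfZZEFZlOGTaxyPuhcZybtUALynyQffDUpzdxNkDbREyFsQVchpHWimExmhmuTxnsfnk$" Partissero.csv'


def parse_findstr_marker(cmdline: str) -> str:
    """Pull the anchored pattern out of `findstr /V /R "^...$" <file>`."""
    m = re.search(r'"\^(.*?)\$"', cmdline)
    if m is None:
        raise ValueError("no anchored /R pattern in command line")
    return m.group(1)


def findstr_v_anchored(data: bytes, marker: str) -> bytes:
    """Approximate `findstr /V /R "^<marker>$"`: drop every line that consists solely of
    the marker, together with that line's terminator, and keep all other bytes verbatim.
    Assumption: findstr passed non-matching lines through unchanged. Real findstr may add
    a trailing CRLF at end of file; that lands in the PE overlay and does not affect loading."""
    pat = re.compile(rb"(?m)^" + re.escape(marker.encode("latin-1")) + rb"(?:\r?\n|\Z)")
    return pat.sub(b"", data)


def is_pe(data: bytes) -> bool:
    """MZ at offset 0 and a PE\\0\\0 signature where e_lfanew (offset 0x3C) points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(wrapped: bytes, findstr_cmdline: str) -> dict:
    """Run the decode step and report whether it turned a non-PE into a PE."""
    marker = parse_findstr_marker(findstr_cmdline)
    out = findstr_v_anchored(wrapped, marker)
    return {
        "marker_len": len(marker),
        "is_pe_before": is_pe(wrapped),
        "is_pe_after": is_pe(out),
        "size_after": len(out),
        "sha256_after": sha256_hex(out),
    }


# --- constructed sample input, standing in for Partissero.csv -----------------
def make_fake_pe() -> bytes:
    """Minimal MZ/PE skeleton. The body deliberately contains LF and CR bytes, which a
    line-oriented decoder must leave untouched for the result to be byte-exact."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: PE signature right after the DOS header
    return bytes(hdr) + b"PE\0\0" + b"\x0a\x0d\x00\xff" * 16


def make_wrapped_sample(payload: bytes, marker: str) -> bytes:
    """Two marker lines in front and one spliced in at the first LF inside the binary,
    so the file is not a valid PE until the marker lines are stripped (constructed layout)."""
    line = marker.encode("latin-1") + b"\r\n"
    cut = payload.index(b"\x0a") + 1  # a line boundary that already exists in the binary
    return line + line + payload[:cut] + line + payload[cut:]


if __name__ == "__main__":
    marker = parse_findstr_marker(FINDSTR_CMDLINE)
    sample = make_wrapped_sample(make_fake_pe(), marker)
    for k, v in triage(sample, FINDSTR_CMDLINE).items():
        print(f"{k}: {v}")
```

To use it on a real collection, read Partissero.csv as bytes, call `findstr_v_anchored` with the marker parsed from the recorded command line, and compare `sha256_hex` of the result against the Accendeva.exe.com hashes in the Files section; a mismatch usually means findstr's end-of-file handling differed, which `is_pe` will still confirm as a loadable image.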

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | HMJOWVmMbDbuNdSFpXAJbAA.HMJOWVmMbDbuNdSFpXAJbAA | udp
US | 8.8.8.8:53 | haijwd23.top | udp

Only DNS was recorded in this run; no TCP connection follows either lookup, so nothing was fetched or exfiltrated here. haijwd23.top is the one externally meaningful name and the candidate C2 to block and hunt for. The self-repeating label is queried identically in behavioral2 as well, so it originates from the sample rather than the sandbox; it cannot resolve publicly (its top-level label does not exist), and querying a name that cannot exist is a common way to detect environments that answer every DNS request.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Immobilita.csv

MD5 df88d8ff01f9344acf2ad0cc8ace8c65
SHA1 f6797e623bba9d50e10e092006dad5b688276531
SHA256 82cf4be4afe69a1cc84c79a768cd9a8cdad5bad82ad2d74c22f21cfb284913e3
SHA512 8c56fa03d9c8a778064d1eae8b77af3eef27ff8d5275d5a6fd410df315eb2cdea7f684351a2e4c58b3487a0cc05af43b5665450d782752a0a6f19082fd20eb22

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Partissero.csv

MD5 d29e5058076cf0cb52e2039ec1f30523
SHA1 a507324dbc5bdaad927334c892f7bc7e505c150c
SHA256 0af8a283db9cceeeb8981535fa2f3e499975cb55df56bc00db650c1b62a2e3a8
SHA512 5abba4de3a55d849993534585c3f77e3a00ebd25f4c283f4f43d90e9ef66a476ef431839cf20d463c3dc093c9c6542f6fe8a067a8f36c35562aee4a0622d6a04

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Noi.csv

MD5 67f32c2840c3d4689692da04167dc66b
SHA1 249b8d50c0ec618463877b185ceed2520a4583d5
SHA256 5dc31062e2d78a5c11b252e52bf1c6bbc6c8a0f80c67f83dec6469718ce89fe6
SHA512 f5e9170032112a3a73610c74a80b8ae48aef76cfc42e8bfaa8fa14500b966bb8d8b9ceac024861aaa99dfe3eb126bc8e8139c053c194b30d33a0c60cfdea36ab

Accendeva.exe.com is recorded five times under IXP000.TMP in this run (two of them with the drive letter omitted by the sandbox), each with a different hash: the file was captured at successive points while it was being written. Hash the image of the running copy, or the last write, before choosing one of these as the file IOC.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com

MD5 dfb9f86fc1aaeb0ce52b1011e097ea17
SHA1 9839683152bb06d4974e36eb46efb51b8779845a
SHA256 4911a0e41a11183f52c232edc88b86364a0308b38cf14c4a6bf74ac250c907db
SHA512 219c083cb8f356607a2fe87844ca8fe1ab022d135a73bdb280df9850ba7d820f8f503ebd5e45302ff68b66c1b52a9d9fd5812be4da76eeb94a101dd15a07853b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x

MD5 8c741474579c2958b04acf9444e622f6
SHA1 c62d6fbf62e572d95e8e3fdae84366d720fb94cc
SHA256 31992a539c0e1cb81b7b891b71fa9031918413de1c0a06957e6458a3cea6b52d
SHA512 8a1004f801ca32454e5aa4fce44cd6339dee71512ba098dedd9badc9dadaf17317f6765dd3492b6404377e305a9e0c21ef89db9d6eab68c71403512d087d10f5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com

MD5 4334c0d0929ebb52cbc6b875728193d1
SHA1 2aaf6a084160f4743ea0d05bf0dc7be7750ccc16
SHA256 b1a04a9434185091ceb1f7cb732368fc44848089d54bec081250f91d60ac4805
SHA512 bd90530f8da3a2a3292bd82daa2583ef1f6422f591d274b8ac7dd66f1503e52e5a8389e7f325e8ef4862e5f5dc986923761c6ad40e7d188a83a8fb2ff73344fc

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com

MD5 2d337e35c5fdbaf0aa77cc05e0acadee
SHA1 b2c3850ccfe3a9825a2caf0b05a02b9d02899c01
SHA256 584a685e76da80f330e97116eea7c85d168f3d4160624f6e37331e1857b8fe4f
SHA512 199fedd0266761f48281d8175d86296b4d30ba9087f9920c53c08a46a28341fc2a341a4a9858c7b0668c79ee1e886adccc4f4a37d76165400a2da9329814aa42

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com

MD5 84ef5c32a31371a65046f932e7f6a6bc
SHA1 dbe4f4e2a852b50659eace92e816ed809ede5af2
SHA256 b6cf98e2e77ae5e63f42c9f9c2044aa6d7f6355972d3a0ba9d1d3b824c495433
SHA512 43bd9f46f21ec6e20bb881ca92ed86550930525bb66e05980d6bee69dad861886658234caa69ce8d6a61946685f3bfdcbbcba48beddae98b2690a355ad2d1b6a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com

MD5 38266beef9f45c06725c62a034fff972
SHA1 34d9ba5b8d7194fbcfc8d13efc405e2602d41982
SHA256 99ca03960db2a62d4efc31c0cd33cc76fb19f012d9057cd06887db47235657a9
SHA512 31c73bd82a4b1e4fdb3eacb1b3a806d4088b1194962266fe2831d91cf8b90623b734a72b6490c94d7fd74ca295eeecff9cb0e67f99b9a2773c0d15a912a0ec29

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Essa.csv

MD5 4602b6c89355b31705ec1a4b0afb11d3
SHA1 1b8cfc9af2b546ea174580b2be49b4c22ef23e03
SHA256 07ffb6f787a34f3381afcd3bc6440d903c984a9371fa92bdcce465adc72b2821
SHA512 a7ee981cc40171da691dca3b893820174f68114b9fb414fdc8fe3e93025fc0fe7599cc58809956496287b3cf7cbf4c6c4c9e9cc70dc80bbf3115172f7967431f

memory/2608-24 through memory/2608-32: nine dumps from PID 2608 (the child Accendeva.exe.com), covering 0x00110000-0x00111000 once, 0x03B20000-0x03BC3000 seven times and 0x00360000-0x00361000 once. The repeatedly dumped 0xA3000-byte region at 0x03B20000 is the natural starting point for carving the unpacked payload.

Stealer output staged under a random-named Temp directory (XNCyaaPoN): _Files\_Information.txt (written twice with different hashes as collection proceeds), files_\system_info.txt, the desktop screenshot _Screen_Desktop.jpeg, and the archive hLr3I6oeXglGt.zip. The zip is the artifact to pull when scoping what was collected from a host; note that no upload of it is visible in this run's Network table, which records DNS only.

C:\Users\Admin\AppData\Local\Temp\XNCyaaPoN\_Files\_Information.txt

MD5 26f7a0b1e279b59e7e407f642836b7a4
SHA1 169845b90448be8d94f09e6a0075e41497662f13
SHA256 0ab6d9020601d320813896f60e086bc777b85e304072fb426a1b0bcb956f5146
SHA512 d5a2f1962d275870b400b1bdfe2161f88ef37553b7e614883f150fab0a6d4a1365599fd822f1a38d7d554b485487518208941f60941f8515b72673eaba4b82da

C:\Users\Admin\AppData\Local\Temp\XNCyaaPoN\_Files\_Information.txt

MD5 15b703080ca044aeb4e6cc407e6138df
SHA1 780e1f711030077e024f65c90443e236e4414e66
SHA256 cc2ce5ad62c23b718647cd0bbf9a7f22b314e993ed4e3f516551edabc53f008d
SHA512 051223a108808bc3bc9f9a6cef0f49d214c8d1aa4285376a3aa37fbe310964262a4c9a50eb2693113240f1aa1c88a2e26caa594bc79be07f14e04474ce2533b3

C:\Users\Admin\AppData\Local\Temp\XNCyaaPoN\files_\system_info.txt

MD5 23d847aee7366445ce04042e3f4021a4
SHA1 d9b34c536102067b3798a9e8b1c4a43ba20f78a2
SHA256 665408837d53c4032190f79dabd7138020aeaa778d76b87fa0055e5d4a75fa08
SHA512 4e5daafcb25b6cac75a29ac7de4c1fb4235e809e45dc3d6129f732b28be7ffb8bbdc04a918e3f1319244e246c47dbcccd79347e2778218a660f59823d5084fe7

C:\Users\Admin\AppData\Local\Temp\XNCyaaPoN\_Files\_Screen_Desktop.jpeg

MD5 1481635784c1b44a629b2339619ea9b4
SHA1 9fb6f85faa17d9a7eafe30e9335a4027478922c8
SHA256 7ed5d7b9e372144ff8e31a4f4525864cfded9648aa20025c03061b65e1d93fb3
SHA512 6fe880f828df1a8781e4988837c2611df0530c3163c6edcc1b934b4155bdd1a0ba8d81745279a4143c64ddb6f066c3fd0ccc1df15f4d2a749e4918229767722e

memory/2608-251-0x0000000003B20000-0x0000000003BC3000-memory.dmp

memory/2608-252-0x0000000000360000-0x0000000000361000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XNCyaaPoN\hLr3I6oeXglGt.zip

MD5 ff11810de937792123c43dc1f9637910
SHA1 9d01dccd7543625e3c637cd37363997664d9cd8a
SHA256 d5b501760dc3bb379442f543dbe38de27afc5e765fc8a3f5a200f4c0ea03ff73
SHA512 cfc473bc65205b1662b3235e1e5951311350b1168785a38192c28d478c6ff40f2b49d61820aa518b2aa001a5d070592f54ad7e14401e78066539bf8e74ea0c1f

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 11:50
Reported: 2024-01-10 12:26
Platform: win10v2004-20231215-en
Max time kernel: 84s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe"

Signatures

CryptBot (spyware stealer cryptbot)

CryptBot payload: matched (the sandbox records no per-indicator detail for this rule)

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (written by C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe)

This is the same wextract self-extractor cleanup entry seen in behavioral1: a RunOnce value that deletes IXP000.TMP at next logon, not persistence of the payload.

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com)

Runs ping.exe

Process: C:\Windows\SysWOW64\PING.EXE

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com

Suspicious use of WriteProcessMemory

Source PID -> Target PID | Source process | Target process | Entries
1064 -> 1468 | C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe | C:\Windows\SysWOW64\dllhost.exe | 3
1064 -> 3644 | C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe | C:\Windows\SysWOW64\cmd.exe | 3
3644 -> 2184 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
2184 -> 1124 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 3
2184 -> 3428 | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com | 3
2184 -> 1688 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3
3428 -> 4132 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com | 3

As in behavioral1, each pair is a parent writing into the child it has just created; the entry of interest is Accendeva.exe.com writing into its own second copy (PID 4132), the process all memory dumps in this run come from.

Processes

Same chain as behavioral1, with the PIDs from this run's WriteProcessMemory table (command line on the second line of each entry):

PID 1064  C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe
          "C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe"
  PID 1468  C:\Windows\SysWOW64\dllhost.exe
            dllhost.exe
  PID 3644  C:\Windows\SysWOW64\cmd.exe
            cmd /c cmd < Noi.csv
    PID 2184  C:\Windows\SysWOW64\cmd.exe
              cmd
      PID 1124  C:\Windows\SysWOW64\findstr.exe
                findstr /V /R "^YamAocAZkiCmbGYvdmdlLsmuyeGxMPobeaMnKkwlzveVjWJfZZEFZlOGTaxyPuhcZybtUALynyQffDUpzdxNkDbREyFsQVchpHWimExmhmuTxnsfnk$" Partissero.csv
      PID 3428  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com
                Accendeva.exe.com x
      PID 1688  C:\Windows\SysWOW64\PING.EXE
                ping localhost -n 30
        PID 4132  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com x
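Both runs show the same four-stage loader chain under one cmd.exe lineage, and each stage on its own (a ping, a findstr, a cmd) is too common to alert on. The detection below, added here as an example and not part of the sandbox report or its signature set, scores the stages together and attributes them to the root process of the tree. It assumes process-creation telemetry with pid, ppid, image path and command line (the shape of a Sysmon Event ID 1 export); the EVENTS list is constructed from this report's behavioral1 process list and WriteProcessMemory PIDs rather than captured telemetry, and the dropper's ppid of 1 is a placeholder.

```python
"""Hunt for the loader chain recorded in this report in process-creation telemetry:
cmd reading its script from a redirected non-script file -> findstr /V with an
anchored marker regex -> ping localhost as a sleep -> *.exe.com run from Temp
with a one-character argument.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's behavioral1 process list and WriteProcessMemory PIDs (not captured data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Marker and paths copied from the report; the dropper's ppid (1) is a placeholder.
MARKER = "YamAocAZkiCmbGYvdmdlLsmuyeGxMPobeaMnKkwlzveVjWJfZZEFZlOGTaxyPuhcZybtUALynyQffDUpzdxNkDbREyFsQVchpHWimExmhmuTxnsfnk"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

EVENTS = [
    Proc(860, 1, TMP + r"\350d886a144175863ceed4fb8d7b0169.exe", f'"{TMP}\\350d886a144175863ceed4fb8d7b0169.exe"'),
    Proc(2292, 860, r"C:\Windows\SysWOW64\dllhost.exe", "dllhost.exe"),
    Proc(2748, 860, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Noi.csv"),
    Proc(2828, 2748, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    Proc(2840, 2828, r"C:\Windows\SysWOW64\findstr.exe", f'findstr /V /R "^{MARKER}$" Partissero.csv'),
    Proc(2860, 2828, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 30"),
    Proc(2760, 2828, TMP + r"\IXP000.TMP\Accendeva.exe.com", "Accendeva.exe.com x"),
    Proc(2608, 2760, TMP + r"\IXP000.TMP\Accendeva.exe.com", TMP + r"\IXP000.TMP\Accendeva.exe.com x"),
]


def _img(p: Proc, suffix: str) -> bool:
    return p.image.lower().endswith(suffix)


# One predicate per chain stage. Each is noisy alone; the chain is the signal.
RULES = [
    ("cmd takes its script from a redirected non-script file",
     lambda p: _img(p, "cmd.exe") and re.search(r"<\s*\S+\.(?!bat\b|cmd\b)\w+", p.cmdline, re.I)),
    ("findstr /V with an anchored marker regex (line-stripping decoder)",
     lambda p: _img(p, "findstr.exe") and "/v" in p.cmdline.lower() and re.search(r'"\^[^"]+\$"', p.cmdline)),
    ("ping localhost -n <N> used as a sleep",
     lambda p: _img(p, "ping.exe") and re.search(r"\b(localhost|127\.0\.0\.1)\b.*-n\s+\d{2,}", p.cmdline, re.I)),
    ("*.exe.com under Temp run with a one-character argument",
     lambda p: _img(p, ".exe.com") and "\\temp\\" in p.image.lower() and re.search(r"\s\S$", p.cmdline)),
]


def stage_hits(events):
    """Every (pid, stage name) pair that matches a single-stage rule."""
    return [(e.pid, name) for e in events for name, pred in RULES if bool(pred(e))]


def hunt(events, min_stages: int = 3):
    """Return {root_pid: sorted stage names} for each process tree in which at least
    min_stages distinct stages occur beneath one top-level cmd.exe lineage."""
    by_pid = {e.pid: e for e in events}

    def top_cmd(pid):
        # Highest cmd.exe ancestor (inclusive); ties the stages of one script together.
        found, cur = None, by_pid.get(pid)
        while cur is not None:
            if _img(cur, "cmd.exe"):
                found = cur.pid
            cur = by_pid.get(cur.ppid)
        return found

    def root(pid):
        cur = by_pid[pid]
        while cur.ppid in by_pid:
            cur = by_pid[cur.ppid]
        return cur.pid

    per_cmd = {}
    for pid, name in stage_hits(events):
        anchor = top_cmd(pid)
        if anchor is not None:
            per_cmd.setdefault(anchor, set()).add(name)
    return {root(anchor): sorted(names) for anchor, names in per_cmd.items() if len(names) >= min_stages}


if __name__ == "__main__":
    for root_pid, stages in hunt(EVENTS).items():
        print(f"loader chain under PID {root_pid}:")
        for s in stages:
            print("  -", s)
```

Attributing to the root rather than to the cmd.exe matters for response: the root here is the wextract dropper, which is the file to hash and hunt, while the cmd.exe instances are gone within seconds. Drop `min_stages` to 2 for a wider but noisier hunt.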

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | HMJOWVmMbDbuNdSFpXAJbAA.HMJOWVmMbDbuNdSFpXAJbAA | udp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | (none) | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (5 connections)
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | haijwd23.top | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | haijwd23.top | udp (4 further queries)
US | 20.42.73.24:443 | (none) | tcp

Separating sample traffic from platform noise: the reverse lookups (*.in-addr.arpa) and the tse1.mm.bing.net traffic to 204.79.197.200 are Windows 10 background activity seen in most detonations on this platform and are not attributable to the sample. haijwd23.top is queried five times here (and once in behavioral1) with no connection to a resolved address recorded afterwards, which is consistent with the name not resolving at detonation time; it remains the candidate C2. The two bare-IP connections (52.142.223.178:80 and 20.42.73.24:443) carry no domain in the capture and should be attributed before being used as IOCs.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Partissero.csv

MD5 30a89caf23552fc1c8c9c21be8605d5a
SHA1 ad75b07186e9cdbfd480a4f922e393c636481d3a
SHA256 2f5e579fd818183db983bc1b9d852b3d0266290926c9483676db27d906d6e167
SHA512 81816845ac57a269885095635a1602784f94b8e4b7a99e6b9b195123dcfedfdaa2554240e10c6e5ac7abc61bce0113ed94ba59558e0afbb77250c00a65b19c30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Noi.csv

MD5 67f32c2840c3d4689692da04167dc66b
SHA1 249b8d50c0ec618463877b185ceed2520a4583d5
SHA256 5dc31062e2d78a5c11b252e52bf1c6bbc6c8a0f80c67f83dec6469718ce89fe6
SHA512 f5e9170032112a3a73610c74a80b8ae48aef76cfc42e8bfaa8fa14500b966bb8d8b9ceac024861aaa99dfe3eb126bc8e8139c053c194b30d33a0c60cfdea36ab

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Essa.csv

MD5 ccd1b9091c1a87886d0debc1ed8eac55
SHA1 564b9bc8bf6dffa34ba284e4bde036dc3361f2fe
SHA256 84828903a45ef9bd1fdb0425369bac324a138ca04f65096f8ea11df00241eba0
SHA512 79064c6e8ba84dc0dcdc2cd9fe8fb30e58fb2ab5f441016101dc9c3f03efbe758ce90988d45fb7f430d4d80eacd72fb918c990a5e7cda5c6411866f950f76bc1

memory/4132-21 through memory/4132-24: dumps from PID 4132 (the child Accendeva.exe.com), covering 0x00950000-0x00951000 once and 0x04410000-0x044B3000 three times.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com

MD5 28465cd3f2cb238982c2210767938ba4
SHA1 7e91b5fb1893180acb1f2c26b6452a0be4076ade
SHA256 d26526e375d9a7aec9d13d0e7295a93b540d641c525a3baf9f4fc7e0b8d1b550
SHA512 ad44ed0e4bc47870bea066f94e26b807538742dd974f62872280f95d09178a197c1d70d498d35de760504feedccc574e6915cbc2f135b5ce1f531ebec0d34cb0

memory/4132-26 through memory/4132-29: four further dumps of the 0x04410000-0x044B3000 region of PID 4132 (the same 0xA3000-byte size as the repeatedly dumped region in behavioral1).

Stealer output staged under a random-named Temp directory (u3JD1neIk1AY): _Files\_Information.txt is recorded four times and files_\system_info.txt twice, each with a different hash as the files grow during collection, plus the desktop screenshot _Screen_Desktop.jpeg. Unlike behavioral1, no zip archive is listed for this run, and whether anything was uploaded cannot be settled from the Network table, which records TCP only to unattributed addresses.

C:\Users\Admin\AppData\Local\Temp\u3JD1neIk1AY\_Files\_Information.txt

MD5 b524cc750303445492692ac7fd798780
SHA1 e51bde4e75e0f0bf8b29a8a28a62ec7d51cfb923
SHA256 29cec2ae48cbc85a343dc8ad4664810eda5acab045d7760f567e1572aaddb54d
SHA512 5017907f182c603020e24205332e265676908d638c8007ba69b143ff24112a3ecace134a9a43f4570e674b0674910b90508968952be1695ce6bed9cd12228129

C:\Users\Admin\AppData\Local\Temp\u3JD1neIk1AY\_Files\_Information.txt

MD5 52e9f980420712ec953e0a8169bd961e
SHA1 6792fe3441f4881d7fd7938cc59edf8b18053770
SHA256 2abc235cb0ad501ead5fe2f383eb2472758d4bc1040ca1759d662701f83e8b67
SHA512 9ec6dc2301407718eb22203c64512f7622255a96910c1c67f100ea2cd9e267df105f0f5b446af613a1282e5be7262c39b38ea635590fc102784eb465973ddea3

C:\Users\Admin\AppData\Local\Temp\u3JD1neIk1AY\_Files\_Information.txt

MD5 a10ff7b11f7b59755c73fc985bcdaeda
SHA1 69a2e5778a69404b4350429ec9f0243cd5277c3f
SHA256 e11829144ba63112f9a8bc6aff5617b7833220ba96a17f60f7ff6a3d4b797154
SHA512 cc3be2ec8f67727e2e3b76ea51b59052385ea3d10c31dcc28761f6861933f46d593dac0ea46cc2e30370472484c3e24525754ae01c1b37f9403ad0840b9c07e6

C:\Users\Admin\AppData\Local\Temp\u3JD1neIk1AY\_Files\_Information.txt

MD5 a2d7917fc8ce31cf2ecd3e22be4f5a44
SHA1 87d3ecc821b7917d2734366c0fc17e78c26b098f
SHA256 3b9e901fe5571c4296262a140c4c36cb5a9e6c2c01608429607eafdf149db443
SHA512 97b97197799ab5cf49c33d31482432f68b96df34db2d07ff2f48ef106449d60263d56a0015f1c7a8b9b172a2d68e4c76817634bc04aaed63ff1d0ccac8425aec

C:\Users\Admin\AppData\Local\Temp\u3JD1neIk1AY\_Files\_Screen_Desktop.jpeg

MD5 38b6fc0a82fdd1971ea99a9a5855ff30
SHA1 dfe798a0605f3d5c31c315d0f82269b6a3773d60
SHA256 658a2883dbc2beae8b4e7b9cfc8ff4cd6cfbd57a0a9a576fd6cdc2b26e936eb8
SHA512 9cbdab11aa831c96a9a45f04be6f1440f11d9f0604a874df5a3b560288e0ddd64cc33474909b745b3bee00931f2e103524b80282752dcd52a30ccc8003391de5

C:\Users\Admin\AppData\Local\Temp\u3JD1neIk1AY\files_\system_info.txt

MD5 d5593ca33e5d72c2d6fc65afa4651608
SHA1 499f8806e074cc3591356da348bc68d667d488d7
SHA256 9dc320c5224b1dd1931f166355157ba32dff5a7937bcddc9d2299f743d90ae43
SHA512 0e5ec235e9bc8b2a3d6b1eaadca358c0b407a91b6d44cf7eb2dbdfee2df4386b9fa7f4d58e4fbd2c92cfd0bd588421f8d46aea985d1c8ac6b3844540911edd58

C:\Users\Admin\AppData\Local\Temp\u3JD1neIk1AY\files_\system_info.txt

MD5 495e2bf307c35938acb48c92864556e3
SHA1 9ef9c25bc17f962b0b6b5ca4103134dfad281db9
SHA256 6dab3940f078397fc077e7684ac4ff0011aee7e5ebe1e58bcbc03b007ef49a1c
SHA512 dff8025a66aebe970e4b0e6de6e7dbba1c4453fe3dd3411a4cd1e3bb2afdec7e4477d2d9bf2e394dba88f7ca1d77fc0cda32de94e97df8dbe60a9bf1c2d0191f

memory/4132-233-0x0000000004410000-0x00000000044B3000-memory.dmp