479a38d36694b48372c4994002ae90cd991c217bf91fc98bb0eadd4399a8318d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41ab5171ab01c33b6ab3c99c0bbc238b.exe
Size

13.6MB
MD5

41ab5171ab01c33b6ab3c99c0bbc238b
SHA1

ee64a916167c4e3790e238bc2c91ee2fd46a3652
SHA256

479a38d36694b48372c4994002ae90cd991c217bf91fc98bb0eadd4399a8318d
SHA512

5173bbaab41c0f82413d3e571948b1779bb012d9b13357a551b75ffb259f6e8b35f2c9bbd46c4b8a340d9c7b3f27a446e7da74d26b99d4a349d3f2704cb78a0d
SSDEEP

98304:jjBxcO4EYTjmOxTPKvXhH1yjmOxTPKvXK1yjmOxTPKvXhPsY+dy0ZScIBqBT11o:jjBxcO4jjmUjNUjqsC

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Drivers\ETC\HOSTS	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Windows\system32\Drivers\ETC\HOSTS\HOSTS	41ab5171ab01c33b6ab3c99c0bbc238b.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4896-0-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/files/0x0007000000023222-5.dat	upx
behavioral2/memory/4896-410-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\System Database Administration Service = "C:\\Windows\\system32\\DbTasker.exe"	41ab5171ab01c33b6ab3c99c0bbc238b.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DbTasker.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File opened for modification	C:\Windows\SysWOW64\DbTasker.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Windows\SysWOW64\hal.dll	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Windows\SysWOW64\DBTASK.EXE	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Windows\SysWOW64\dbzip2.dll	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Windows\SysWOW64\dbexe2.dll	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Windows\SysWOW64\LockFile.dat	41ab5171ab01c33b6ab3c99c0bbc238b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\microsoft shared\clicktorun\HalfLife 2 WORKING Steam Activation crack.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\textconv\en-us\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\Pamela Anderson FULL VIDEO.mpg .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\hr-hr\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\sk-sk\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\el-gr\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ja-jp\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\de\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\es-es\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fr-fr\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\de-de\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\ja-jp\Pamela Anderson FULL VIDEO.mpg .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\1033\Pamela Anderson FULL VIDEO.mpg .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\NORTON Inte c:\program files\common files\microsoft shared\ink\bg-bg\NORTON Internet security 2006.rar .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\da-dk\Pamela Anderson FULL VIDEO.mpg .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\de-de\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\main\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\NORTON Internet security 2006.rar .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\it-it\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\it\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\ko\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\sv-se\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ro-ro\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\dotnet\shared\microsoft.netcore.app\6.0.25\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\cs\Playboy centerfold HOT.gif .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fi-fi\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\pl-pl\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\vgx\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\Pamela Anderson FULL VIDEO.mpg .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\Pamela Anderson FULL VIDEO.mpg .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\ja-jp\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\office16\office setup controller\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\vgx\Internet Explorer 7 FULL BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\1033\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\tr\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\hwrcustomization\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\de\Pamela Anderson FULL VIDEO.mpg .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\DVD Xcopy PRO Illegal Warez.iso .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ru-ru\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\stationery\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\dotnet\shared\microsoft.netcore.app\6.0.25\Playboy centerfold HOT.gif .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\tr-tr\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\textconv\en-us\Playboy centerfold HOT.gif .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\zh-hans\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\Internet Explorer 7 FULL BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\cs-cz\Internet Explorer 7 FULL BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\de-de\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\Windows XP SP3 REAL VERSION.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\zh-cn\How to stop NetSky.doc .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\NORTON Internet security 2006.rar .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\Matrix Reloaded.avi .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\el-gr\Internet Explorer 7 FULL BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinTask.zip	41ab5171ab01c33b6ab3c99c0bbc238b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4320	4896	WerFault.exe	87

NTFS ADS 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\øvôó`çdc:\program files\common files\microsoft shared\ink\hwrcustomization\WinRAR 4.01 Cracked BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\ink\hwrcustomization\Windows XP SP3 REAL VERSION.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\textconv\en-us\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\clicktorun\Internet Explorer 7 FULL BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv,ådc:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\89‡c:\program files\common files\microsoft shared\msinfo\en-us\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ôãdc:\program files\common files\microsoft shared\office16\office setup controller\Windows XP SP3 REAL VERSION.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv,ådc:\program files\common files\microsoft shared\ink\fsdefinitions\insert\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program fÿc:\program files\common files\microsoft shared\ink\th-th\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\83‡c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\ru\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\øvôó`çdc:\program files\common files\microsoft shared\ink\pl-pl\WinRAR 4.01 Cracked BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ c:\program files\common files\microsoft shared\vsto\10.0\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\øƒƒc:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\ink\ro-ro\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\Windows XP SP3 REAL VERSION.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\textconv\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\0ÿ{c:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\de\NORTON Internet security 2006.rar .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .scrc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\es\Matrix Reloaded.avi .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\ink\et-ee\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\pc:\progrÿc:\program files\common files\microsoft shared\ink\et-ee\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\8<‡c:\program files\common files\microsoft shared\ink\sk-sk\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\ink\sv-se\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\huôóðédc:\program files\common files\microsoft shared\clicktorun\WinRAR 4.01 Cracked BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program fÿc:\program files\common files\microsoft shared\ink\pt-pt\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .pifc:\program files\common files\microsoft shared\Internet Explorer 7 FULL BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\87‡c:\program files\common files\microsoft shared\ink\et-ee\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ôãdc:\program files\common files\microsoft shared\msinfo\de-de\Windows XP SP3 REAL VERSION.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .scrc:\program files\common files\microsoft shared\vsto\10.0\Hacking for Dummies.pdf .cpl	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ðÜdc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\de\Hacking for Dummies.pdf .cpl	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\dádc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\ru\Windows XP SP3 REAL VERSION.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\ink\bg-bg\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\ink\sk-sk\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\office16\office setup controller\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ forc:\program files\common files\microsoft shared\officesoftwareprotectionplatform\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\8<‡c:\program files\common files\microsoft shared\ink\ja-jp\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\8<‡c:\program files\common files\microsoft shared\ink\lt-lt\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\x=‡c:\program files\common files\microsoft shared\ink\sr-latn-rs\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lvLêdc:\program files\common files\microsoft shared\clicktorun\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\pc:\program files\common files\microsoft shared\ink\el-gr\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\øvôó`çdc:\program files\common files\microsoft shared\ink\nl-nl\WinRAR 4.01 Cracked BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\textconv\en-us\Visual Studio .NET FULL.zip .cpl	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\øvôó`çdc:\program files\common files\microsoft shared\ink\el-gr\WinRAR 4.01 Cracked BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\øvôó`çdc:\program files\common files\microsoft shared\ink\lv-lv\WinRAR 4.01 Cracked BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ø7‡c:\program files\common files\microsoft shared\ink\fr-fr\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\x8‡c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\ink\nb-no\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program fÿc:\program files\common files\microsoft shared\ink\sl-si\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\clicktorun\Full warez download sites.html .pif	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\ink\fr-ca\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\89‡c:\program files\common files\microsoft shared\ink\nl-nl\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\c:\program files\common files\microsoft shared\office16\office setup controller\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\x9‡c:\program files\common files\microsoft shared\ink\da-dk\Windows 2000.iso .com	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv,ådc:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program fÿc:\program files\common files\microsoft shared\ink\ja-jp\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\øvôó`çdc:\program files\common files\microsoft shared\ink\pt-pt\WinRAR 4.01 Cracked BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\„ædc:\program files\common files\microsoft shared\vsto\Windows XP SP3 REAL VERSION.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv,ådc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\cs\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .cplc:\progÿc:\program files\common files\microsoft shared\ink\hr-hr\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .cplc:\progÿc:\program files\common files\microsoft shared\ink\hwrcustomization\WinAmp 5.08 FULL.zip .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv,ådc:\program files\dotnet\shared\microsoft.windowsdesktop.app\6.0.25\ru\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	\??\c:\program files\common files\microsoft shared\ink\ar-sa\NORTON Inte c:\program files\common files\microsoft shared\ink\bg-bg\NORTON Internet security 2006.rar .scr	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .scrc:\program files\common files\microsoft shared\triedit\Visual Studio .NET FULL.zip .cpl	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\,]lv¼çdc:\program files\common files\microsoft shared\ink\sr-latn-rs\Hacking and Virus Writing for Dummies.pdf .exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe
File created	C:\Users\Admin\AppData\Local\Temp\ .pifc:\program files\common files\microsoft shared\textconv\Internet Explorer 7 FULL BETA.exe	41ab5171ab01c33b6ab3c99c0bbc238b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe
4896	41ab5171ab01c33b6ab3c99c0bbc238b.exe

C:\Users\Admin\AppData\Local\Temp\41ab5171ab01c33b6ab3c99c0bbc238b.exe
"C:\Users\Admin\AppData\Local\Temp\41ab5171ab01c33b6ab3c99c0bbc238b.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 2168
  2⤵
  - Program crash
  PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4896 -ip 4896
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wkw4D2.tmp

Filesize
2.9MB

MD5
9062b2393a10482a43a1de1741cfb2ba

SHA1
ab3a2051932d3cb96d63672fbdcd731f6b13f4fa

SHA256
0959500087ce2ff023accdbe17155a389aafc9961f9ac7049d3bb75031961553

SHA512
3372c57b707a82684fe0fec685c9f08791b5784566eca41e43b1baac669619019973a3ba974771e7bcb7816b06fac094879bb1689cb3b6db49f6b6a943e5c42c

Download Submit
memory/4896-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4896-410-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download