Analysis Overview
SHA256
747bc5eb611f174f110900d2466ee7a061f934ffb64932db2fad4af386731088
Threat Level: Known bad
The file 8d0a42410cef8bb15fd372a3676ac3d4 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
Modiloader family
Modifies WinLogon for persistence
ModiLoader Second Stage
ModiLoader Second Stage
Loads dropped DLL
Deletes itself
Checks computer location settings
Executes dropped EXE
UPX packed file
Adds Run key to start application
Maps connected drives based on registry
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Enumerates processes with tasklist
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-03 18:27
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modiloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-03 18:27
Reported
2024-02-03 18:29
Platform
win7-20231215-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\9b7b7593\\X" | C:\Windows\Explorer.EXE | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\HM23Yh.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\soice.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\HM23Yh.exe | N/A |
| N/A | N/A | C:\Users\Admin\soice.exe | N/A |
| N/A | N/A | C:\Users\Admin\awhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\awhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bwhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bwhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cwhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\dwhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9b7b7593\X | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\ewhost.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /J" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /a" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /Z" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /n" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /W" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /V" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /k" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /j" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /H" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /y" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /v" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /w" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /f" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /G" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /u" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /D" | C:\Users\Admin\HM23Yh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /L" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /R" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /M" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /N" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /A" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /K" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /U" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /h" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /l" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /x" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /B" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /X" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /F" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /q" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /T" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /S" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /Q" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /D" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /o" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /I" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /E" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /e" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /c" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /z" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /p" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /C" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /s" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /P" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /m" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /Y" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /t" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /g" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /d" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /b" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /O" | C:\Users\Admin\soice.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /r" | C:\Users\Admin\soice.exe | N/A |
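The three registry signatures above (the per-user Winlogon\Shell pointing at a dropped file, ShowSuperHidden forced to 0, and the same Run value rewritten dozens of times with a different switch) are the artifacts a responder would sweep other hosts for. The Python below is an added example, not part of the sandbox output: it parses rows in the report's own "Set value" shape, applies one rule per signature, and collapses the repeated Run-key rewrites into a single finding with a count. The sample rows are constructed from values on this page; the final ctfmon row is a benign control that does not appear in the report.

```python
"""Hunt rules for the registry persistence and evasion writes recorded in this report.

Added example (not sandbox output). Input rows use the report's own
"| Set value (kind) | <key>\\<name> = "<data>" | <writer> | N/A |" shape.
"""
from typing import Dict, List, Optional

HKU = r"\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000"

# Constructed from values on this page; the last (ctfmon) row is a benign
# control that is NOT in the report.
SAMPLE_ROWS = [
    "| Set value (str) | " + HKU + r'\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\9b7b7593\\X" | C:\Windows\Explorer.EXE | N/A |',
    "| Set value (int) | " + HKU + r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\HM23Yh.exe | N/A |',
    "| Set value (int) | " + HKU + r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\soice.exe | N/A |',
    "| Set value (str) | " + HKU + r'\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /J" | C:\Users\Admin\soice.exe | N/A |',
    "| Set value (str) | " + HKU + r'\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /a" | C:\Users\Admin\soice.exe | N/A |',
    "| Set value (str) | " + HKU + r'\Software\Microsoft\Windows\CurrentVersion\Run\soice = "C:\\Users\\Admin\\soice.exe /D" | C:\Users\Admin\HM23Yh.exe | N/A |',
    "| Set value (str) | " + HKU + r'\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon = "C:\\Windows\\System32\\ctfmon.exe" | C:\Windows\explorer.exe | N/A |',
]


def parse_row(row: str) -> Optional[Dict[str, str]]:
    """Split one report row into key, value name, unescaped data and writer process."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 4 or not cells[0].startswith("Set value"):
        return None
    path, _, data = cells[1].partition(" = ")
    data = data.strip('"').replace("\\\\", "\\")  # the report doubles backslashes inside quotes
    key, _, name = path.rpartition("\\")
    return {"key": key, "name": name, "data": data, "writer": cells[2]}


def exe_of(data: str) -> str:
    """Image path from Run-key data ("<path> [switches]"); quoted paths are unquoted."""
    d = data.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)].lower()
    return d.split(" ", 1)[0].lower()


def classify(ev: Dict[str, str]) -> Optional[str]:
    key, name, data = ev["key"].lower(), ev["name"].lower(), ev["data"]
    # Per-user Winlogon\Shell is normally absent; anything but explorer.exe replaces the shell at logon.
    if key.endswith("\\winlogon") and name == "shell" and data.lower() != "explorer.exe":
        return "winlogon_shell_hijack"
    # ShowSuperHidden=0 hides protected OS files, which is where the dropped files are parked.
    if key.endswith("\\explorer\\advanced") and name == "showsuperhidden" and data == "0":
        return "hide_protected_files"
    # Run entries that launch something out of a user-writable profile directory.
    if key.endswith("\\currentversion\\run") and exe_of(data).startswith("c:\\users\\"):
        return "run_from_user_profile"
    return None


def hunt(rows: List[str]) -> List[Dict]:
    """One finding per (rule, value); repeated rewrites of the same value are counted, not listed."""
    agg: Dict[tuple, Dict] = {}
    for row in rows:
        ev = parse_row(row)
        rule = classify(ev) if ev else None
        if rule is None:
            continue
        k = (rule, ev["key"].lower(), ev["name"].lower())
        f = agg.setdefault(k, {"rule": rule, "value": ev["key"] + "\\" + ev["name"],
                               "count": 0, "writers": set(), "data": []})
        f["count"] += 1
        f["writers"].add(ev["writer"])
        if ev["data"] not in f["data"]:
            f["data"].append(ev["data"])
    return list(agg.values())


if __name__ == "__main__":
    for f in hunt(SAMPLE_ROWS):
        print(f["rule"], f["value"], "x%d" % f["count"], sorted(f["writers"]))
```

On a live host the same rules apply unchanged to registry value-set telemetry (Sysmon Event ID 13, or a parsed NTUSER.DAT); only `parse_row` changes. The collapse step matters: the report shows the soice value written over fifty times in 150 s, so a per-event alert would page fifty times for one persistence mechanism.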
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | \systemroot\assembly\GAC_64\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
| File created | \systemroot\assembly\GAC_32\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\awhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\awhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\bwhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\bwhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1792 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe | C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe |
| PID 2808 set thread context of 1532 | N/A | C:\Users\Admin\awhost.exe | C:\Users\Admin\awhost.exe |
| PID 1840 set thread context of 1896 | N/A | C:\Users\Admin\bwhost.exe | C:\Users\Admin\bwhost.exe |
| PID 2184 set thread context of 2320 | N/A | C:\Users\Admin\dwhost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \registry\machine\Software\Classes\Interface\{1a74ef5b-e0c8-3427-8f23-6f47e43457d2} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1a74ef5b-e0c8-3427-8f23-6f47e43457d2}\u = "860049491" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1a74ef5b-e0c8-3427-8f23-6f47e43457d2}\cid = "3089948495662539957" | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe | N/A |
| N/A | N/A | C:\Users\Admin\HM23Yh.exe | N/A |
| N/A | N/A | C:\Users\Admin\soice.exe | N/A |
| N/A | N/A | C:\Users\Admin\ewhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe | "C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe | 8d0a42410cef8bb15fd372a3676ac3d4.exe |
| C:\Users\Admin\HM23Yh.exe | C:\Users\Admin\HM23Yh.exe |
| C:\Users\Admin\soice.exe | "C:\Users\Admin\soice.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del HM23Yh.exe |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Users\Admin\awhost.exe | C:\Users\Admin\awhost.exe |
| C:\Users\Admin\awhost.exe | awhost.exe |
| C:\Users\Admin\bwhost.exe | C:\Users\Admin\bwhost.exe |
| C:\Users\Admin\bwhost.exe | bwhost.exe |
| C:\Users\Admin\cwhost.exe | C:\Users\Admin\cwhost.exe |
| C:\Windows\explorer.exe | 00000088* |
| C:\Users\Admin\dwhost.exe | C:\Users\Admin\dwhost.exe |
| C:\Users\Admin\AppData\Local\9b7b7593\X | 193.105.154.210:80 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Users\Admin\ewhost.exe | C:\Users\Admin\ewhost.exe |
| C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del 8d0a42410cef8bb15fd372a3676ac3d4.exe |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
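Two things in the process data above deserve a rule rather than a glance. The SetThreadContext rows show the loader and the `?whost.exe` copies targeting a second instance of their own image (the classic suspend, unmap, write, set-context hollowing sequence, consistent with the UnmapMainImage and WriteProcessMemory signatures), while dwhost.exe targets cmd.exe instead. The command lines show the `cmd.exe /c tasklist&&del <file>` self-deletion idiom twice, and two processes whose command line does not name their image at all (explorer.exe started as `00000088*`, the dropped `X` started with the C2 address as its only argument). The Python below is an added example, not part of the report: it parses rows in the report's own shapes and applies those three checks. Sample input is constructed from values on this page.

```python
"""Triage SetThreadContext rows and process command lines from a sandbox report.

Added example (not sandbox output). Rows follow the report's
"| PID A set thread context of B | N/A | <source image> | <target image> |" shape;
processes are (image path, command line) pairs from the Processes section.
"""
import re
from typing import Dict, List, Tuple

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
# "cmd.exe /c tasklist&&del <file>": tasklist is only a delay so the caller can exit
# before del runs against its (then unlocked) image file.
SELF_DELETE_RE = re.compile(r'cmd\.exe"?\s+/c\s+tasklist\s*&&\s*del\s+(\S+)', re.IGNORECASE)

# Constructed from the SetThreadContext table on this page.
THREAD_CONTEXT_ROWS = [
    r"| PID 1792 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe | C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe |",
    r"| PID 2808 set thread context of 1532 | N/A | C:\Users\Admin\awhost.exe | C:\Users\Admin\awhost.exe |",
    r"| PID 1840 set thread context of 1896 | N/A | C:\Users\Admin\bwhost.exe | C:\Users\Admin\bwhost.exe |",
    r"| PID 2184 set thread context of 2320 | N/A | C:\Users\Admin\dwhost.exe | C:\Windows\SysWOW64\cmd.exe |",
]

# Constructed from the Processes section on this page (subset).
PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe", r"8d0a42410cef8bb15fd372a3676ac3d4.exe"),
    (r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c tasklist&&del HM23Yh.exe'),
    (r"C:\Windows\SysWOW64\tasklist.exe", r"tasklist"),
    (r"C:\Windows\explorer.exe", r"00000088*"),
    (r"C:\Users\Admin\AppData\Local\9b7b7593\X", r"193.105.154.210:80"),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c tasklist&&del 8d0a42410cef8bb15fd372a3676ac3d4.exe'),
]


def classify_thread_context(rows: List[str]) -> List[Dict]:
    """Self-hollowing when source and target image match, otherwise cross-process injection."""
    out = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        m = CTX_RE.search(cells[0]) if cells else None
        if not m or len(cells) < 4:
            continue
        src, dst = cells[2], cells[3]
        kind = "self_hollowing" if src.lower() == dst.lower() else "cross_process_injection"
        out.append({"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                    "src": src, "dst": dst, "kind": kind})
    return out


def basename_stem(path: str) -> str:
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def first_token(cmdline: str) -> str:
    """argv[0] of a Windows command line, honouring a leading quoted path."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split(" ", 1)[0]


def review_command_lines(procs: List[Tuple[str, str]]) -> List[Dict]:
    findings = []
    for image, cmdline in procs:
        m = SELF_DELETE_RE.search(cmdline)
        if m:
            findings.append({"rule": "self_delete_after_tasklist", "image": image, "deleted": m.group(1)})
        # argv[0] should name the image; a bare "00000088*" or "ip:port" means the
        # command line was supplied by whoever spawned (or hollowed) the process.
        if basename_stem(first_token(cmdline)) != basename_stem(image):
            findings.append({"rule": "cmdline_image_mismatch", "image": image, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for c in classify_thread_context(THREAD_CONTEXT_ROWS):
        print(c["kind"], c["src_pid"], "->", c["dst_pid"], c["dst"])
    for f in review_command_lines(PROCESSES):
        print(f)
```

The command-line check is deliberately loose (stem comparison, no extension) because the same table shows legitimate `tasklist` and `wmiadap.exe /F /T /R` forms; tighten it per image if it is noisy in your environment. The dwhost.exe row is the one to chase first: a user-profile binary setting the context of a thread in cmd.exe is injection into a signed system process, not self-hollowing.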
Network
| Country | Destination | Proto | Domain |
| FR | 193.105.154.210:80 | tcp | |
| FR | 193.105.154.210:80 | tcp | |
| FR | 193.105.154.210:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| KZ | 84.240.216.182:21860 | tcp | |
| SE | 90.231.219.36:21860 | tcp | |
| TN | 197.0.45.149:21860 | tcp | |
| RU | 95.30.62.245:21860 | tcp | |
| US | 89.208.180.159:21860 | tcp | |
| US | 69.180.122.195:21860 | tcp | |
| DE | 85.181.27.81:21860 | tcp | |
| GB | 188.29.147.160:21860 | tcp | |
| IN | 124.125.189.147:21860 | tcp | |
| TR | 94.54.229.143:21860 | tcp | |
| IR | 89.47.199.16:21860 | tcp | |
| DK | 62.107.154.74:21860 | tcp | |
| RO | 95.76.18.178:21860 | tcp | |
| IT | 217.203.139.77:21860 | tcp | |
| SK | 158.195.206.218:21860 | tcp | |
| IN | 121.245.131.180:21860 | tcp | |
| UA | 46.119.64.243:21860 | tcp | |
| ES | 188.26.195.243:21860 | tcp | |
| LT | 84.55.3.24:21860 | tcp | |
| NL | 83.84.247.234:21860 | tcp | |
| HU | 86.101.153.188:21860 | tcp | |
| IN | 14.99.141.68:21860 | tcp | |
| RU | 95.79.119.116:21860 | tcp | |
| SE | 95.209.136.181:21860 | tcp | |
| ES | 79.149.195.163:21860 | tcp | |
| US | 76.114.224.119:21860 | tcp | |
| MK | 95.86.44.33:21860 | tcp | |
| CA | 96.30.141.163:21860 | tcp | |
| UA | 77.121.203.121:21860 | tcp | |
| IT | 2.193.125.205:21860 | tcp | |
| IN | 14.99.171.51:21860 | tcp | |
| IN | 92.50.4.18:21860 | tcp | |
| US | 74.88.56.115:21860 | tcp | |
| RU | 2.93.119.124:21860 | tcp | |
| MD | 188.131.108.71:21860 | tcp | |
| IR | 91.98.209.239:21860 | tcp | |
| SE | 79.138.197.235:21860 | tcp | |
| US | 65.175.148.200:21860 | tcp | |
| US | 24.209.97.115:21860 | tcp | |
| SE | 81.233.129.120:21860 | tcp | |
| DE | 94.134.67.99:21860 | tcp | |
| AU | 124.187.136.2:21860 | tcp | |
| IR | 2.180.50.191:21860 | tcp | |
| VE | 201.248.138.52:21860 | tcp | |
| IN | 49.249.161.83:21860 | tcp | |
| PL | 93.105.13.159:21860 | tcp | |
| MN | 202.179.30.163:21860 | tcp | |
| BG | 92.247.215.79:21860 | tcp | |
| BR | 187.94.162.48:21860 | tcp | |
| US | 24.22.238.85:21860 | tcp | |
| UA | 62.205.141.141:21860 | tcp | |
| TW | 118.160.68.78:21860 | tcp | |
| LT | 86.100.152.251:21860 | tcp | |
| FR | 82.238.30.249:21860 | tcp | |
| US | 98.166.204.96:21860 | tcp | |
| SE | 90.225.5.188:21860 | tcp | |
| PT | 93.102.89.10:21860 | tcp | |
| SE | 90.237.132.44:21860 | tcp | |
| BR | 187.126.103.45:21860 | tcp | |
| IN | 14.96.161.253:21860 | tcp | |
| JP | 180.0.93.181:21860 | tcp | |
| CL | 190.160.85.57:21860 | tcp | |
| TR | 176.54.156.145:21860 | tcp | |
| US | 70.189.248.99:21860 | tcp | |
| UA | 193.105.135.93:21860 | tcp | |
| PH | 49.145.123.223:21860 | tcp | |
| IN | 115.184.116.2:21860 | tcp | |
| BR | 189.69.66.170:21860 | tcp | |
| AR | 177.37.43.27:21860 | tcp | |
| US | 72.100.137.3:21860 | tcp | |
| US | 1.186.2.110:21860 | tcp | |
| ES | 77.224.219.34:21860 | tcp | |
| DE | 116.202.91.18:21860 | tcp | |
| CN | 112.65.251.2:21860 | tcp | |
| ZA | 41.151.69.200:21860 | tcp | |
| US | 75.118.205.148:21860 | tcp | |
| US | 98.154.167.191:21860 | tcp | |
| MK | 95.180.192.61:21860 | tcp | |
| JP | 61.86.13.220:21860 | tcp | |
| KR | 175.197.9.187:21860 | tcp | |
| HK | 219.79.72.238:21860 | tcp | |
| IN | 115.115.71.211:21860 | tcp | |
| KZ | 89.40.52.114:21860 | tcp | |
| CA | 174.142.53.58:21860 | tcp | |
| US | 99.109.125.151:21860 | tcp | |
| US | 71.63.30.124:21860 | tcp | |
| ES | 213.60.67.99:21860 | tcp | |
| IN | 115.118.244.107:21860 | tcp | |
| CA | 132.206.216.115:21860 | tcp | |
| US | 98.244.17.89:21860 | tcp | |
| AT | 212.186.29.32:21860 | tcp | |
| RU | 2.93.247.239:21860 | tcp | |
| KR | 203.236.187.81:21860 | tcp | |
| TR | 89.19.31.222:21860 | tcp | |
| ES | 81.202.97.206:21860 | tcp | |
| IN | 59.161.118.250:21860 | tcp | |
| IE | 178.167.196.110:21860 | tcp | |
| GM | 212.60.64.114:21860 | tcp | |
| IN | 117.197.121.134:21860 | tcp | |
| HK | 180.215.201.115:21860 | tcp | |
| IN | 113.193.138.238:21860 | tcp | |
| AU | 123.3.77.139:21860 | tcp | |
| ID | 180.246.44.195:21860 | tcp | |
| IT | 151.37.162.90:21860 | tcp | |
| CA | 99.233.191.12:21860 | tcp | |
| TW | 114.46.122.76:21860 | tcp | |
| RO | 188.24.9.180:21860 | tcp | |
| DE | 116.202.156.243:21860 | tcp | |
| GB | 82.43.43.63:21860 | tcp | |
| TW | 140.115.113.169:21860 | tcp | |
| MN | 202.9.44.169:21860 | tcp | |
| RO | 82.210.143.134:21860 | tcp | |
| HK | 121.203.203.240:21860 | tcp | |
| DE | 77.47.54.106:21860 | tcp | |
| HU | 93.190.1.213:21860 | tcp | |
| ES | 95.125.207.71:21860 | tcp | |
| US | 68.62.131.96:21860 | tcp | |
| MA | 105.139.200.66:21860 | tcp | |
| DE | 88.134.5.69:21860 | tcp | |
| NO | 84.202.17.231:21860 | tcp | |
| TW | 118.232.88.104:21860 | tcp | |
| RO | 188.27.87.65:21860 | tcp | |
| IN | 115.242.253.41:21860 | tcp | |
| PL | 31.63.154.255:21860 | tcp | |
| IN | 113.193.164.178:21860 | tcp | |
| IN | 116.74.8.124:21860 | tcp | |
| EE | 93.185.253.36:21860 | tcp | |
| US | 75.217.81.171:21860 | tcp | |
| US | 76.170.32.83:21860 | tcp | |
| SE | 213.100.142.182:21860 | tcp | |
| IN | 117.197.74.72:21860 | tcp | |
| TR | 213.43.168.225:21860 | tcp | |
| US | 98.235.9.77:21860 | tcp | |
| IN | 115.240.31.89:21860 | tcp | |
| US | 69.207.39.188:21860 | tcp | |
| IN | 115.240.127.50:21860 | tcp | |
| IN | 116.193.140.175:21860 | tcp | |
| CA | 174.1.51.115:21860 | tcp | |
| BD | 203.194.117.139:21860 | tcp | |
| NG | 41.138.172.174:21860 | tcp | |
| UA | 46.203.62.115:21860 | tcp | |
| HR | 31.147.43.17:21860 | tcp | |
| US | 75.219.233.188:21860 | tcp | |
| RU | 212.107.241.30:21860 | tcp | |
| DK | 86.52.54.120:21860 | tcp | |
| IN | 115.118.244.97:21860 | tcp | |
| RU | 95.84.3.30:21860 | tcp | |
| US | 69.137.82.164:21860 | tcp | |
| TW | 125.230.201.242:21860 | tcp | |
| UA | 176.8.53.91:21860 | tcp | |
| TW | 140.124.73.45:21860 | tcp | |
| AE | 92.96.164.203:21860 | tcp | |
| US | 71.79.133.70:21860 | tcp | |
| GB | 31.220.201.129:21860 | tcp | |
| PK | 119.154.181.113:21860 | tcp | |
| ES | 95.127.36.196:21860 | tcp | |
| IN | 27.5.98.189:21860 | tcp | |
| IN | 1.22.233.82:21860 | tcp | |
| GB | 188.28.217.78:21860 | tcp | |
| CA | 68.146.168.42:21860 | tcp | |
| IN | 27.107.199.203:21860 | tcp | |
| BG | 84.54.140.248:21860 | tcp | |
| US | 67.246.122.187:21860 | tcp | |
| AR | 190.221.112.145:21860 | tcp | |
| AU | 122.110.183.249:21860 | tcp | |
| IT | 109.54.124.143:21860 | tcp | |
| FR | 151.80.140.82:21860 | tcp | |
| TH | 115.87.117.191:21860 | tcp | |
| GB | 81.98.11.104:21860 | tcp | |
| US | 76.97.18.93:21860 | tcp | |
| AT | 85.127.179.65:21860 | tcp | |
| RU | 79.135.64.178:21860 | tcp | |
| CH | 85.218.48.232:21860 | tcp | |
| IN | 14.96.172.217:21860 | tcp | |
| US | 208.102.209.21:21860 | tcp | |
| ES | 79.116.221.144:21860 | tcp | |
| US | 98.155.220.82:21860 | tcp | |
| US | 98.249.148.222:21860 | tcp | |
| MK | 88.85.127.82:21860 | tcp | |
| IT | 82.84.69.161:21860 | tcp | |
| IR | 2.185.32.250:21860 | tcp | |
| KZ | 95.58.197.90:21860 | tcp | |
| FR | 78.193.52.209:21860 | tcp | |
| US | 76.181.204.224:21860 | tcp | |
| PL | 78.8.140.245:21860 | tcp | |
| ES | 88.29.115.45:21860 | tcp | |
| SE | 213.114.153.6:21860 | tcp | |
| FI | 193.199.101.129:21860 | tcp | |
| UA | 46.118.208.168:21860 | tcp | |
| US | 24.3.9.7:21860 | tcp | |
| ES | 79.116.143.100:21860 | tcp | |
| NL | 109.236.83.205:21860 | tcp | |
| FI | 88.193.31.151:21860 | tcp | |
| BG | 78.90.60.160:21860 | tcp | |
| IN | 121.245.15.145:21860 | tcp | |
| US | 24.231.200.214:21860 | tcp | |
| IN | 115.240.114.160:21860 | tcp | |
| US | 75.72.247.11:21860 | tcp | |
| AR | 190.178.203.176:21860 | tcp | |
| VE | 186.165.67.201:21860 | tcp | |
| KZ | 87.247.33.13:25700 | tcp | |
| BG | 46.237.65.192:25700 | tcp | |
| RU | 31.134.28.197:25700 | tcp | |
| KZ | 62.84.59.115:25700 | tcp | |
| US | 76.88.225.64:25700 | tcp | |
| MY | 115.132.53.247:25700 | tcp | |
| KZ | 84.240.227.52:25700 | tcp | |
| US | 24.145.233.38:25700 | tcp | |
| KZ | 85.29.183.44:25700 | tcp | |
| US | 173.98.96.11:25700 | tcp | |
| PL | 91.207.60.22:25700 | tcp | |
| BR | 201.3.190.62:25700 | tcp | |
| US | 24.91.136.219:25700 | tcp | |
| NO | 46.9.156.50:25700 | tcp | |
| US | 67.172.15.197:25700 | tcp | |
| US | 98.176.206.145:25700 | tcp | |
| US | 76.181.106.57:25700 | tcp | |
| US | 66.56.156.163:25700 | tcp | |
| US | 50.10.139.103:25700 | tcp | |
| US | 173.21.36.182:25700 | tcp | |
| US | 24.30.83.136:25700 | tcp | |
| US | 24.131.109.230:25700 | tcp | |
| CA | 70.73.33.191:25700 | tcp | |
| BR | 177.27.225.155:25700 | tcp | |
| IR | 2.146.57.45:25700 | tcp | |
| DE | 77.23.141.20:25700 | tcp | |
| US | 72.199.23.59:25700 | tcp | |
| BR | 187.39.188.230:25700 | tcp | |
| US | 76.203.200.156:25700 | tcp | |
| US | 174.48.223.63:25700 | tcp | |
| US | 69.125.22.247:25700 | tcp | |
| RU | 91.215.143.172:25700 | tcp | |
| GB | 95.111.144.10:25700 | tcp | |
| FI | 85.76.0.203:25700 | tcp | |
| ZA | 41.151.38.1:25700 | tcp | |
| US | 174.48.203.169:25700 | tcp | |
| US | 76.178.88.122:25700 | tcp | |
| US | 98.231.251.222:25700 | tcp | |
| US | 68.53.148.33:25700 | tcp | |
| KG | 109.201.182.216:25700 | tcp | |
| IR | 94.74.167.64:25700 | tcp | |
| US | 76.108.62.93:25700 | tcp | |
| US | 69.29.111.208:25700 | tcp | |
| US | 173.26.197.202:25700 | tcp | |
| FR | 81.253.20.170:25700 | tcp | |
| KZ | 84.240.220.11:25700 | tcp | |
| AE | 91.73.127.133:25700 | tcp | |
| US | 71.80.92.49:25700 | tcp | |
| DE | 95.114.184.182:25700 | tcp | |
| US | 69.120.24.139:25700 | tcp | |
| US | 68.103.79.198:25700 | tcp | |
| US | 107.3.180.48:25700 | tcp | |
| KZ | 92.47.20.19:25700 | tcp | |
| US | 75.134.177.1:25700 | tcp | |
| US | 66.168.97.177:25700 | tcp | |
| PL | 46.186.45.177:25700 | tcp | |
| US | 99.58.166.29:25700 | tcp | |
| US | 68.57.143.110:25700 | tcp | |
| DE | 85.177.9.71:25700 | tcp | |
| US | 24.46.122.99:25700 | tcp | |
| KZ | 178.90.74.153:25700 | tcp | |
| GB | 89.37.94.22:25700 | tcp | |
| IT | 151.83.70.184:25700 | tcp | |
| US | 68.63.43.33:25700 | tcp | |
| AE | 92.96.147.40:25700 | tcp | |
| US | 68.112.101.216:25700 | tcp | |
| RU | 95.28.68.173:25700 | tcp | |
| FI | 85.76.172.74:25700 | tcp | |
| US | 216.96.203.186:25700 | tcp | |
| US | 76.182.147.51:25700 | tcp | |
| US | 69.137.168.41:25700 | tcp | |
| US | 184.100.182.161:25700 | tcp | |
| US | 50.83.56.179:25700 | tcp | |
| FI | 193.199.38.244:25700 | tcp | |
| US | 74.62.70.92:25700 | tcp | |
| US | 75.139.80.72:25700 | tcp | |
| US | 68.187.138.228:25700 | tcp | |
| KZ | 178.91.172.142:25700 | tcp | |
| US | 68.190.217.152:25700 | tcp | |
| HK | 124.244.184.185:25700 | tcp | |
| IR | 91.98.193.167:25700 | tcp | |
| RU | 95.25.77.89:25700 | tcp | |
| US | 174.69.218.68:25700 | tcp | |
| US | 68.11.134.106:25700 | tcp | |
| US | 72.159.141.230:25700 | tcp | |
| KZ | 95.58.208.118:25700 | tcp | |
Files
\Users\Admin\HM23Yh.exe
| MD5 | b9204dce58a6e81de3b3306eb6cb03e5 |
| SHA1 | ceb777de961f82c42b9b71dca67b8e56a31908a3 |
| SHA256 | 438f71f74c972c3ed35a21bbc93cbc8dd1fb3cf17fd789ae730e60e53816b472 |
| SHA512 | f555f397416efd33bf9591dd08ad27a4dfed1d26cbfb9d73dc4c3ae130da8ce254d4bfc1e70406f3c92565d28e045469b3ba3b172bd5d19c5876708bb1aa37ed |
\Users\Admin\soice.exe
| MD5 | c8605857dbc3c225c771854d42e5eab2 |
| SHA1 | 09222141916e074b9a062d5940191297b57e1016 |
| SHA256 | 2f3d9f1e17b1afe3db1edb08f29f2869cff5296395edff2ea34cf5494857f60c |
| SHA512 | c01a9a3cb230202bbd3a3ab33d5214aa72a5562c5794395404d4af4003c4c7c217cd0b0d3ad0f40176aa142f6dfabb9f7f4cde0ed762a6e5c79e2aa27ee40da6 |
\Users\Admin\awhost.exe
| MD5 | 5efdb148d618a6b6d2369fccd60f4212 |
| SHA1 | 7e2045b55c33af87848088738215af2bf7ad0b9b |
| SHA256 | db7e3eef1813f386579a2dd11587077c6888809ac9c9e33c7584eb301402203b |
| SHA512 | e63d8d4caf1cc98bc9beb168302c89885b12175a5802e2e7f507d30bce04eb67ce1f81519f544da297bbb581f59c5baab8ed3fd9b3f7f911a884095603587a21 |
\Users\Admin\bwhost.exe
| MD5 | 2dd258fd2e5a7fccd81b8af93c08780b |
| SHA1 | a5373acdb7f4684b032954e9e754593ddcc827b2 |
| SHA256 | 00d8a5382bc4f61a6836bc2b22c05b57485bdf2550188c456f1a854d8a885ca9 |
| SHA512 | 20048701859ed645bc678a3a45a3ef45cee1d31edfba2ab6cc8edbb03bad6174b541694ac09f4dc58c58241a93d592deb049c33d22ef3cc9f0a6eaac925111df |
\Users\Admin\cwhost.exe
| MD5 | d91ada984db5e7adbf2b80c2284c12f6 |
| SHA1 | 31e9b27095ac041687b016006f41ea6e5222202d |
| SHA256 | 8cbabd93630154a79f8f0c52964f330b44b427631403c3eef4b6c6fc87649948 |
| SHA512 | 8a0eea5b8ffc4c8d4bdf1e551e6c11e8d188f2209666e2f4b6a74bed99105264510a612a7a1e72f7142584386891ab4aa95946110b8fe623d5b2035494da0748 |
\Users\Admin\dwhost.exe
| MD5 | 1aceb282a6d05fcc08f3f74f5483bf0a |
| SHA1 | 778e34df0c35fee3ab8b7f1af14b2b4ce948ea7b |
| SHA256 | d62b7050a4ada5513bb9f24c79cf782a8675122ef7833bc8c91cb107fe71fc6d |
| SHA512 | 5f2c02faa69f1f3f32affc898773d92738a9944a59ad2a28cebe192b0ad1089363c8e3bbc1d202097b160c1b2dada71fc0f03a1a0744dbc2c72cc3273a4629f8 |
C:\Windows\system32\consrv.DLL
| MD5 | c7570a7e24b29ee04a48c2c99da2587b |
| SHA1 | b6e3635a8de44b1635e8d362ac131e14281feb24 |
| SHA256 | 717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b |
| SHA512 | 57479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572 |
\Windows\assembly\GAC_32\Desktop.ini
| MD5 | 80dbc7d15fdf94f16bb4a739cd9c3f98 |
| SHA1 | c0f3f20b360ce78cc153fa514e5f62c06f68feb7 |
| SHA256 | 20b2d1e1b5348ed92f7e2eaedba4348e446970c13c6226f34a816503aa956c91 |
| SHA512 | cf8d820104ee3db4a103fb19d38267fe2f5095a29777bf3bcde95d4299360681cedd421251af92038da3f8709e68f101f7326ad9abdd087a59ca83adec87bc48 |
C:\Users\Admin\AppData\Local\9b7b7593\X
| MD5 | 686b479b0ee164cf1744a8be359ebb7d |
| SHA1 | 8615e8f967276a85110b198d575982a958581a07 |
| SHA256 | fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b |
| SHA512 | 7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64 |
\Windows\assembly\GAC_64\Desktop.ini
| MD5 | 78ab98fd9228277f2638fd93cd703016 |
| SHA1 | 1640ee7f500074c155a5af431e9d125a4ec2cea5 |
| SHA256 | e0517a9584af6cfd4f1e6d280e086b20fd576b90b32f9ddac916de03a53b766c |
| SHA512 | d98ed49a83d5b50737a674e4421cea4cbe353f80234d2d5a8df82995a0d81e9524f23919ca600afb98bc676a8f93e7c0df73c22cae9b3fc624027800ba9dcc76 |
C:\Users\Admin\AppData\Local\9b7b7593\@
| MD5 | 9f07c4a67dbf752b6e32e815c0ac7728 |
| SHA1 | faef5b8f91e00af204351136aa884ce790c70c55 |
| SHA256 | 7ead63d0c9b4261f952aeaacd5a61a99998df9a07f3b5d770e8e7c8910b76651 |
| SHA512 | 280cc13e0af907b5779cfda9902dea5618eae5e844e09912f2685c7df52ce9fa15b93eb05f71e52fae30d425a6fa540b29a78210414004f4ba4fc8c87408ce4e |
C:\Users\Admin\ewhost.exe
| MD5 | 4bcd12fdaa17197a658a5113af9120ec |
| SHA1 | 3ac79b0b793e390cf1dea82c1754ec34aab1ea46 |
| SHA256 | e781bf0233fb732b4b6935255af5cf33b7f0a58bad54b70408c347d2e83dbf96 |
| SHA512 | dab61b32fc43b2f55a197ebdf1b8c5709ed97e99530fb31a33ec077c25812f075733ff5e97cc5eebe01d8b83cd29ba104caba02b7a8cdf7e13f43e18432ccbdd |
\??\globalroot\systemroot\assembly\temp\@
| MD5 | a47ef07c79e7afc3fa7f2d111b89d04e |
| SHA1 | 29afc89ed82340e258f9e963554095ce98642291 |
| SHA256 | ff7320b34a0247a4bb3cf5e9298ecdabe4d8f9b407793aab0f0cc0279b7b9815 |
| SHA512 | 9f0f3f5cc512c95f975f85d163ac621613990ffc3a71ede9907791bfad414745e1f9c0f6819b18a306e42f78802d8501383cf8fbde24535bdaaf9eaa363b1889 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-03 18:27
Reported
2024-02-03 18:29
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\HM23Yh.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\HM23Yh.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\HM23Yh.exe | N/A |
| N/A | N/A | C:\Users\Admin\zaoero.exe | N/A |
| N/A | N/A | C:\Users\Admin\awhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\awhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bwhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bwhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cwhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\dwhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\f8310c6e\X | N/A |
| N/A | N/A | C:\Users\Admin\ewhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /k" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /c" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /O" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /N" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /q" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /r" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /X" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /a" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /W" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /G" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /u" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /B" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /R" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /b" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /i" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /C" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /f" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /H" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /E" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /d" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /P" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /Y" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /Z" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /A" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /z" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /g" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /J" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /n" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /K" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /x" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /y" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /F" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /Q" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /T" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /m" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /j" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /w" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /I" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /v" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /t" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /p" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /s" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /L" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /D" | C:\Users\Admin\HM23Yh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /U" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /l" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /o" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /M" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /V" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /e" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /h" | C:\Users\Admin\zaoero.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaoero = "C:\\Users\\Admin\\zaoero.exe /D" | C:\Users\Admin\zaoero.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\awhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\awhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\bwhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\bwhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2712 set thread context of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe | C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe |
| PID 1424 set thread context of 3500 | N/A | C:\Users\Admin\awhost.exe | C:\Users\Admin\awhost.exe |
| PID 1908 set thread context of 4852 | N/A | C:\Users\Admin\bwhost.exe | C:\Users\Admin\bwhost.exe |
| PID 2404 set thread context of 2088 | N/A | C:\Users\Admin\dwhost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\dwhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe | N/A |
| N/A | N/A | C:\Users\Admin\HM23Yh.exe | N/A |
| N/A | N/A | C:\Users\Admin\zaoero.exe | N/A |
| N/A | N/A | C:\Users\Admin\ewhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe
"C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe"
C:\Users\Admin\AppData\Local\Temp\8d0a42410cef8bb15fd372a3676ac3d4.exe
8d0a42410cef8bb15fd372a3676ac3d4.exe
C:\Users\Admin\HM23Yh.exe
C:\Users\Admin\HM23Yh.exe
C:\Users\Admin\zaoero.exe
"C:\Users\Admin\zaoero.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del HM23Yh.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\awhost.exe
C:\Users\Admin\awhost.exe
C:\Users\Admin\awhost.exe
awhost.exe
C:\Users\Admin\bwhost.exe
C:\Users\Admin\bwhost.exe
C:\Users\Admin\bwhost.exe
bwhost.exe
C:\Users\Admin\cwhost.exe
C:\Users\Admin\cwhost.exe
C:\Windows\explorer.exe
000001D8*
C:\Users\Admin\dwhost.exe
C:\Users\Admin\dwhost.exe
C:\Users\Admin\AppData\Local\f8310c6e\X
193.105.154.210:80
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\ewhost.exe
C:\Users\Admin\ewhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 8d0a42410cef8bb15fd372a3676ac3d4.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FR | 193.105.154.210:80 | | tcp |
| FR | 193.105.154.210:80 | | tcp |
| FR | 193.105.154.210:80 | | tcp |
| FR | 193.105.154.210:80 | | tcp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\HM23Yh.exe
| MD5 | b9204dce58a6e81de3b3306eb6cb03e5 |
| SHA1 | ceb777de961f82c42b9b71dca67b8e56a31908a3 |
| SHA256 | 438f71f74c972c3ed35a21bbc93cbc8dd1fb3cf17fd789ae730e60e53816b472 |
| SHA512 | f555f397416efd33bf9591dd08ad27a4dfed1d26cbfb9d73dc4c3ae130da8ce254d4bfc1e70406f3c92565d28e045469b3ba3b172bd5d19c5876708bb1aa37ed |
C:\Users\Admin\zaoero.exe
| MD5 | 55ad3d3610ee9385d803247bc092fe9c |
| SHA1 | 2dd3f063e1508cf4527d4ace3276b21c0b5cd928 |
| SHA256 | b08408af2e71b242addf461df2b4fb0c707ad7778d3abc2d966af896088ac915 |
| SHA512 | f52228a6cdb0d1cf1f3994efe910b125d7f8100c46ef1bb094bd8a34808fc6d46be7352eadba1dd55b220fc2fde92fe2b76986ab0fc72a34e7eaf71db7ac426d |
C:\Users\Admin\awhost.exe
| MD5 | 5efdb148d618a6b6d2369fccd60f4212 |
| SHA1 | 7e2045b55c33af87848088738215af2bf7ad0b9b |
| SHA256 | db7e3eef1813f386579a2dd11587077c6888809ac9c9e33c7584eb301402203b |
| SHA512 | e63d8d4caf1cc98bc9beb168302c89885b12175a5802e2e7f507d30bce04eb67ce1f81519f544da297bbb581f59c5baab8ed3fd9b3f7f911a884095603587a21 |
C:\Users\Admin\awhost.exe
| MD5 | b07b737759893ad387d4f0a17eb77055 |
| SHA1 | aa7b72ae3d985848e056f1f9c118dac24148bb5d |
| SHA256 | 69f04e8360d20e5cd94859041ee5d76c5e01d09fd6b8ef5b71aaa7f83772d4b5 |
| SHA512 | 77ac990ab2605860c9ddb1d7210e3775141fd638413960ded1e7ed5a5d2061464eadfbf85cf3f2fe5d1e41a304219db453f2f46cd50229be47ea1c88156ad225 |
C:\Users\Admin\bwhost.exe
| MD5 | 2dd258fd2e5a7fccd81b8af93c08780b |
| SHA1 | a5373acdb7f4684b032954e9e754593ddcc827b2 |
| SHA256 | 00d8a5382bc4f61a6836bc2b22c05b57485bdf2550188c456f1a854d8a885ca9 |
| SHA512 | 20048701859ed645bc678a3a45a3ef45cee1d31edfba2ab6cc8edbb03bad6174b541694ac09f4dc58c58241a93d592deb049c33d22ef3cc9f0a6eaac925111df |
C:\Users\Admin\cwhost.exe
| MD5 | d91ada984db5e7adbf2b80c2284c12f6 |
| SHA1 | 31e9b27095ac041687b016006f41ea6e5222202d |
| SHA256 | 8cbabd93630154a79f8f0c52964f330b44b427631403c3eef4b6c6fc87649948 |
| SHA512 | 8a0eea5b8ffc4c8d4bdf1e551e6c11e8d188f2209666e2f4b6a74bed99105264510a612a7a1e72f7142584386891ab4aa95946110b8fe623d5b2035494da0748 |
C:\Users\Admin\dwhost.exe
| MD5 | 1aceb282a6d05fcc08f3f74f5483bf0a |
| SHA1 | 778e34df0c35fee3ab8b7f1af14b2b4ce948ea7b |
| SHA256 | d62b7050a4ada5513bb9f24c79cf782a8675122ef7833bc8c91cb107fe71fc6d |
| SHA512 | 5f2c02faa69f1f3f32affc898773d92738a9944a59ad2a28cebe192b0ad1089363c8e3bbc1d202097b160c1b2dada71fc0f03a1a0744dbc2c72cc3273a4629f8 |
C:\Users\Admin\AppData\Local\f8310c6e\X
| MD5 | 686b479b0ee164cf1744a8be359ebb7d |
| SHA1 | 8615e8f967276a85110b198d575982a958581a07 |
| SHA256 | fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b |
| SHA512 | 7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64 |
C:\Users\Admin\ewhost.exe
| MD5 | 4bcd12fdaa17197a658a5113af9120ec |
| SHA1 | 3ac79b0b793e390cf1dea82c1754ec34aab1ea46 |
| SHA256 | e781bf0233fb732b4b6935255af5cf33b7f0a58bad54b70408c347d2e83dbf96 |
| SHA512 | dab61b32fc43b2f55a197ebdf1b8c5709ed97e99530fb31a33ec077c25812f075733ff5e97cc5eebe01d8b83cd29ba104caba02b7a8cdf7e13f43e18432ccbdd |