Malware Analysis Report

2025-01-22 12:49

Sample ID 240522-nqy58sdb7s
Target 27x.rar
SHA256 33184189a2147d668d0ce93a88684e87144e54f32c50ff38018e840fe00298a8
Tags persistence upx vmprotect
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network and Files:

Analysis: behavioral5
Analysis: behavioral7
Analysis: behavioral8
Analysis: behavioral12
Analysis: behavioral13
Analysis: behavioral19
Analysis: behavioral20
Analysis: behavioral1
Analysis: behavioral6
Analysis: behavioral9
Analysis: behavioral10
Analysis: behavioral11
Analysis: behavioral17
Analysis: behavioral2
Analysis: behavioral3
Analysis: behavioral18
Analysis: behavioral4
Analysis: behavioral14
Analysis: behavioral15
Analysis: behavioral16

Analysis Overview

score
8/10

SHA256

33184189a2147d668d0ce93a88684e87144e54f32c50ff38018e840fe00298a8

Threat Level: Likely malicious

The file 27x.rar was found to be: Likely malicious.

Malicious Activity Summary

persistence upx vmprotect

Blocklisted process makes network request

VMProtect packed file

UPX packed file

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Program crash

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 11:36

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20240221-en

Max time kernel

140s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\miansha.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\miansha.exe

Processes

C:\Users\Admin\AppData\Local\Temp\miansha.exe

"C:\Users\Admin\AppData\Local\Temp\miansha.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 80

Network

N/A

Files

memory/2128-0-0x0000000000C00000-0x0000000000C0F000-memory.dmp

memory/2128-3-0x0000000000C00000-0x0000000000C0F000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20240419-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\perl530.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2416 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2416 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\perl530.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2416 -s 92

Network

N/A

Files

memory/2416-5-0x000007FEF4E90000-0x000007FEF5759000-memory.dmp

memory/2416-6-0x000007FEF4F22000-0x000007FEF5219000-memory.dmp

memory/2416-4-0x00000000773C0000-0x00000000773C2000-memory.dmp

memory/2416-9-0x000007FEF4E90000-0x000007FEF5759000-memory.dmp

memory/2416-2-0x00000000773C0000-0x00000000773C2000-memory.dmp

memory/2416-0-0x00000000773C0000-0x00000000773C2000-memory.dmp

memory/2416-10-0x000007FEF4F22000-0x000007FEF5219000-memory.dmp

memory/2416-11-0x000007FEF4E90000-0x000007FEF5759000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\perl530.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\notepad.exe
PID 2116 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\notepad.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\perl530.dll,#1

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 so.jstz.gov.cn udp
CN 58.218.215.165:443 so.jstz.gov.cn tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
CN 58.218.215.165:443 so.jstz.gov.cn tcp
CN 58.218.215.165:443 so.jstz.gov.cn tcp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 so.jstz.gov.cn udp
CN 58.218.215.165:443 so.jstz.gov.cn tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CN 58.218.215.165:443 so.jstz.gov.cn tcp
CN 58.218.215.165:443 so.jstz.gov.cn tcp

Files

memory/2116-0-0x00007FFEFB202000-0x00007FFEFB4F9000-memory.dmp

memory/2116-1-0x00007FFF194F0000-0x00007FFF194F2000-memory.dmp

memory/2116-2-0x00007FFEFB170000-0x00007FFEFBA39000-memory.dmp

memory/2116-5-0x00007FFF192F0000-0x00007FFF194E5000-memory.dmp

memory/2116-6-0x00000227B0590000-0x00000227B05E8000-memory.dmp

memory/2116-7-0x00007FFEFB170000-0x00007FFEFBA39000-memory.dmp

memory/2116-8-0x00007FFEFB202000-0x00007FFEFB4F9000-memory.dmp

memory/2116-9-0x00000227AECC0000-0x00000227AECC2000-memory.dmp
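The Network tables in this report mix what the sample did with what the sandbox image does on its own: reverse (in-addr.arpa) lookups through the 8.8.8.8 resolver and Bing traffic appear in runs of harmless binaries as well (compare behavioral20 and behavioral6). What remains after that noise is removed is the part worth keeping as indicators: in behavioral8 the rundll32-hosted perl530.dll repeatedly connects to so.jstz.gov.cn (58.218.215.165:443), windows.exe in behavioral12 connects to 8.137.117.105:9999, and the colorcpl.exe host in behavioral9/10 connects to 43.155.11.52:7777 and 8.134.187.253:80. The filter below is an added example, not part of the sandbox output; it parses the row format used in these tables (the sample rows are copied from behavioral8, behavioral12 and behavioral9), and the definition of "noise" (resolver PTR lookups, Bing telemetry) is an assumption about the sandbox image, not something the report states.

```python
"""Separate sandbox background traffic from connections worth chasing.

Added example for this report, not part of the sandbox output.  Input is
the 'Country Destination Domain Proto' row format of the Network tables;
the sample rows are copied from the behavioral8, behavioral12 and
behavioral9 tables.  Which traffic is noise is an assumption about what
the Windows sandbox image does by itself (PTR lookups via its resolver,
Bing telemetry), not something the report states.
"""
import re

SANDBOX_RESOLVER = "8.8.8.8"                                # the VM's DNS server
NOISE_SUFFIXES = ("in-addr.arpa", "bing.com", "bing.net")   # assumption
COMMON_PORTS = {80, 443}

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Constructed input: rows copied from the report's Network tables.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 so.jstz.gov.cn udp
CN 58.218.215.165:443 so.jstz.gov.cn tcp
CN 58.218.215.165:443 so.jstz.gov.cn tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 13.107.253.67:443 tcp
CN 8.137.117.105:9999 tcp
CN 8.137.117.105:9999 tcp
HK 43.155.11.52:7777 tcp
"""


def parse_rows(text):
    """Parse Network-table rows; the Domain column may be absent."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        row["domain"] = row["domain"] or ""
        rows.append(row)
    return rows


def is_noise_name(domain):
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def reasons_for(info):
    """Why a destination deserves analyst attention (stable order)."""
    reasons = []
    if info["port"] not in COMMON_PORTS:
        reasons.append(f"non-standard port {info['port']}")
    if not info["domain"]:
        reasons.append("no DNS name (hard-coded IP)")
    if info["count"] > 1:
        reasons.append("repeated connections")
    return reasons


def triage(rows):
    """Return (candidates, dns_names).

    candidates maps 'ip:port' to a summary of every flow that is not noise;
    dns_names holds the non-noise names queried through the resolver, since
    a name that was resolved but never connected to is still an indicator.
    """
    candidates, dns_names = {}, set()
    for r in rows:
        if r["ip"] == SANDBOX_RESOLVER and r["port"] == 53:
            if r["domain"] and not is_noise_name(r["domain"]):
                dns_names.add(r["domain"])
            continue
        if is_noise_name(r["domain"]):
            continue
        key = f"{r['ip']}:{r['port']}"
        info = candidates.setdefault(key, {
            "country": r["cc"], "domain": r["domain"], "proto": r["proto"],
            "port": r["port"], "count": 0,
        })
        info["count"] += 1
    for info in candidates.values():
        info["reasons"] = reasons_for(info)
    return candidates, dns_names


if __name__ == "__main__":
    cands, names = triage(parse_rows(SAMPLE_ROWS))
    for key, info in cands.items():
        print(f"{key:22} {info['country']} x{info['count']:<3} "
              f"{info['domain'] or '-':18} {'; '.join(info['reasons'])}")
    print("non-noise DNS lookups:", sorted(names))
```

Feed it a whole Network table and the output is the short list an analyst actually wants to block or hunt for; the DNS set matters because a name the sample resolved but could not reach (the sandbox may have had no route) is still a usable indicator.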

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\windows.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsProgram = "C:\\Users\\Admin\\WindowsData\\windows.exe" C:\Users\Admin\AppData\Local\Temp\windows.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\windows.exe

"C:\Users\Admin\AppData\Local\Temp\windows.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
CN 8.137.117.105:9999 tcp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
CN 8.137.117.105:9999 tcp

Files

memory/1188-0-0x0000000000260000-0x0000000000632000-memory.dmp

memory/1188-1-0x0000000000260000-0x0000000000632000-memory.dmp

memory/1188-7-0x0000021E63EF0000-0x0000021E63F3B000-memory.dmp

memory/1188-9-0x0000021E64080000-0x0000021E640D8000-memory.dmp

memory/1188-8-0x0000000000260000-0x0000000000632000-memory.dmp

memory/1188-10-0x0000000000260000-0x0000000000632000-memory.dmp

memory/1188-12-0x0000021E64080000-0x0000021E640D8000-memory.dmp

memory/1188-18-0x0000000000260000-0x0000000000632000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20231129-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\关于本校暑期放假规划和安排 .exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\关于本校暑期放假规划和安排 .exe

"C:\Users\Admin\AppData\Local\Temp\关于本校暑期放假规划和安排 .exe"

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\财会人员薪资补贴调所需材料z.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\财会人员薪资补贴调所需材料z.exe

"C:\Users\Admin\AppData\Local\Temp\财会人员薪资补贴调所需材料z.exe"

Network

N/A

Files

memory/2868-0-0x0000000001D10000-0x0000000001D96000-memory.dmp

memory/2868-1-0x0000000001D10000-0x0000000001D96000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\财会人员薪资补贴调所需材料z.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\财会人员薪资补贴调所需材料z.exe

"C:\Users\Admin\AppData\Local\Temp\财会人员薪资补贴调所需材料z.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/2572-0-0x0000000002350000-0x00000000023D6000-memory.dmp

memory/2572-1-0x0000000002350000-0x00000000023D6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\calc64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\calc64.exe

"C:\Users\Admin\AppData\Local\Temp\calc64.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\miansha.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\miansha.exe

Processes

C:\Users\Admin\AppData\Local\Temp\miansha.exe

"C:\Users\Admin\AppData\Local\Temp\miansha.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 884 -ip 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 248

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

memory/884-0-0x0000000000B60000-0x0000000000B6F000-memory.dmp

memory/884-3-0x0000000000B60000-0x0000000000B6F000-memory.dmp

memory/884-4-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

memory/884-6-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20240220-en

Max time kernel

146s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_6007.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\微软OneDrive = "C:\\Users\\Public\\Documents\\nhwgjgpc\\1716377970.lnk" C:\Windows\System32\colorcpl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: through \??\Z: (22 drive letters, one open each: B E G H I J K L M N O P Q R S T U V W X Y Z) C:\Windows\System32\colorcpl.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_6007.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\colorcpl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Windows\System32\colorcpl.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_6007.exe N/A (2 identical rows)
N/A N/A C:\Windows\System32\colorcpl.exe N/A (62 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\colorcpl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup_6007.exe

"C:\Users\Admin\AppData\Local\Temp\setup_6007.exe"

C:\Windows\System32\colorcpl.exe

"C:\Windows\System32\colorcpl.exe"

Network

Country Destination Domain Proto
HK 43.155.11.52:7777 tcp
HK 43.155.11.52:7777 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp

Files

memory/2916-0-0x000000013FDB0000-0x0000000141537000-memory.dmp

memory/2916-2-0x000000013FDB0000-0x0000000141537000-memory.dmp

memory/2916-1-0x000000013FDB0000-0x0000000141537000-memory.dmp

memory/2916-3-0x000000013FDBC000-0x0000000140D43000-memory.dmp

memory/2568-4-0x000007FEFA660000-0x000007FEFA6AC000-memory.dmp

memory/2568-6-0x0000000001C30000-0x0000000001C31000-memory.dmp

memory/2568-5-0x0000000001C30000-0x0000000001C31000-memory.dmp

memory/2916-7-0x000000013FDB0000-0x0000000141537000-memory.dmp

memory/2916-8-0x000000013FDBC000-0x0000000140D43000-memory.dmp

memory/2568-9-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-13-0x0000000003310000-0x000000000338E000-memory.dmp

memory/2568-14-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-12-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-11-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-10-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-16-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-15-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-18-0x0000000180000000-0x000000018008D000-memory.dmp

memory/2568-17-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-26-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-28-0x0000000180000000-0x00000001800BD000-memory.dmp

memory/2568-35-0x0000000003A30000-0x0000000003AB9000-memory.dmp

memory/2568-34-0x0000000002FF0000-0x000000000304E000-memory.dmp

memory/2568-41-0x0000000004610000-0x0000000004684000-memory.dmp

memory/2568-50-0x0000000002FF0000-0x000000000304E000-memory.dmp
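The Files section of a behavioral run is a list of memory regions the sandbox dumped, named memory/PID-SEQ-START-END-memory.dmp. Read as a map, the behavioral9 list says that setup_6007.exe (PID 2916) ran from a roughly 23.5 MiB image at 0x13FDB0000, and that inside colorcpl.exe (PID 2568) a region appeared at 0x180000000 and was dumped twice, first 0x8D000 and later 0xBD000 bytes long. 0x180000000 is the MSVC linker's default image base for 64-bit DLLs, so a region there in a process that is otherwise a stock Windows control-panel binary is where an analyst would look first for a module that was mapped in by hand. The parser below is an added example, not sandbox code; the sample names are copied from the behavioral9 Files list, and reading the 0x180000000 region as a possibly manually mapped module is an inference drawn here, not a finding the report states.

```python
"""Read the memory-dump names in a Files section as a map of where code
lived in each process.

Added example for this report, not sandbox code.  Dumps are named
'memory/<pid>-<seq>-<start>-<end>-memory.dmp'; the sample names are copied
from the behavioral9 Files list (setup_6007.exe is PID 2916, the
colorcpl.exe it wrote into is PID 2568).  The one external fact used is
that 0x180000000 is link.exe's default image base for 64-bit DLLs; the
note attached to such a region is an inference, not a report finding.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
DEFAULT_X64_DLL_BASE = 0x180000000   # link.exe default /BASE for x64 DLLs

# Constructed input: names copied from the behavioral9 Files list.
SAMPLE_DUMPS = """\
memory/2916-0-0x000000013FDB0000-0x0000000141537000-memory.dmp
memory/2916-3-0x000000013FDBC000-0x0000000140D43000-memory.dmp
memory/2568-9-0x0000000002FF0000-0x000000000304E000-memory.dmp
memory/2568-13-0x0000000003310000-0x000000000338E000-memory.dmp
memory/2568-18-0x0000000180000000-0x000000018008D000-memory.dmp
memory/2568-28-0x0000000180000000-0x00000001800BD000-memory.dmp
memory/2568-35-0x0000000003A30000-0x0000000003AB9000-memory.dmp
memory/2568-41-0x0000000004610000-0x0000000004684000-memory.dmp
memory/2916-7-0x000000013FDB0000-0x0000000141537000-memory.dmp
"""


def parse_dump(name):
    """Split one dump name into pid, sequence number and address range."""
    m = DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize(text):
    """Group dumps by (pid, start address) and record how each region evolved.

    Returns {(pid, start): {"seqs": [...], "sizes": [...], "grew": bool,
    "notes": [...]}} with dumps ordered by sequence number.
    """
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            d = parse_dump(line)
            groups[(d["pid"], d["start"])].append(d)

    regions = {}
    for (pid, start), dumps in groups.items():
        dumps.sort(key=lambda d: d["seq"])
        sizes = [d["size"] for d in dumps]
        grew = any(b > a for a, b in zip(sizes, sizes[1:]))
        notes = []
        if start == DEFAULT_X64_DLL_BASE:
            notes.append("default x64 DLL image base: possibly a manually mapped module")
        if grew:
            notes.append("region grew between snapshots")
        regions[(pid, start)] = {"seqs": [d["seq"] for d in dumps],
                                 "sizes": sizes, "grew": grew, "notes": notes}
    return regions


if __name__ == "__main__":
    for (pid, start), r in sorted(summarize(SAMPLE_DUMPS).items()):
        sizes = ", ".join(f"{s:#x}" for s in r["sizes"])
        print(f"pid {pid} @ {start:#014x}  dumps {r['seqs']}  sizes [{sizes}]  "
              + ("; ".join(r["notes"]) or "-"))
```

The sequence numbers give a rough timeline: regions that grow or that sit at a linker default base in a process that loaded no such DLL are the dumps worth opening first; the others are usually heap or the host's own image.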

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_6007.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_6007.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\微软OneDrive = "C:\\Users\\Public\\Documents\\nhwgjgpc\\1716377909.lnk" C:\Windows\System32\colorcpl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: through \??\Z: (22 drive letters, one open each: B E G H I J K L M N O P Q R S T U V W X Y Z) C:\Windows\System32\colorcpl.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_6007.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Windows\System32\colorcpl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\colorcpl.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_6007.exe N/A (4 identical rows)
N/A N/A C:\Windows\System32\colorcpl.exe N/A (60 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\colorcpl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4232 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\setup_6007.exe C:\Windows\System32\colorcpl.exe
PID 4232 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\setup_6007.exe C:\Windows\System32\colorcpl.exe
PID 4232 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\setup_6007.exe C:\Windows\System32\colorcpl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_6007.exe

"C:\Users\Admin\AppData\Local\Temp\setup_6007.exe"

C:\Windows\System32\colorcpl.exe

"C:\Windows\System32\colorcpl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
HK 43.155.11.52:7777 tcp
HK 43.155.11.52:7777 tcp
US 8.8.8.8:53 52.11.155.43.in-addr.arpa udp
CN 8.134.187.253:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/4232-0-0x00007FF6ACA20000-0x00007FF6AE1A7000-memory.dmp

memory/4232-1-0x00007FF6ACA20000-0x00007FF6AE1A7000-memory.dmp

memory/4232-2-0x00007FF6ACA20000-0x00007FF6AE1A7000-memory.dmp

memory/4232-3-0x00007FF6ACA2C000-0x00007FF6AD9B3000-memory.dmp

memory/1900-4-0x00000296D47C0000-0x00000296D47C1000-memory.dmp

memory/4232-5-0x00007FF6ACA20000-0x00007FF6AE1A7000-memory.dmp

memory/4232-6-0x00007FF6ACA2C000-0x00007FF6AD9B3000-memory.dmp

memory/1900-7-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp

memory/1900-10-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp

memory/1900-9-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp

memory/1900-8-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp

memory/1900-12-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp

memory/1900-11-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp

memory/1900-14-0x0000000180000000-0x000000018008D000-memory.dmp

memory/1900-13-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp

memory/1900-22-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp

memory/1900-24-0x0000000180000000-0x00000001800BD000-memory.dmp

memory/1900-30-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp

memory/1900-31-0x00000296D4E90000-0x00000296D4F19000-memory.dmp

memory/1900-37-0x00000296D6BF0000-0x00000296D6C64000-memory.dmp

memory/1900-46-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp
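The dump names above encode the process, a snapshot index and the address range, so they can be read as a rough memory map. The detail worth checking in this detonation is that PID 1900 (colorcpl.exe, the process setup_6007.exe wrote into per the WriteProcessMemory rows above) has dumps at 0x180000000, the image base the Microsoft linker gives 64-bit DLLs by default; a module sitting exactly at its preferred base in a process that received cross-process writes is consistent with a DLL mapped by hand rather than through the loader. That reading is an inference, not something the report states. The parser below is an added example, not part of the original report; the sample names are copied from the Files list above and the set of "written-to" PIDs is taken from the WriteProcessMemory rows.

```python
import re
from collections import defaultdict

# Default image base the Microsoft linker assigns to 64-bit DLLs. A region that
# sits exactly there inside a process that was written to from outside is worth a look.
X64_DLL_DEFAULT_BASE = 0x180000000

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed sample: dump names copied from the Files list above.
SAMPLE_DUMPS = """
memory/4232-0-0x00007FF6ACA20000-0x00007FF6AE1A7000-memory.dmp
memory/4232-3-0x00007FF6ACA2C000-0x00007FF6AD9B3000-memory.dmp
memory/1900-4-0x00000296D47C0000-0x00000296D47C1000-memory.dmp
memory/1900-7-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp
memory/1900-14-0x0000000180000000-0x000000018008D000-memory.dmp
memory/1900-24-0x0000000180000000-0x00000001800BD000-memory.dmp
memory/1900-46-0x00000296D4D50000-0x00000296D4DAE000-memory.dmp
"""


def parse_dump_name(name):
    """Turn 'memory/PID-IDX-0xSTART-0xEND-memory.dmp' into a region record."""
    m = DUMP_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def regions_by_pid(text):
    """Group dumps per PID and collapse repeated snapshots of one range into a single region."""
    regions = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            d = parse_dump_name(line)
            regions[d["pid"]].setdefault((d["start"], d["end"]), []).append(d["idx"])
    return regions


def suspicious_dll_base_regions(text, written_to_pids):
    """Regions at the default x64 DLL base inside PIDs that were WriteProcessMemory targets."""
    hits = []
    for pid, regs in regions_by_pid(text).items():
        if pid not in written_to_pids:
            continue
        for (start, end), idxs in regs.items():
            if start == X64_DLL_DEFAULT_BASE:
                hits.append({"pid": pid, "start": start, "end": end, "size": end - start, "snapshots": idxs})
    return sorted(hits, key=lambda h: h["end"])


if __name__ == "__main__":
    # PID 1900 is the WriteProcessMemory target recorded in the signature table above.
    for h in suspicious_dll_base_regions(SAMPLE_DUMPS, {1900}):
        print(f"pid {h['pid']}: 0x{h['start']:X}-0x{h['end']:X} ({h['size']:#x} bytes, snapshots {h['snapshots']})")
```

The two hits differ in size (0x8D000 then 0xBD000 bytes), which is why the snapshot index is kept: the same base was captured twice with different extents, so whatever was mapped there changed between snapshots. The dumps themselves, not their names, are what confirm or refute the injected-DLL reading.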

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20240221-en

Max time kernel

143s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\windows.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowsProgram = "C:\\Users\\Admin\\WindowsData\\windows.exe" C:\Users\Admin\AppData\Local\Temp\windows.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\windows.exe

"C:\Users\Admin\AppData\Local\Temp\windows.exe"

Network

Country Destination Domain Proto
CN 8.137.117.105:9999 tcp
CN 8.137.117.105:9999 tcp

Files

memory/2240-0-0x0000000000E90000-0x0000000001262000-memory.dmp

memory/2240-1-0x0000000000E90000-0x0000000001262000-memory.dmp

memory/2240-8-0x0000000000E90000-0x0000000001262000-memory.dmp

memory/2240-9-0x00000000479B0000-0x0000000047A08000-memory.dmp

memory/2240-7-0x0000000047960000-0x00000000479AB000-memory.dmp

memory/2240-10-0x0000000000E90000-0x0000000001262000-memory.dmp

memory/2240-12-0x00000000479B0000-0x0000000047A08000-memory.dmp

memory/2240-19-0x0000000000E90000-0x0000000001262000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20240220-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx.exe"

Signatures

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx.exe

"C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx.exe"

Network

N/A

Files

memory/2252-0-0x000000013FB20000-0x000000013FB9F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\calc64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\calc64.exe

"C:\Users\Admin\AppData\Local\Temp\calc64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
CN 42.192.39.12:60001 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
CN 42.192.39.12:60001 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
CN 42.192.39.12:60001 tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
CN 42.192.39.12:60001 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
CN 42.192.39.12:60001 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
CN 42.192.39.12:60001 tcp
CN 42.192.39.12:60001 tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
CN 42.192.39.12:60001 tcp

Files

memory/3564-0-0x0000017521C20000-0x0000017521C30000-memory.dmp

memory/3564-1-0x0000017521C20000-0x0000017521C30000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cjkent_setup_表格6044.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\colorcpl.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cjkent_setup_表格6044.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Windows\System32\colorcpl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\colorcpl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\colorcpl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cjkent_setup_表格6044.exe

"C:\Users\Admin\AppData\Local\Temp\cjkent_setup_表格6044.exe"

C:\Windows\System32\colorcpl.exe

"C:\Windows\System32\colorcpl.exe"

Network

Country Destination Domain Proto
HK 206.238.114.187:6666 tcp
HK 206.238.114.187:6666 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp

Files

memory/2860-0-0x000000013FD90000-0x0000000140D65000-memory.dmp

memory/2860-1-0x000000013FD90000-0x0000000140D65000-memory.dmp

memory/2860-2-0x000000013FD9C000-0x0000000140D23000-memory.dmp

memory/2860-3-0x000000013FD90000-0x0000000140D65000-memory.dmp

memory/2468-4-0x000007FEF7150000-0x000007FEF719C000-memory.dmp

memory/2468-6-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/2468-5-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/2860-8-0x000000013FD90000-0x0000000140D65000-memory.dmp

memory/2860-9-0x000000013FD9C000-0x0000000140D23000-memory.dmp

memory/2468-10-0x00000000031A0000-0x00000000031E9000-memory.dmp

memory/2468-11-0x0000000003030000-0x00000000030AE000-memory.dmp

memory/2468-14-0x00000000031A0000-0x00000000031E9000-memory.dmp

memory/2468-13-0x00000000031A0000-0x00000000031E9000-memory.dmp

memory/2468-12-0x00000000031A0000-0x00000000031E9000-memory.dmp

memory/2468-15-0x00000000031A0000-0x00000000031E9000-memory.dmp

memory/2468-16-0x00000000031A0000-0x00000000031E9000-memory.dmp

memory/2468-18-0x0000000180000000-0x000000018008D000-memory.dmp

memory/2468-17-0x00000000031A0000-0x00000000031E9000-memory.dmp

memory/2468-26-0x00000000031A0000-0x00000000031E9000-memory.dmp

memory/2468-29-0x0000000180000000-0x0000000180057000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx.exe"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx.exe

"C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx.exe"

C:\Windows\explorer.exe

explorer 绝密⚝启用前.docx

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cloudflare.com udp
US 104.16.124.96:443 www.cloudflare.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 96.124.16.104.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\绝密⚝启用前.docx

MD5 0d2056e5c4eabbe971853aa5880234b1
SHA1 a6d9b0431682d08aba21b3bb53650c9d6528ec36
SHA256 7309b78f23cb171ffc553b7def07cfd63b9950f180ca017b3c5f8854e56d6711
SHA512 007723673eec5194d0fde4e3b7a6231c1ec5bc8cd8f41c457606fc397bfc45311ace6832d57c11686f93b89895a76ab157d50a0ff715b0700d8efaba8380b40a

memory/996-2-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/996-4-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/996-3-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/996-5-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/996-6-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/2636-7-0x0000029B4FB00000-0x0000029B4FC90000-memory.dmp

memory/2636-8-0x00007FF7CAC30000-0x00007FF7CACAF000-memory.dmp

memory/996-9-0x00007FF9C72D0000-0x00007FF9C72E0000-memory.dmp

memory/996-10-0x00007FF9C72D0000-0x00007FF9C72E0000-memory.dmp

memory/996-42-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/996-43-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/996-45-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

memory/996-44-0x00007FF9C9B30000-0x00007FF9C9B40000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cjkent_setup_表格6044.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cjkent_setup_表格6044.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\微软OneDrive = "C:\\Users\\Public\\Documents\\weneniti\\1716377911.lnk" C:\Windows\System32\colorcpl.exe N/A
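This report records two different Run-key persistence entries: in behavioral11, windows.exe registers itself as "windowsProgram" pointing at a copy under the user profile, and here colorcpl.exe (a Windows system binary, not the installer) registers a value named "微软OneDrive" ("Microsoft OneDrive" in Chinese) whose data is a .lnk under C:\Users\Public\Documents, so the real program launched at logon is whatever the shortcut points to, which this row alone does not show. The parser below is an added example, not part of the original report; it handles both rows and its heuristics (which directories count as user-writable, which product names count as impersonation) are assumptions stated in the code.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the two "Adds Run key to start application" rows from this report.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowsProgram = "C:\\Users\\Admin\\WindowsData\\windows.exe" C:\Users\Admin\AppData\Local\Temp\windows.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\微软OneDrive = "C:\\Users\\Public\\Documents\\weneniti\\1716377911.lnk" C:\Windows\System32\colorcpl.exe N/A',
]

EVENT_RE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<data>[^"]*)" (?P<writer>\S+) (?P<target>\S+)$')
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE
)

# Assumptions behind the heuristics: directories any user can write to, and product
# names an attacker would borrow so the value blends in with legitimate entries.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\")
IMPERSONATED_NAMES = ("onedrive", "windows", "microsoft", "update", "google", "adobe")


def parse_event(line):
    """Parse one 'Set value (str) <key> = "<data>" <writer> <target>' row from the report."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised registry row: {line!r}")
    # The report doubles backslashes inside the quoted value data; undo that once.
    return {"key": m["key"], "data": m["data"].replace("\\\\", "\\"), "writer": m["writer"]}


def assess_run_value(ev):
    """Return None for non-Run values, otherwise the value name, data and a list of findings."""
    rk = RUN_KEY_RE.search(ev["key"])
    if not rk:
        return None
    name = rk["name"]
    data_l = ev["data"].lower()
    findings = []
    if any(mk in data_l for mk in USER_WRITABLE_MARKERS):
        findings.append("payload in user-writable path")
    if PureWindowsPath(ev["data"]).suffix.lower() == ".lnk":
        findings.append("indirection through .lnk (real target not visible in this row)")
    if any(n in name.lower() for n in IMPERSONATED_NAMES):
        findings.append(f"value name {name!r} imitates a trusted product")
    if ev["writer"].lower().startswith("c:\\windows\\system32\\"):
        findings.append(f"written by system binary {ev['writer']}, not by the installer")
    return {"name": name, "data": ev["data"], "writer": ev["writer"], "findings": findings}


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        r = assess_run_value(parse_event(line))
        print(f"{r['name']} -> {r['data']}  (set by {r['writer']})")
        for f in r["findings"]:
            print("   -", f)
```

On a live host the same three fields (value path, value data, writing image) are what Sysmon Event ID 13 records for a registry value set, so the heuristics transfer unchanged to that log source. When the data is a .lnk, resolve the shortcut's target and arguments before deciding what actually runs at logon.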

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\colorcpl.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\colorcpl.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cjkent_setup_表格6044.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Windows\System32\colorcpl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\colorcpl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\colorcpl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cjkent_setup_表格6044.exe

"C:\Users\Admin\AppData\Local\Temp\cjkent_setup_表格6044.exe"

C:\Windows\System32\colorcpl.exe

"C:\Windows\System32\colorcpl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
HK 206.238.114.187:6666 tcp
US 8.8.8.8:53 187.114.238.206.in-addr.arpa udp
HK 206.238.114.187:6666 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
CN 8.134.187.253:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
CN 8.134.187.253:80 tcp
CN 8.134.187.253:80 tcp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/3328-1-0x00007FF76A590000-0x00007FF76B565000-memory.dmp

memory/3328-0-0x00007FF76A590000-0x00007FF76B565000-memory.dmp

memory/3328-2-0x00007FF76A59C000-0x00007FF76B523000-memory.dmp

memory/3328-3-0x00007FF76A590000-0x00007FF76B565000-memory.dmp

memory/2012-4-0x000001DA7C560000-0x000001DA7C561000-memory.dmp

memory/3328-6-0x00007FF76A590000-0x00007FF76B565000-memory.dmp

memory/3328-7-0x00007FF76A59C000-0x00007FF76B523000-memory.dmp

memory/2012-8-0x000001DA7A6C0000-0x000001DA7A709000-memory.dmp

memory/2012-11-0x000001DA7A6C0000-0x000001DA7A709000-memory.dmp

memory/2012-10-0x000001DA7A6C0000-0x000001DA7A709000-memory.dmp

memory/2012-9-0x000001DA7A6C0000-0x000001DA7A709000-memory.dmp

memory/2012-12-0x000001DA7A6C0000-0x000001DA7A709000-memory.dmp

memory/2012-13-0x000001DA7A6C0000-0x000001DA7A709000-memory.dmp

memory/2012-14-0x000001DA7A6C0000-0x000001DA7A709000-memory.dmp

memory/2012-15-0x0000000180000000-0x000000018008D000-memory.dmp

memory/2012-23-0x000001DA7A6C0000-0x000001DA7A709000-memory.dmp

memory/2012-25-0x0000000180000000-0x0000000180057000-memory.dmp

memory/2012-34-0x000001DA7A6C0000-0x000001DA7A709000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\关于本校暑期放假规划和安排 .exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\关于本校暑期放假规划和安排 .exe

"C:\Users\Admin\AppData\Local\Temp\关于本校暑期放假规划和安排 .exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win7-20240221-en

Max time kernel

149s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\團隊最新月績財務報表詳細 &a.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\團隊最新月績財務報表詳細 &a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\團隊最新月績財務報表詳細 &a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\團隊最新月績財務報表詳細 &a.exe

"C:\Users\Admin\AppData\Local\Temp\團隊最新月績財務報表詳細 &a.exe"

Network

Country Destination Domain Proto
HK 114.134.188.2:2123 114.134.188.2 tcp
HK 216.83.59.248:9000 tcp
HK 216.83.59.248:9000 tcp

Files

memory/1936-1-0x0000000000670000-0x0000000000770000-memory.dmp

memory/1936-3-0x0000000000350000-0x000000000038A000-memory.dmp

memory/1936-2-0x0000000000350000-0x000000000038A000-memory.dmp

memory/1936-5-0x0000000077291000-0x0000000077292000-memory.dmp

memory/1936-4-0x0000000000310000-0x0000000000345000-memory.dmp

memory/1936-7-0x0000000000350000-0x000000000038A000-memory.dmp

memory/1936-8-0x0000000000350000-0x000000000038A000-memory.dmp

memory/1936-6-0x0000000000350000-0x000000000038A000-memory.dmp

memory/1936-9-0x0000000000670000-0x0000000000770000-memory.dmp

memory/1936-10-0x0000000000350000-0x000000000038A000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-22 11:36

Reported

2024-05-22 11:39

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\團隊最新月績財務報表詳細 &a.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\團隊最新月績財務報表詳細 &a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\團隊最新月績財務報表詳細 &a.exe

"C:\Users\Admin\AppData\Local\Temp\團隊最新月績財務報表詳細 &a.exe"

Network

Country Destination Domain Proto
HK 114.134.188.2:2123 114.134.188.2 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 2.188.134.114.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
HK 216.83.59.248:9000 tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 248.59.83.216.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
HK 216.83.59.248:9000 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4056-1-0x0000000000980000-0x0000000000990000-memory.dmp

memory/4056-2-0x0000000000930000-0x0000000000965000-memory.dmp

memory/4056-3-0x00000000010D0000-0x000000000110A000-memory.dmp

memory/4056-4-0x00000000010D0000-0x000000000110A000-memory.dmp

memory/4056-5-0x00007FFEFAFCD000-0x00007FFEFAFCE000-memory.dmp

memory/4056-7-0x00000000010D0000-0x000000000110A000-memory.dmp

memory/4056-6-0x00000000010D0000-0x000000000110A000-memory.dmp

memory/4056-8-0x00000000010D0000-0x000000000110A000-memory.dmp

memory/4056-9-0x0000000000980000-0x0000000000990000-memory.dmp

memory/4056-10-0x0000000000930000-0x0000000000965000-memory.dmp

memory/4056-11-0x00000000010D0000-0x000000000110A000-memory.dmp