Malware Analysis Report

2025-08-05 16:07

Sample ID: 240526-edp75aee96
Target: 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia
SHA256: 4d770a637191881ffccb789f004cd0402ac26c53da7d309a58c50926f873eda7
Tags: evasion execution persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4d770a637191881ffccb789f004cd0402ac26c53da7d309a58c50926f873eda7

Threat Level: Known bad

The file 2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia was found to be: Known bad.

Malicious Activity Summary

Tags: evasion execution persistence

Disables service(s)

Detects executables containing possible sandbox analysis VM usernames

Blocklisted process makes network request

Stops running service(s)

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Modifies registry class

Runs net.exe

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-26 03:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-26 03:49
Reported: 2024-05-26 03:52
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"

Signatures

Disables service(s)

evasion execution

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A

Stops running service(s)

evasion execution

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\system.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | C:\Windows\SysWOW64\Rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Windows\SysWOW64\Rundll32.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\SysWOW64\Rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\system.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
File created | C:\Windows\SysWOW64\uctetbtb.dll | C:\Windows\SysWOW64\system.exe | N/A
File created | C:\Windows\SysWOW64\hwvetbtb.dll | C:\Windows\SysWOW64\system.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\AAV\CDriver.sys | C:\Windows\SysWOW64\Rundll32.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec\ = "[open(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec\ = "[print(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\ = "WalkScriptor.Document" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE,1" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ = "WalkScriptor.Document" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew\NullFile | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | C:\Windows\SysWOW64\system.exe
PID 1848 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | C:\Windows\SysWOW64\system.exe
PID 1848 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | C:\Windows\SysWOW64\system.exe
PID 1848 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | C:\Windows\SysWOW64\system.exe
PID 1992 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\system.exe | C:\Windows\SysWOW64\Rundll32.exe
PID 1992 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\system.exe | C:\Windows\SysWOW64\Rundll32.exe
PID 1992 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\system.exe | C:\Windows\SysWOW64\Rundll32.exe
PID 1992 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\system.exe | C:\Windows\SysWOW64\Rundll32.exe
PID 1992 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\system.exe | C:\Windows\SysWOW64\Rundll32.exe
PID 1992 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\system.exe | C:\Windows\SysWOW64\Rundll32.exe
PID 1992 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\system.exe | C:\Windows\SysWOW64\Rundll32.exe
PID 2780 wrote to memory of 2092 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 2092 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 2092 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 2092 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2092 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2092 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2092 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2092 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2780 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2788 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 1504 wrote to memory of 1536 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1504 wrote to memory of 1536 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1504 wrote to memory of 1536 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1504 wrote to memory of 1536 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2780 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
PID 2780 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
PID 2780 wrote to memory of 1992 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\system.exe
PID 2780 wrote to memory of 1992 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\system.exe
PID 2780 wrote to memory of 2092 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 2092 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 1504 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\sc.exe
PID 2780 wrote to memory of 2520 | N/A | C:\Windows\SysWOW64\Rundll32.exe | C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"

C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe

C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\uctetbtb.dll Exbcute

C:\Windows\SysWOW64\net.exe
    net stop WinDefend

C:\Windows\SysWOW64\net.exe
    net stop MpsSvc

C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled

C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled

C:\Windows\SysWOW64\sc.exe
    sc stop ZhuDongFangYu

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MpsSvc

C:\Windows\SysWOW64\sc.exe
    sc delete ZhuDongFangYu

C:\Windows\SysWOW64\sc.exe
    sc stop 360rp

C:\Windows\SysWOW64\sc.exe
    sc delete 360rp

C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop PolicyAgent

C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\hwvetbtb.dll Exbcute

C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tsh16.w3g7j.com | udp
FI | 193.166.255.171:8080 | tsh16.w3g7j.com | tcp

Files

memory/1848-0-0x0000000000910000-0x0000000000D2D000-memory.dmp

\Windows\SysWOW64\system.exe

MD5 2de43a2571b821f9cdcd84c3c23b7ce6
SHA1 ff038212807b5cc4ce85009877350a25f3495f1d
SHA256 894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7
SHA512 de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7

C:\Windows\SysWOW64\uctetbtb.dll

MD5 9b0bdefd566a844ab82d31d41cae80eb
SHA1 11221562bee4503b003ba5f8e7be67df92093dd9
SHA256 c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc
SHA512 66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909

memory/1848-16-0x00000000002C0000-0x00000000002C1000-memory.dmp

C:\Windows\SysWOW64\hwvetbtb.dll

MD5 af18ffd71cf2abe49e60353b9202bf70
SHA1 fca0fb502f5d79eacfb6b3af613e9f38e30220d8
SHA256 adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac
SHA512 3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb

\Users\Admin\AppData\Local\Temp\13DE.tmp

MD5 b5eb5bd3066959611e1f7a80fd6cc172
SHA1 6fb1532059212c840737b3f923a9c0b152c0887a
SHA256 1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc
SHA512 6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

memory/1848-56-0x0000000000910000-0x0000000000D2D000-memory.dmp

\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe

MD5 5bac61ee3eeb945c3f8be6e59986d9d6
SHA1 55697ed64c01452387f25d00c21b6d4cbd3e9a2b
SHA256 fa7395c12fc23dd922def2b3bcbeb1d94cbda10a09a176001199f15774026c24
SHA512 0198fe7bb0fa3da0e88403ffcf10886803fe1df8539da4b3372689d1026a161c358d1e9f481463615c84cbe2b0b0cc2c36f5b044751d93741e82b6dd2221e1ed

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-26 03:49
Reported: 2024-05-26 03:52
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"

Signatures

Disables service(s)

evasion execution

Detects executables containing possible sandbox analysis VM usernames

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\Rundll32.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\system.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Rundll32.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | C:\Windows\SysWOW64\Rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Windows\SysWOW64\Rundll32.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\SysWOW64\Rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\system.exe | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
File created | C:\Windows\SysWOW64\kkbemgaa.dll | C:\Windows\SysWOW64\system.exe | N/A
File created | C:\Windows\SysWOW64\hhffmgaa.dll | C:\Windows\SysWOW64\system.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\AAV\CDriver.sys | C:\Windows\SysWOW64\Rundll32.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /dde" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec\ = "[open(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\ddeexec\ = "[print(\"%1\")]" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\ = "WalkScriptor.Document" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE,1" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\ddeexec | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ShellNew\NullFile | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp\ = "WalkScriptor.Document" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\printto\command | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsp | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WalkScriptor.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-0~2.EXE /ddenoshow" | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe C:\Windows\SysWOW64\system.exe
PID 1192 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe C:\Windows\SysWOW64\system.exe
PID 1192 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe C:\Windows\SysWOW64\system.exe
PID 228 wrote to memory of 4124 N/A C:\Windows\SysWOW64\system.exe C:\Windows\SysWOW64\Rundll32.exe
PID 228 wrote to memory of 4124 N/A C:\Windows\SysWOW64\system.exe C:\Windows\SysWOW64\Rundll32.exe
PID 228 wrote to memory of 4124 N/A C:\Windows\SysWOW64\system.exe C:\Windows\SysWOW64\Rundll32.exe
PID 4124 wrote to memory of 4756 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 4756 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 4756 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 3412 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 3412 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 3412 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 4344 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4344 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4344 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 3432 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 3432 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 3432 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4672 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4672 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4672 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
PID 4124 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
PID 4124 wrote to memory of 228 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\system.exe
PID 4124 wrote to memory of 228 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\system.exe
PID 4124 wrote to memory of 4756 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 4756 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 3412 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 3412 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 4344 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4344 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 3412 wrote to memory of 5068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3412 wrote to memory of 5068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3412 wrote to memory of 5068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 228 wrote to memory of 3112 N/A C:\Windows\SysWOW64\system.exe C:\Windows\SysWOW64\Rundll32.exe
PID 228 wrote to memory of 3112 N/A C:\Windows\SysWOW64\system.exe C:\Windows\SysWOW64\Rundll32.exe
PID 228 wrote to memory of 3112 N/A C:\Windows\SysWOW64\system.exe C:\Windows\SysWOW64\Rundll32.exe
PID 4756 wrote to memory of 1224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4756 wrote to memory of 1224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4756 wrote to memory of 1224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1192 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
PID 1192 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
PID 1192 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
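
The WriteProcessMemory rows above are easier to read as a graph: who wrote into whom, and which chains end in the service-tampering tools. The script below is an added example for this report, not sandbox output; it rebuilds that graph from the rows themselves (copied inline, duplicates included on purpose, since the sandbox logs one row per call) and flags the one edge where a process writes into another instance of its own image, which is the usual shape of a packed sample unpacking into a child copy of itself. "Roots" are relative to the rows given, so a PID that was written to earlier in the report but not in this excerpt still shows as a root.

```python
import ntpath
import re
from collections import defaultdict

# Rows copied from the report's WriteProcessMemory table (a subset; the
# sandbox logs one row per call, so the same source/target pair repeats).
ROWS = r"""
PID 4124 wrote to memory of 228 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\system.exe
PID 4124 wrote to memory of 228 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\system.exe
PID 4124 wrote to memory of 4756 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 3412 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\net.exe
PID 4124 wrote to memory of 4344 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 4124 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\sc.exe
PID 3412 wrote to memory of 5068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 228 wrote to memory of 3112 N/A C:\Windows\SysWOW64\system.exe C:\Windows\SysWOW64\Rundll32.exe
PID 4756 wrote to memory of 1224 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1192 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
"""

# source PID, target PID, indicator column (N/A), source image, target image
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def build_graph(rows):
    """Return (image_by_pid, writers): writers[src] is the set of PIDs src wrote into."""
    image = {}
    writers = defaultdict(set)
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        image[src], image[dst] = src_img, dst_img
        writers[src].add(dst)  # set, so repeated rows collapse
    return image, writers


def roots(image, writers):
    """PIDs nobody wrote into: the tops of each chain in this excerpt."""
    targets = {d for ds in writers.values() for d in ds}
    return sorted(p for p in image if p not in targets)


def render(image, writers, pid, depth=0, out=None):
    """Indented tree of write targets below pid, one 'PID image' line per node."""
    out = [] if out is None else out
    out.append(f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}")
    for child in sorted(writers.get(pid, ())):
        render(image, writers, child, depth + 1, out)
    return out


def self_writes(image, writers):
    """Edges where a process writes into another instance of its own image."""
    return [(s, d) for s, ds in writers.items() for d in ds if image[s] == image[d]]


def chains_to(image, writers, basename):
    """Every write chain from a root of this excerpt down to a process named basename."""
    found = []

    def walk(pid, path):
        path = path + [pid]
        if len(path) > 1 and ntpath.basename(image[pid]).lower() == basename.lower():
            found.append(path)
        for child in sorted(writers.get(pid, ())):
            walk(child, path)

    for root in roots(image, writers):
        walk(root, [])
    return found


if __name__ == "__main__":
    image, writers = build_graph(ROWS)
    for root in roots(image, writers):
        print("\n".join(render(image, writers, root)))
    print("self-image writes:", self_writes(image, writers))
    print("chains to net1.exe:", chains_to(image, writers, "net1.exe"))
```

Two chains stand out once the duplicates are collapsed: the dropped sample writes into a second copy of itself (1192 into 768), and the Rundll32 instance 4124 is the process that writes into every net.exe and sc.exe that later stops and disables the security services, so it, not the original sample, is the process to pivot on in endpoint telemetry.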

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"

C:\Windows\SysWOW64\system.exe

C:\Windows\system32\system.exe

C:\Windows\SysWOW64\Rundll32.exe

Rundll32 C:\Windows\system32\kkbemgaa.dll Exbcute

C:\Windows\SysWOW64\net.exe

net stop WinDefend

C:\Windows\SysWOW64\net.exe

net stop MpsSvc

C:\Windows\SysWOW64\sc.exe

sc config WinDefend start= disabled

C:\Windows\SysWOW64\sc.exe

sc config MpsSvc start= disabled

C:\Windows\SysWOW64\sc.exe

sc stop ZhuDongFangYu

C:\Windows\SysWOW64\sc.exe

sc delete ZhuDongFangYu

C:\Windows\SysWOW64\sc.exe

sc stop 360rp

C:\Windows\SysWOW64\sc.exe

sc delete 360rp

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" stop PolicyAgent

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop MpsSvc

C:\Windows\SysWOW64\Rundll32.exe

Rundll32 C:\Windows\system32\hhffmgaa.dll Exbcute

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WinDefend

C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe
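
The process list above is the defense-evasion sequence in plain command lines: net stop and sc stop/delete/config against WinDefend, MpsSvc, ZhuDongFangYu and 360rp, plus Rundll32 loading the two dropped DLLs through an export named Exbcute. The following script is an added example, not part of the report, showing the detection logic a practitioner would run over such command lines (from a sandbox report, Sysmon event 1 or EDR process telemetry). The command lines and dropped-DLL names are copied from this report; the service-to-product mapping, the rule names and the ATT&CK technique IDs (T1562.001 Impair Defenses: Disable or Modify Tools, T1218.011 Rundll32) are the editor's.

```python
import ntpath
import re

# Command lines copied from the report's Processes list (constructed copy for the example).
COMMANDS = [
    r'"C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe"',
    r"C:\Windows\system32\system.exe",
    r"Rundll32 C:\Windows\system32\kkbemgaa.dll Exbcute",
    r"net stop WinDefend",
    r"net stop MpsSvc",
    r"sc config WinDefend start= disabled",
    r"sc config MpsSvc start= disabled",
    r"sc stop ZhuDongFangYu",
    r"sc delete ZhuDongFangYu",
    r"sc stop 360rp",
    r"sc delete 360rp",
    r'"C:\Windows\System32\sc.exe" stop PolicyAgent',
    r"C:\Windows\system32\net1 stop MpsSvc",
    r"Rundll32 C:\Windows\system32\hhffmgaa.dll Exbcute",
    r"C:\Windows\system32\net1 stop WinDefend",
]
# DLL basenames from the report's Files section (what "Loads dropped DLL" refers to).
DROPPED_DLLS = {"kkbemgaa.dll", "hhffmgaa.dll"}

# Service names seen in the report mapped to the product they belong to
# (editor's mapping, not from the report; extend for your own AV estate).
SECURITY_SERVICES = {
    "windefend": "Microsoft Defender Antivirus",
    "mpssvc": "Windows Defender Firewall",
    "zhudongfangyu": "Qihoo 360 active defense",
    "360rp": "Qihoo 360 real-time protection",
}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')           # quoted path or bare word
START_DISABLED_RE = re.compile(r"start=\s*disabled")  # sc accepts "start= disabled" and "start=disabled"


def tokens(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]


def analyse(cmd, dropped_dlls):
    """Return (rule, ATT&CK technique, detail) findings for one command line."""
    toks = tokens(cmd)
    if not toks:
        return []
    exe = ntpath.basename(toks[0]).lower()      # "net", "net1", "sc.exe", "rundll32" ...
    args = [t.lower() for t in toks[1:]]
    findings = []
    if exe in ("net", "net.exe", "net1", "net1.exe") and len(args) >= 2 and args[0] == "stop":
        svc = args[1]
        if svc in SECURITY_SERVICES:
            findings.append(("security_service_stop", "T1562.001",
                             f"{svc} ({SECURITY_SERVICES[svc]}) stopped via {exe}"))
    elif exe in ("sc", "sc.exe") and len(args) >= 2:
        verb, svc = args[0], args[1]
        if svc in SECURITY_SERVICES:
            if verb in ("stop", "delete"):
                findings.append((f"security_service_{verb}", "T1562.001",
                                 f"{svc} ({SECURITY_SERVICES[svc]}) {verb} via sc"))
            elif verb == "config" and START_DISABLED_RE.search(" ".join(args[2:])):
                findings.append(("security_service_disabled", "T1562.001",
                                 f"{svc} ({SECURITY_SERVICES[svc]}) start type set to disabled"))
    elif exe in ("rundll32", "rundll32.exe") and len(toks) >= 2:
        dll = ntpath.basename(toks[1])          # match on basename: see WOW64 note below
        if dll.lower() in {d.lower() for d in dropped_dlls}:
            export = toks[2] if len(toks) >= 3 else "(no export)"
            findings.append(("rundll32_dropped_dll", "T1218.011", f"{dll} export {export}"))
    return findings


def scan(commands, dropped_dlls):
    """Run every command line through analyse(); returns [(cmd, finding), ...]."""
    return [(cmd, f) for cmd in commands for f in analyse(cmd, dropped_dlls)]


if __name__ == "__main__":
    for cmd, (rule, technique, detail) in scan(COMMANDS, DROPPED_DLLS):
        print(f"{technique:10} {rule:26} {detail}")
```

Two points are worth keeping in mind when porting this to real telemetry. First, the Rundll32 command lines name C:\Windows\system32\kkbemgaa.dll, but the Files section shows the DLL at C:\Windows\SysWOW64\kkbemgaa.dll: the sample is a 32-bit process, so WOW64 file system redirection maps its System32 writes and loads to SysWOW64, which is why the rule matches on the basename rather than the full path. Second, "sc stop PolicyAgent" is not flagged because PolicyAgent is not in the watchlist; the watchlist is deliberately narrow to keep the rule quiet on legitimate administration, so widen it only for services you actually care about.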

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tsh16.w3g7j.com udp
FI 193.166.255.171:8080 tsh16.w3g7j.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
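
Most of the network table is sandbox background: PTR lookups of Microsoft addresses and HTTPS to Bing. The one flow that is not is the DNS query for tsh16.w3g7j.com followed by TCP to 193.166.255.171:8080. The script below is an added example, not part of the report, that triages the table mechanically: it parses the rows (copied inline), decodes in-addr.arpa names back to addresses so the reverse lookups can be tied to hosts the sample actually contacted, and separates baseline traffic from candidate command-and-control. The background-domain suffix list is an assumption for this example; a real baseline comes from detonating a clean sample on the same image.

```python
# The Network table from this report, copied inline so the example runs offline.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tsh16.w3g7j.com udp
FI 193.166.255.171:8080 tsh16.w3g7j.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
"""

# Domains the sandbox's Windows image contacts on its own (assumption for this
# example; derive the real list from a clean detonation on the same image).
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_table(text):
    """Rows of the 'Country Destination Domain Proto' table as dicts."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(row):
    """Bucket one row: PTR noise, baseline DNS/HTTPS, or something to look at."""
    if row["proto"] == "udp" and row["port"] == 53:
        if ptr_to_ip(row["domain"]):
            return "ptr_lookup"        # reverse lookups; compare with ptr_matches_contacted()
        if row["domain"].endswith(BACKGROUND_SUFFIXES):
            return "dns_background"
        return "dns_suspect"
    if row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "c2_candidate"              # direct connection to a non-baseline host


def triage(text):
    """Map each verdict to the rows that received it."""
    verdicts = {}
    for row in parse_table(text):
        verdicts.setdefault(classify(row), []).append(row)
    return verdicts


def ptr_matches_contacted(rows):
    """Decoded PTR names whose address was also contacted directly in the run."""
    contacted = {r["ip"] for r in rows if r["port"] != 53}
    decoded = (ptr_to_ip(r["domain"]) for r in rows)
    return sorted({ip for ip in decoded if ip in contacted})


def iocs(text):
    """Indicators worth exporting: the non-baseline lookups and connections."""
    return sorted({(r["domain"], r["ip"], r["port"], r["proto"])
                   for r in parse_table(text)
                   if classify(r) in ("dns_suspect", "c2_candidate")})


if __name__ == "__main__":
    for verdict, rows in triage(NETWORK_TABLE).items():
        print(f"{verdict:15} {len(rows):2} rows")
    print("PTRs matching contacted hosts:", ptr_matches_contacted(parse_table(NETWORK_TABLE)))
    print("IOCs:", iocs(NETWORK_TABLE))
```

Only two of the twelve PTR lookups decode to addresses the run actually connected to (the two Bing hosts), so the rest are the image's own reverse lookups rather than anything the sample did. The indicators left after filtering are the domain tsh16.w3g7j.com and the endpoint 193.166.255.171:8080 (TCP, geolocated FI); treat them as candidate C2 pending confirmation of the traffic content, since the table records the connection but not what was sent.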

Files

memory/1192-1-0x0000000000B30000-0x0000000000F4D000-memory.dmp

C:\Windows\SysWOW64\system.exe

MD5 2de43a2571b821f9cdcd84c3c23b7ce6
SHA1 ff038212807b5cc4ce85009877350a25f3495f1d
SHA256 894aa909df1f26bee14c9f66efd1e9d7a173967b83ee9040d939ce8d448062c7
SHA512 de85d63e87fcc6a8cff1cf1120b33a7b1ef2bcdc068ce24f679df12550f5471ec456de103abac73d0c96d4cbdec7ccb8f2c0f2b868fc4187e92b3c1a9b9225a7

C:\Windows\SysWOW64\kkbemgaa.dll

MD5 9b0bdefd566a844ab82d31d41cae80eb
SHA1 11221562bee4503b003ba5f8e7be67df92093dd9
SHA256 c00834615d7d447d3f9c9803ddf8ed0ced42451170ba930146d04f18d2d880dc
SHA512 66e2fd72a13ffd8bc1ddeca7b9db3eec92f15d744bd2faa11f76f35c92367af7c6ca6cef8405d9542b7ebd193c0e14b05ec96412c5ff0349826ed4e81ad43909

memory/1192-9-0x0000000001420000-0x0000000001421000-memory.dmp

C:\Windows\SysWOW64\hhffmgaa.dll

MD5 af18ffd71cf2abe49e60353b9202bf70
SHA1 fca0fb502f5d79eacfb6b3af613e9f38e30220d8
SHA256 adc6b3bbd691387198f597c9228df74138ed601804ff35d0e78e08cb8bb24aac
SHA512 3bd7f681a659fbdd20953a5f1442102d8c10a9eab55f5ea0b815a205478a81a7eaae180313a80646bc972e486f0f4b8abe338b47ea792c2242f85a6349e9bceb

C:\Users\Admin\AppData\Local\Temp\590D.tmp

MD5 6c7cdd25c2cb0073306eb22aebfc663f
SHA1 a1eba8ab49272b9852fe6a543677e8af36271248
SHA256 58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705
SHA512 17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

C:\Users\Admin\AppData\Local\Temp\2024-05-26_a9a4949fb754d99bc69284cb1cf8c39f_mafia.exe

MD5 5bac61ee3eeb945c3f8be6e59986d9d6
SHA1 55697ed64c01452387f25d00c21b6d4cbd3e9a2b
SHA256 fa7395c12fc23dd922def2b3bcbeb1d94cbda10a09a176001199f15774026c24
SHA512 0198fe7bb0fa3da0e88403ffcf10886803fe1df8539da4b3372689d1026a161c358d1e9f481463615c84cbe2b0b0cc2c36f5b044751d93741e82b6dd2221e1ed