Malware Analysis Report

2024-10-19 08:35

Sample ID 240730-j8x9favgln
Target Full Tool Scan VPS.zip
SHA256 95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28
Tags
discovery neshta evasion persistence spyware stealer quasar office04 trojan pyinstaller upx
score
10/10

Analysis Overview

score
10/10

SHA256

95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28

Threat Level: Known bad

The file Full Tool Scan VPS.zip was found to be: Known bad.

Malicious Activity Summary

discovery neshta evasion persistence spyware stealer quasar office04 trojan pyinstaller upx

Quasar payload

Neshta

Quasar RAT

Detect Neshta payload

Neshta family

Quasar family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Identifies Wine through registry keys

Modifies system executable filetype association

UPX packed file

Checks BIOS information in registry

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Detects Pyinstaller

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-30 08:21

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta family

neshta

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:05

Platform

win10v2004-20240709-en

Max time kernel

1658s

Max time network

1151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 8 wrote to memory of 4548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1

Network


Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:06

Platform

win10v2004-20240704-en

Max time kernel

1765s

Max time network

1160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\wpcap.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2680 wrote to memory of 5108 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\wpcap.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\wpcap.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 644

Network


Files

memory/5108-0-0x0000000000E80000-0x0000000000E98000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:06

Platform

win10v2004-20240709-en

Max time kernel

1792s

Max time network

1154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe

"C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe

MD5 025c1c35c3198e6e3497d5dbf97ae81f
SHA1 6d390038003c298c7ab8f2cbe35a50b07e096554
SHA256 ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4
SHA512 1d4cf52062b4f1aa9349ee96b234fc51e693ea8231230ec2b35fa896c2c27f47158d6493e26a1881b070b3f86e6c7d9d2ed3f5f161d456eb011551d434e06b50

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:06

Platform

win10v2004-20240709-en

Max time kernel

1793s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe

"C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
SG 128.199.64.220:4782 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
SG 128.199.64.220:4782 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
SG 128.199.64.220:4782 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
SG 128.199.64.220:4782 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
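Most of the table above is VM background traffic: the in-addr.arpa rows are reverse lookups of Microsoft and CDN addresses the VM contacts on its own, and tse1.mm.bing.net is Windows' Bing-backed search/spotlight. What belongs to the sample is the run of TCP connections to 128.199.64.220:4782 (a DigitalOcean address in Singapore) with no name resolution in front of them: a compiled-in IP:port needs no DNS, and 4782 is Quasar's default listener port. The Python below is an added triage example written for this page, not sandbox or Quasar code. It parses rows in the flattened "Country Destination Domain Proto" layout used here and flags repeated direct-to-IP TCP flows; the row subset is copied from the table above, and the hit threshold and the "no domain means hard-coded peer" heuristic are assumptions of the example.

```python
"""Pull beaconing candidates out of a sandbox 'Network' table.

Added triage example for this report (not sandbox or Quasar code).
Input rows use the flattened layout printed above:
    Country Destination Domain Proto
where Domain is absent when the connection went straight to an IP.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Subset of rows copied from the behavioral25 Network table; the long run of
# identical C2 rows is abbreviated to six. The header line is included to show
# that the parser skips it.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
SG 128.199.64.220:4782 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
SG 128.199.64.220:4782 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
SG 128.199.64.220:4782 tcp
"""

QUASAR_DEFAULT_PORT = 4782  # default in Quasar's client settings; only a hint


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str | None  # None when the sandbox saw no name for the peer
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse flattened rows; three fields means there was no Domain column."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():  # header row or malformed line
            continue
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def c2_candidates(flows: list[Flow], min_hits: int = 3) -> dict[tuple[str, int], int]:
    """Count TCP flows to destinations that were never resolved by name.

    A compiled-in IP:port needs no DNS, so the sandbox prints no Domain for
    it, and a backdoor retries its server every few seconds. OS and browser
    traffic (bing.net, DNS to 8.8.8.8) resolves a hostname first and is
    dropped by the domain test. min_hits is an assumed threshold.
    """
    hits = Counter((f.ip, f.port) for f in flows
                   if f.proto == "tcp" and f.domain is None)
    return {dest: n for dest, n in hits.items() if n >= min_hits}


def annotate(candidates: dict[tuple[str, int], int]) -> dict[str, tuple[int, str]]:
    """Attach a family hint when the port matches a known RAT default."""
    return {
        f"{ip}:{port}": (n, "quasar-default-port" if port == QUASAR_DEFAULT_PORT else "unknown")
        for (ip, port), n in candidates.items()
    }


if __name__ == "__main__":
    for dest, (n, hint) in annotate(c2_candidates(parse_rows(SAMPLE_ROWS))).items():
        print(f"{dest}\thits={n}\t{hint}")
```

Run against the complete table above, the same logic reports 74 hits for 128.199.64.220:4782 and nothing else: the bing.net flows drop out on the domain test and the DNS rows on the protocol test. The port hint is deliberately weak; Quasar operators change the port freely, so the repeated direct-to-IP pattern is the signal and the port only a label.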

Files

memory/3316-0-0x00007FFC5F5C3000-0x00007FFC5F5C5000-memory.dmp

memory/3316-1-0x0000000000CF0000-0x0000000000D74000-memory.dmp

memory/3316-2-0x00007FFC5F5C0000-0x00007FFC60081000-memory.dmp

memory/3316-3-0x000000001C470000-0x000000001C4C0000-memory.dmp

memory/3316-4-0x000000001C580000-0x000000001C632000-memory.dmp

memory/3316-5-0x00007FFC5F5C3000-0x00007FFC5F5C5000-memory.dmp

memory/3316-6-0x00007FFC5F5C0000-0x00007FFC60081000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:05

Platform

win10v2004-20240729-en

Max time kernel

1334s

Max time network

1158s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\MassScan\_config.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

This signature is a heuristic on Notepad being launched with a text file, and here it misfires: the command line is the sandbox opening a plain-text archive member (MassScan's _config.ini) in Notepad, and the run writes or modifies no file (Files: N/A). The same tag on the Input.txt, passwords.txt and password.txt runs further down is the same false positive; those are input files shipped inside the archive, not notes dropped on a victim.

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\MassScan\_config.ini

C:\Windows\System32\Upfc.exe

C:\Windows\System32\Upfc.exe /launchtype periodic /cv BxApXNFT8E2y/Q6bkS0ePA.0

Upfc.exe is a Windows component started by its own scheduled task (hence /launchtype periodic); it is VM background activity, not something launched by the detonated file.

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:05

Platform

win10v2004-20240709-en

Max time kernel

1362s

Max time network

1158s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 3444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4004 wrote to memory of 3444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4004 wrote to memory of 3444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

The writer is the 64-bit rundll32 in system32 and the target is the 32-bit copy in SysWOW64 that it launches because QtNetwork4.dll is a 32-bit module; the write is part of starting that child, not injection into an unrelated process. The crash reported by WerFault (-p 3444, the SysWOW64 instance) is what happens when the sandbox calls export ordinal 1 of a Qt library through rundll32, which expects an entry point with a specific signature that an ordinary library export does not have. Neither signature says anything about the DLL's purpose; the QtGui4.dll run (behavioral11) shows the identical pattern.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3444 -ip 3444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 660

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:04

Platform

win10v2004-20240709-en

Max time kernel

1748s

Max time network

1162s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3224 wrote to memory of 1944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3224 wrote to memory of 1944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3224 wrote to memory of 1944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1944 -ip 1944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 708

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:05

Platform

win10v2004-20240709-en

Max time kernel

1754s

Max time network

1144s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\MassScan\Input.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\MassScan\Input.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:05

Platform

win10v2004-20240709-en

Max time kernel

1732s

Max time network

1151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe

"C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsyB548.tmp\System.dll

MD5 5c22bbf6730572e50eed4108af6081df
SHA1 8a13196f4d47ee7de2e35509058db954db10c72a
SHA256 3198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec
SHA512 264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18

A System.dll under %TEMP%\ns<random>.tmp is the NSIS installer framework's System plugin, which every NSIS-built setup extracts at run time, so "Loads dropped DLL" here is ordinary installer behaviour. By its name the executable is a WinPcap setup shipped in the MassScan folder (masscan needs WinPcap or Npcap for raw packet access on Windows), not a payload of its own.

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:06

Platform

win10v2004-20240709-en

Max time kernel

1362s

Max time network

1152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScanIP.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ScanIP.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ScanIP.exe N/A

The first row gives the privilege by number; 35 is the winnt.h value of SE_CREATE_SYMBOLIC_LINK_PRIVILEGE.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4252 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\ScanIP.exe C:\Users\Admin\AppData\Local\Temp\ScanIP.exe
PID 4252 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\ScanIP.exe C:\Users\Admin\AppData\Local\Temp\ScanIP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ScanIP.exe

"C:\Users\Admin\AppData\Local\Temp\ScanIP.exe"

C:\Users\Admin\AppData\Local\Temp\ScanIP.exe

"C:\Users\Admin\AppData\Local\Temp\ScanIP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI42522\ucrtbase.dll

MD5 637c17ad8bccc838b0cf83ffb8e2c7fd
SHA1 b2dd2890668e589badb2ba61a27c1da503d73c39
SHA256 be7368df484688493fb49fb0c4ad641485070190db62a2c071c9c50612e43fed
SHA512 f6b727c319ca2e85a9b5c5e0b9d8b9023f0cf4193fab983cfa26060923374c6abd6d11db1da2e524a8b04622a4e13beb4c48dc23f98886d4abb33eb09f3a0776

C:\Users\Admin\AppData\Local\Temp\_MEI42522\python37.dll

MD5 c4709f84e6cf6e082b80c80b87abe551
SHA1 c0c55b229722f7f2010d34e26857df640182f796
SHA256 ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512 e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

C:\Users\Admin\AppData\Local\Temp\_MEI42522\VCRUNTIME140.dll

MD5 89a24c66e7a522f1e0016b1d0b4316dc
SHA1 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA256 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512 e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

C:\Users\Admin\AppData\Local\Temp\_MEI42522\base_library.zip

MD5 eb879c6861570dff2d8e68c5fc3d82c5
SHA1 465fc892fa9953da5984c84d8272f149afd54fc8
SHA256 666d0a0a05d795181a4b6fc5a46774d200ef9ac2befd02f4e5ae4b85e28147c3
SHA512 d108b905cb3e71475773e6b918b3516a762852fc360b1fece9f48d7ced114fd6555a232f55ea11d3ae8804cf9f4b1db3aa0ef6fcc593b1169507175889be0eda

C:\Users\Admin\AppData\Local\Temp\_MEI42522\python3.dll

MD5 274853e19235d411a751a750c54b9893
SHA1 97bd15688b549cd5dbf49597af508c72679385af
SHA256 d21eb0fd1b2883e9e0b736b43cbbef9dfa89e31fee4d32af9ad52c3f0484987b
SHA512 580fa23cbe71ae4970a608c8d1ab88fe3f7562ed18398c73b14d5a3e008ea77df3e38abf97c12512786391ee403f675a219fbf5afe5c8cea004941b1d1d02a48

C:\Users\Admin\AppData\Local\Temp\_MEI42522\_ctypes.pyd

MD5 5e869eebb6169ce66225eb6725d5be4a
SHA1 747887da0d7ab152e1d54608c430e78192d5a788
SHA256 430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512 feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

C:\Users\Admin\AppData\Local\Temp\_MEI42522\_bz2.pyd

MD5 cf77513525fc652bad6c7f85e192e94b
SHA1 23ec3bb9cdc356500ec192cac16906864d5e9a81
SHA256 8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512 dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

C:\Users\Admin\AppData\Local\Temp\_MEI42522\_lzma.pyd

MD5 5fbb728a3b3abbdd830033586183a206
SHA1 066fde2fa80485c4f22e0552a4d433584d672a54
SHA256 f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA512 31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

C:\Users\Admin\AppData\Local\Temp\_MEI42522\pyexpat.pyd

MD5 6500aa010c8b50ffd1544f08af03fa4f
SHA1 a03f9f70d4ecc565f0fae26ef690d63e3711a20a
SHA256 752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec
SHA512 f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1

C:\Users\Admin\AppData\Local\Temp\_MEI42522\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

C:\Users\Admin\AppData\Local\Temp\_MEI42522\_hashlib.pyd

MD5 b32cb9615a9bada55e8f20dcea2fbf48
SHA1 a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256 ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA512 5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

C:\Users\Admin\AppData\Local\Temp\_MEI42522\_socket.pyd

MD5 8ea18d0eeae9044c278d2ea7a1dbae36
SHA1 de210842da8cb1cb14318789575d65117d14e728
SHA256 9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512 d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

C:\Users\Admin\AppData\Local\Temp\_MEI42522\select.pyd

MD5 fb4a0d7abaeaa76676846ad0f08fefa5
SHA1 755fd998215511506edd2c5c52807b46ca9393b2
SHA256 65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512 f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk86t.dll

MD5 fdc8a5d96f9576bd70aa1cadc2f21748
SHA1 bae145525a18ce7e5bc69c5f43c6044de7b6e004
SHA256 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5
SHA512 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl86t.dll

MD5 c0b23815701dbae2a359cb8adb9ae730
SHA1 5be6736b645ed12e97b9462b77e5a43482673d90
SHA256 f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768
SHA512 ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

C:\Users\Admin\AppData\Local\Temp\_MEI42522\_ssl.pyd

MD5 5a393bb4f3ae499541356e57a766eb6a
SHA1 908f68f4ea1a754fd31edb662332cf0df238cf9a
SHA256 b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047
SHA512 958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f

C:\Users\Admin\AppData\Local\Temp\_MEI42522\libssl-1_1.dll

MD5 bc778f33480148efa5d62b2ec85aaa7d
SHA1 b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA256 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA512 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

C:\Users\Admin\AppData\Local\Temp\_MEI42522\charset_normalizer\md.cp37-win_amd64.pyd

MD5 dbd015eedea9e5720e46fc6fb3e3a31a
SHA1 1ab6c1d3398a82f71f34e194aa5c6570db93ff63
SHA256 81bfb46f2f398b211231566612a2c94c0f95a244d08500be02a2a3c16dd18e49
SHA512 c3cb4fc5163ecf64f256af4eb95ae83634a207e86f10eb653385958c9eb960bf365db51fc72844f651d27d5760386958c85cce642c6efb5b807137771e46f071

C:\Users\Admin\AppData\Local\Temp\_MEI42522\unicodedata.pyd

MD5 4d3d8e16e98558ff9dac8fc7061e2759
SHA1 c918ab67b580f955b6361f9900930da38cec7c91
SHA256 016d962782beae0ea8417a17e67956b27610f4565cff71dd35a6e52ab187c095
SHA512 0dfabfad969da806bc9c6c664cdf31647d89951832ff7e4e5eeed81f1de9263ed71bddeff76ebb8e47d6248ad4f832cb8ad456f11e401c3481674bd60283991a

C:\Users\Admin\AppData\Local\Temp\_MEI42522\psutil\_psutil_windows.pyd

MD5 3e579844160de8322d574501a0f91516
SHA1 c8de193854f7fc94f103bd4ac726246981264508
SHA256 95f01ce7e37f6b4b281dbc76e9b88f28a03cb02d41383cc986803275a1cd6333
SHA512 ee2a026e8e70351d395329c78a07acb1b9440261d2557f639e817a8149ba625173ef196aed3d1c986577d78dc1a7ec9fed759c19346c51511474fe6d235b1817

C:\Users\Admin\AppData\Local\Temp\_MEI42522\PIL\_imaging.cp37-win_amd64.pyd

MD5 ad6fff0a653236fe65fb5cf5d88bf91b
SHA1 4845a875fcaa8f5d8f75d7a35b59a1a491f6d29f
SHA256 356142a3639d2b1dc7b71a794ef3c6085a8121eb721f4061a25a82235326ec45
SHA512 6706bc931c5d461b0a2272d206f4dff69440c40a0b68e8c8202928e8d1b9cf7fbc1aba6907b894438f3c31c8f68ed14c9553e9998ef64e0ccd2ee47673b359a5

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\init.tcl

MD5 b900811a252be90c693e5e7ae365869d
SHA1 345752c46f7e8e67dadef7f6fd514bed4b708fc5
SHA256 bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a
SHA512 36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\panedwindow.tcl

MD5 2da0a23cc9d6fd970fe00915ea39d8a2
SHA1 dfe3dc663c19e9a50526a513043d2393869d8f90
SHA256 4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29
SHA512 b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\menu.tcl

MD5 181ed74919f081eeb34269500e228470
SHA1 953eb429f6d98562468327858ed0967bdc21b5ad
SHA256 564ac0040176cc5744e3860abc36b5ffbc648da20b26a710dc3414eae487299b
SHA512 220e496b464575115baf1dede838e70d5ddd6d199b5b8acc1763e66d66801021b2d7cd0e1e1846868782116ad8a1f127682073d6eacd7e73f91bced89f620109

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\listbox.tcl

MD5 c33963d3a512f2e728f722e584c21552
SHA1 75499cfa62f2da316915fada2580122dc3318bad
SHA256 39721233855e97bfa508959b6dd91e1924456e381d36fdfc845e589d82b1b0cc
SHA512 ea01d8cb36d446ace31c5d7e50dfae575576fd69fd5d413941eebba7ccc1075f6774af3c69469cd7baf6e1068aa5e5b4c560f550edd2a8679124e48c55c8e8d7

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\entry.tcl

MD5 be28d16510ee78ecc048b2446ee9a11a
SHA1 4829d6e8ab8a283209fb4738134b03b7bd768bad
SHA256 8f57a23c5190b50fad00bdee9430a615ebebfc47843e702374ae21beb2ad8b06
SHA512 f56af7020531249bc26d88b977baffc612b6566146730a681a798ff40be9ebc04d7f80729bafe0b9d4fac5b0582b76f9530f3fe376d42a738c9bc4b3b442df1f

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\button.tcl

MD5 309ab5b70f664648774453bccbe5d3ce
SHA1 51bf685dedd21de3786fe97bc674ab85f34bd061
SHA256 0d95949cfacf0df135a851f7330acc9480b965dac7361151ac67a6c667c6276d
SHA512 d5139752bd7175747a5c912761916efb63b3c193dd133ad25d020a28883a1dea6b04310b751f5fcbe579f392a8f5f18ae556116283b3e137b4ea11a2c536ec6b

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\icons.tcl

MD5 2652aad862e8fe06a4eedfb521e42b75
SHA1 ed22459ad3d192ab05a01a25af07247b89dc6440
SHA256 a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161
SHA512 6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\opt0.4\pkgIndex.tcl

MD5 92ff1e42cfc5fecce95068fc38d995b3
SHA1 b2e71842f14d5422a9093115d52f19bcca1bf881
SHA256 eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718
SHA512 608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\http1.0\pkgIndex.tcl

MD5 10ec7cd64ca949099c818646b6fae31c
SHA1 6001a58a0701dff225e2510a4aaee6489a537657
SHA256 420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c
SHA512 34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\pkgIndex.tcl

MD5 a6448af2c8fafc9a4f42eaca6bf6ab2e
SHA1 0b295b46b6df906e89f40a907022068bc6219302
SHA256 cd44ee7f76c37c0c522bd0cfca41c38cdeddc74392b2191a3af1a63d9d18888e
SHA512 5b1a8ca5b09b7281de55460d21d5195c4ee086bebdc35fa561001181490669ffc67d261f99eaa900467fe97e980eb733c5ffbf9d8c541ede18992bf4a435c749

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\package.tcl

MD5 55e2db5dcf8d49f8cd5b7d64fea640c7
SHA1 8fdc28822b0cc08fa3569a14a8c96edca03bfbbd
SHA256 47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad
SHA512 824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl8\8.5\msgcat-1.6.1.tm

MD5 db52847c625ea3290f81238595a915cd
SHA1 45a4ed9b74965e399430290bcdcd64aca5d29159
SHA256 4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55
SHA512 5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\tm.tcl

MD5 f9ed2096eea0f998c6701db8309f95a6
SHA1 bcdb4f7e3db3e2d78d25ed4e9231297465b45db8
SHA256 6437bd7040206d3f2db734fa482b6e79c68bcc950fba80c544c7f390ba158f9b
SHA512 e4fb8f28dc72ea913f79cedf5776788a0310608236d6607adc441e7f3036d589fd2b31c446c187ef5827fd37dcaa26d9e94d802513e3bf3300e94dd939695b30

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\tk.tcl

MD5 3250ec5b2efe5bbe4d3ec271f94e5359
SHA1 6a0fe910041c8df4f3cdc19871813792e8cc4e4c
SHA256 e1067a0668debb2d8e8ec3b7bc1aec3723627649832b20333f9369f28e4dfdbf
SHA512 f8e403f3d59d44333bce2aa7917e6d8115bec0fe5ae9a1306f215018b05056467643b7aa228154ddced176072bc903dfb556cb2638f5c55c1285c376079e8fe3

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\auto.tcl

MD5 5e9b3e874f8fbeaadef3a004a1b291b5
SHA1 b356286005efb4a3a46a1fdd53e4fcdc406569d0
SHA256 f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840
SHA512 482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\tclIndex

MD5 e127196e9174b429cc09c040158f6aab
SHA1 ff850f5d1bd8efc1a8cb765fe8221330f0c6c699
SHA256 abf7d9d1e86de931096c21820bfa4fd70db1f55005d2db4aa674d86200867806
SHA512 c4b98ebc65e25df41e6b9a93e16e608cf309fa0ae712578ee4974d84f7f33bcf2a6ed7626e88a343350e13da0c5c1a88e24a87fcbd44f7da5983bb3ef036a162

C:\Users\Admin\AppData\Local\Temp\_MEI42522\charset_normalizer\md__mypyc.cp37-win_amd64.pyd

MD5 e82ec44c4814e2a17c1786849292f375
SHA1 de44bdcf984eb92a343f9a5230275f653d806b56
SHA256 3be1963470910839a3560c5838bc2dd780f34d6fb958ad59b8d26fbcf8b89cd5
SHA512 0fad111a5e28dfdd8cf74ec87597ca6313fe4849fd068be339060e18c6d4ccb1ca0d79b09e4f5ed3ec2f681a6600fc74c0855c812bc22c134764196360cef50b

C:\Users\Admin\AppData\Local\Temp\_MEI42522\_queue.pyd

MD5 c0a70188685e44e73576e3cd63fc1f68
SHA1 36f88ca5c1dda929b932d656368515e851aeb175
SHA256 e499824d58570c3130ba8ef1ac2d503e71f916c634b2708cc22e95c223f83d0a
SHA512 b9168bf1b98da4a9dfd7b1b040e1214fd69e8dfc2019774890291703ab48075c791cc27af5d735220bd25c47643f098820563dc537748471765aff164b00a4aa

C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\_MEI42522\_tkinter.pyd

MD5 09f66528018ffef916899845d6632307
SHA1 cf9ddad46180ef05a306dcb05fdb6f24912a69ce
SHA256 34d89fe378fc10351d127fb85427449f31595eccf9f5d17760b36709dd1449b9
SHA512 ed406792d8a533db71bd71859edbb2c69a828937757afec1a83fd1eacb1e5e6ec9afe3aa5e796fa1f518578f6d64ff19d64f64c9601760b7600a383efe82b3de
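ScanIP.exe is a PyInstaller one-file build. The bootloader unpacks the bundle into %TEMP%\_MEI<pid><n> (here _MEI42522, matching writer PID 4252 in the WriteProcessMemory rows) and starts a second copy of itself to run the script, which is the ScanIP.exe -> ScanIP.exe pair in the process list; the two WriteProcessMemory rows are that child launch. Two practical consequences follow. The hashes listed for python37.dll, python3.dll, base_library.zip and the .pyd files belong to the CPython 3.7 build the author packaged and will match every PyInstaller bundle made from the same install, so they make poor indicators for this sample. And the bundled third-party packages (psutil, PIL, charset_normalizer, the last normally pulled in by requests) together with tkinter, ssl and socket tell you roughly what the script can do before you unpack it (pyinstxtractor on the executable recovers the entry script's .pyc). The Python below is an added example written for this page, not PyInstaller or sandbox code; it takes the rows as printed above and the _MEI naming rule (prefix, bootloader PID, one counter digit) as its assumptions.

```python
"""Recognise a PyInstaller one-file drop from sandbox 'Files' rows.

Added triage example for this report (not PyInstaller's or the sandbox's
code). It reads the paths and the WriteProcessMemory rows as printed above,
finds the bootloader's extraction directory, checks its name against the
parent PID from the signature, and lists what was bundled.
"""
import re
from collections import defaultdict

# Rows copied from the behavioral26 section above (file list abbreviated).
SIGNATURE_ROWS = r"""
PID 4252 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\ScanIP.exe C:\Users\Admin\AppData\Local\Temp\ScanIP.exe
PID 4252 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\ScanIP.exe C:\Users\Admin\AppData\Local\Temp\ScanIP.exe
"""
FILE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\ucrtbase.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\python37.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\base_library.zip",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\_socket.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\_ssl.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\charset_normalizer\md.cp37-win_amd64.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\psutil\_psutil_windows.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\PIL\_imaging.cp37-win_amd64.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\_tkinter.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\tk.tcl",
]

MEI_DIR = re.compile(r"\\(_MEI\d+)\\")          # PyInstaller's temp dir prefix
PY_RUNTIME = re.compile(r"^python(\d)(\d+)\.dll$", re.I)
PID_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# Stock interpreter files: their hashes fingerprint the CPython build, not the sample.
STOCK = {"python3.dll", "base_library.zip", "ucrtbase.dll", "vcruntime140.dll"}
TK_DATA = {"tcl", "tcl8", "tk"}                 # Tcl/Tk script trees shipped with tkinter


def pyinstaller_dirs(paths):
    """Group files by the _MEI<digits> directory that contains them."""
    found = defaultdict(list)
    for p in paths:
        m = MEI_DIR.search(p)
        if m:
            found[m.group(1)].append(p[m.end():])   # path relative to the _MEI dir
    return dict(found)


def parent_pids(signature_text):
    """Writer PIDs from 'PID x wrote to memory of y' rows (the parent bootloader)."""
    return {int(m.group(1)) for m in PID_ROW.finditer(signature_text)}


def matches_pid(mei_name, pid):
    """Assumed naming rule: _MEI, then the bootloader's PID, then one counter digit."""
    digits = mei_name[len("_MEI"):]
    return digits.startswith(str(pid)) and len(digits) == len(str(pid)) + 1


def summarize(rel_paths):
    """Interpreter version, third-party packages and stdlib extensions in the bundle."""
    runtime, packages, ext, tk = None, set(), set(), False
    for rel in rel_paths:
        top, sep, _ = rel.partition("\\")
        m = PY_RUNTIME.match(top)
        if m:
            runtime = f"{m.group(1)}.{m.group(2)}"
        elif sep and top in TK_DATA:
            tk = True
        elif sep:
            packages.add(top)                    # a package directory such as psutil\
        elif top.lower() in STOCK:
            continue
        elif top.lower().endswith(".pyd"):
            ext.add(top[:-4].lstrip("_"))        # _ssl.pyd -> ssl
    return {"python": runtime, "packages": sorted(packages),
            "stdlib_ext": sorted(ext), "tk_runtime": tk}


if __name__ == "__main__":
    pids = parent_pids(SIGNATURE_ROWS)
    for name, files in pyinstaller_dirs(FILE_PATHS).items():
        owner = [p for p in pids if matches_pid(name, p)]
        print(name, "bootloader pid:", owner or "unmatched", summarize(files))
```

The PID correlation is the useful check: a _MEI directory whose digits do not start with any parent PID in the run was left behind by an earlier process, not by the sample you are looking at.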

Analysis: behavioral30

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:14

Platform

win10v2004-20240709-en

Max time kernel

1366s

Max time network

1155s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\nVNC\input\passwords.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\nVNC\input\passwords.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:21

Platform

win10v2004-20240709-en

Max time kernel

1359s

Max time network

1150s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\password.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\password.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:01

Platform

win10v2004-20240709-en

Max time kernel

1365s

Max time network

1151s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\AxInterop.MSTSCLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\AxInterop.MSTSCLib.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:03

Platform

win10v2004-20240709-en

Max time kernel

1365s

Max time network

1156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe

"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"

C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe

"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI48042\ucrtbase.dll

MD5 637c17ad8bccc838b0cf83ffb8e2c7fd
SHA1 b2dd2890668e589badb2ba61a27c1da503d73c39
SHA256 be7368df484688493fb49fb0c4ad641485070190db62a2c071c9c50612e43fed
SHA512 f6b727c319ca2e85a9b5c5e0b9d8b9023f0cf4193fab983cfa26060923374c6abd6d11db1da2e524a8b04622a4e13beb4c48dc23f98886d4abb33eb09f3a0776

C:\Users\Admin\AppData\Local\Temp\_MEI48042\python37.dll

MD5 c4709f84e6cf6e082b80c80b87abe551
SHA1 c0c55b229722f7f2010d34e26857df640182f796
SHA256 ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512 e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

C:\Users\Admin\AppData\Local\Temp\_MEI48042\VCRUNTIME140.dll

MD5 89a24c66e7a522f1e0016b1d0b4316dc
SHA1 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA256 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512 e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

C:\Users\Admin\AppData\Local\Temp\_MEI48042\base_library.zip

MD5 eb879c6861570dff2d8e68c5fc3d82c5
SHA1 465fc892fa9953da5984c84d8272f149afd54fc8
SHA256 666d0a0a05d795181a4b6fc5a46774d200ef9ac2befd02f4e5ae4b85e28147c3
SHA512 d108b905cb3e71475773e6b918b3516a762852fc360b1fece9f48d7ced114fd6555a232f55ea11d3ae8804cf9f4b1db3aa0ef6fcc593b1169507175889be0eda

C:\Users\Admin\AppData\Local\Temp\_MEI48042\python3.DLL

MD5 274853e19235d411a751a750c54b9893
SHA1 97bd15688b549cd5dbf49597af508c72679385af
SHA256 d21eb0fd1b2883e9e0b736b43cbbef9dfa89e31fee4d32af9ad52c3f0484987b
SHA512 580fa23cbe71ae4970a608c8d1ab88fe3f7562ed18398c73b14d5a3e008ea77df3e38abf97c12512786391ee403f675a219fbf5afe5c8cea004941b1d1d02a48

C:\Users\Admin\AppData\Local\Temp\_MEI48042\_ctypes.pyd

MD5 5e869eebb6169ce66225eb6725d5be4a
SHA1 747887da0d7ab152e1d54608c430e78192d5a788
SHA256 430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512 feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

C:\Users\Admin\AppData\Local\Temp\_MEI48042\_lzma.pyd

MD5 5fbb728a3b3abbdd830033586183a206
SHA1 066fde2fa80485c4f22e0552a4d433584d672a54
SHA256 f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA512 31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

C:\Users\Admin\AppData\Local\Temp\_MEI48042\_bz2.pyd

MD5 cf77513525fc652bad6c7f85e192e94b
SHA1 23ec3bb9cdc356500ec192cac16906864d5e9a81
SHA256 8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512 dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

C:\Users\Admin\AppData\Local\Temp\_MEI48042\pyexpat.pyd

MD5 6500aa010c8b50ffd1544f08af03fa4f
SHA1 a03f9f70d4ecc565f0fae26ef690d63e3711a20a
SHA256 752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec
SHA512 f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1

C:\Users\Admin\AppData\Local\Temp\_MEI48042\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

C:\Users\Admin\AppData\Local\Temp\_MEI48042\_hashlib.pyd

MD5 b32cb9615a9bada55e8f20dcea2fbf48
SHA1 a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256 ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA512 5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

C:\Users\Admin\AppData\Local\Temp\_MEI48042\_socket.pyd

MD5 8ea18d0eeae9044c278d2ea7a1dbae36
SHA1 de210842da8cb1cb14318789575d65117d14e728
SHA256 9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512 d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

C:\Users\Admin\AppData\Local\Temp\_MEI48042\select.pyd

MD5 fb4a0d7abaeaa76676846ad0f08fefa5
SHA1 755fd998215511506edd2c5c52807b46ca9393b2
SHA256 65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512 f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

C:\Users\Admin\AppData\Local\Temp\_MEI48042\_tkinter.pyd

MD5 09f66528018ffef916899845d6632307
SHA1 cf9ddad46180ef05a306dcb05fdb6f24912a69ce
SHA256 34d89fe378fc10351d127fb85427449f31595eccf9f5d17760b36709dd1449b9
SHA512 ed406792d8a533db71bd71859edbb2c69a828937757afec1a83fd1eacb1e5e6ec9afe3aa5e796fa1f518578f6d64ff19d64f64c9601760b7600a383efe82b3de

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk86t.dll

MD5 fdc8a5d96f9576bd70aa1cadc2f21748
SHA1 bae145525a18ce7e5bc69c5f43c6044de7b6e004
SHA256 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5
SHA512 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl86t.dll

MD5 c0b23815701dbae2a359cb8adb9ae730
SHA1 5be6736b645ed12e97b9462b77e5a43482673d90
SHA256 f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768
SHA512 ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\_MEI48042\_queue.pyd

MD5 c0a70188685e44e73576e3cd63fc1f68
SHA1 36f88ca5c1dda929b932d656368515e851aeb175
SHA256 e499824d58570c3130ba8ef1ac2d503e71f916c634b2708cc22e95c223f83d0a
SHA512 b9168bf1b98da4a9dfd7b1b040e1214fd69e8dfc2019774890291703ab48075c791cc27af5d735220bd25c47643f098820563dc537748471765aff164b00a4aa

C:\Users\Admin\AppData\Local\Temp\_MEI48042\_ssl.pyd

MD5 5a393bb4f3ae499541356e57a766eb6a
SHA1 908f68f4ea1a754fd31edb662332cf0df238cf9a
SHA256 b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047
SHA512 958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f

C:\Users\Admin\AppData\Local\Temp\_MEI48042\libssl-1_1.dll

MD5 bc778f33480148efa5d62b2ec85aaa7d
SHA1 b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA256 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA512 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

C:\Users\Admin\AppData\Local\Temp\_MEI48042\charset_normalizer\md.cp37-win_amd64.pyd

MD5 dbd015eedea9e5720e46fc6fb3e3a31a
SHA1 1ab6c1d3398a82f71f34e194aa5c6570db93ff63
SHA256 81bfb46f2f398b211231566612a2c94c0f95a244d08500be02a2a3c16dd18e49
SHA512 c3cb4fc5163ecf64f256af4eb95ae83634a207e86f10eb653385958c9eb960bf365db51fc72844f651d27d5760386958c85cce642c6efb5b807137771e46f071

C:\Users\Admin\AppData\Local\Temp\_MEI48042\charset_normalizer\md__mypyc.cp37-win_amd64.pyd

MD5 e82ec44c4814e2a17c1786849292f375
SHA1 de44bdcf984eb92a343f9a5230275f653d806b56
SHA256 3be1963470910839a3560c5838bc2dd780f34d6fb958ad59b8d26fbcf8b89cd5
SHA512 0fad111a5e28dfdd8cf74ec87597ca6313fe4849fd068be339060e18c6d4ccb1ca0d79b09e4f5ed3ec2f681a6600fc74c0855c812bc22c134764196360cef50b

C:\Users\Admin\AppData\Local\Temp\_MEI48042\unicodedata.pyd

MD5 4d3d8e16e98558ff9dac8fc7061e2759
SHA1 c918ab67b580f955b6361f9900930da38cec7c91
SHA256 016d962782beae0ea8417a17e67956b27610f4565cff71dd35a6e52ab187c095
SHA512 0dfabfad969da806bc9c6c664cdf31647d89951832ff7e4e5eeed81f1de9263ed71bddeff76ebb8e47d6248ad4f832cb8ad456f11e401c3481674bd60283991a

C:\Users\Admin\AppData\Local\Temp\_MEI48042\psutil\_psutil_windows.pyd

MD5 3e579844160de8322d574501a0f91516
SHA1 c8de193854f7fc94f103bd4ac726246981264508
SHA256 95f01ce7e37f6b4b281dbc76e9b88f28a03cb02d41383cc986803275a1cd6333
SHA512 ee2a026e8e70351d395329c78a07acb1b9440261d2557f639e817a8149ba625173ef196aed3d1c986577d78dc1a7ec9fed759c19346c51511474fe6d235b1817

C:\Users\Admin\AppData\Local\Temp\_MEI48042\PIL\_imaging.cp37-win_amd64.pyd

MD5 ad6fff0a653236fe65fb5cf5d88bf91b
SHA1 4845a875fcaa8f5d8f75d7a35b59a1a491f6d29f
SHA256 356142a3639d2b1dc7b71a794ef3c6085a8121eb721f4061a25a82235326ec45
SHA512 6706bc931c5d461b0a2272d206f4dff69440c40a0b68e8c8202928e8d1b9cf7fbc1aba6907b894438f3c31c8f68ed14c9553e9998ef64e0ccd2ee47673b359a5

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\init.tcl

MD5 b900811a252be90c693e5e7ae365869d
SHA1 345752c46f7e8e67dadef7f6fd514bed4b708fc5
SHA256 bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a
SHA512 36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\icons.tcl

MD5 2652aad862e8fe06a4eedfb521e42b75
SHA1 ed22459ad3d192ab05a01a25af07247b89dc6440
SHA256 a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161
SHA512 6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\panedwindow.tcl

MD5 2da0a23cc9d6fd970fe00915ea39d8a2
SHA1 dfe3dc663c19e9a50526a513043d2393869d8f90
SHA256 4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29
SHA512 b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\menu.tcl

MD5 181ed74919f081eeb34269500e228470
SHA1 953eb429f6d98562468327858ed0967bdc21b5ad
SHA256 564ac0040176cc5744e3860abc36b5ffbc648da20b26a710dc3414eae487299b
SHA512 220e496b464575115baf1dede838e70d5ddd6d199b5b8acc1763e66d66801021b2d7cd0e1e1846868782116ad8a1f127682073d6eacd7e73f91bced89f620109

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\listbox.tcl

MD5 c33963d3a512f2e728f722e584c21552
SHA1 75499cfa62f2da316915fada2580122dc3318bad
SHA256 39721233855e97bfa508959b6dd91e1924456e381d36fdfc845e589d82b1b0cc
SHA512 ea01d8cb36d446ace31c5d7e50dfae575576fd69fd5d413941eebba7ccc1075f6774af3c69469cd7baf6e1068aa5e5b4c560f550edd2a8679124e48c55c8e8d7

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\entry.tcl

MD5 be28d16510ee78ecc048b2446ee9a11a
SHA1 4829d6e8ab8a283209fb4738134b03b7bd768bad
SHA256 8f57a23c5190b50fad00bdee9430a615ebebfc47843e702374ae21beb2ad8b06
SHA512 f56af7020531249bc26d88b977baffc612b6566146730a681a798ff40be9ebc04d7f80729bafe0b9d4fac5b0582b76f9530f3fe376d42a738c9bc4b3b442df1f

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\button.tcl

MD5 309ab5b70f664648774453bccbe5d3ce
SHA1 51bf685dedd21de3786fe97bc674ab85f34bd061
SHA256 0d95949cfacf0df135a851f7330acc9480b965dac7361151ac67a6c667c6276d
SHA512 d5139752bd7175747a5c912761916efb63b3c193dd133ad25d020a28883a1dea6b04310b751f5fcbe579f392a8f5f18ae556116283b3e137b4ea11a2c536ec6b

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\opt0.4\pkgIndex.tcl

MD5 92ff1e42cfc5fecce95068fc38d995b3
SHA1 b2e71842f14d5422a9093115d52f19bcca1bf881
SHA256 eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718
SHA512 608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\http1.0\pkgIndex.tcl

MD5 10ec7cd64ca949099c818646b6fae31c
SHA1 6001a58a0701dff225e2510a4aaee6489a537657
SHA256 420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c
SHA512 34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\pkgIndex.tcl

MD5 a6448af2c8fafc9a4f42eaca6bf6ab2e
SHA1 0b295b46b6df906e89f40a907022068bc6219302
SHA256 cd44ee7f76c37c0c522bd0cfca41c38cdeddc74392b2191a3af1a63d9d18888e
SHA512 5b1a8ca5b09b7281de55460d21d5195c4ee086bebdc35fa561001181490669ffc67d261f99eaa900467fe97e980eb733c5ffbf9d8c541ede18992bf4a435c749

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\package.tcl

MD5 55e2db5dcf8d49f8cd5b7d64fea640c7
SHA1 8fdc28822b0cc08fa3569a14a8c96edca03bfbbd
SHA256 47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad
SHA512 824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl8\8.5\msgcat-1.6.1.tm

MD5 db52847c625ea3290f81238595a915cd
SHA1 45a4ed9b74965e399430290bcdcd64aca5d29159
SHA256 4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55
SHA512 5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\tm.tcl

MD5 f9ed2096eea0f998c6701db8309f95a6
SHA1 bcdb4f7e3db3e2d78d25ed4e9231297465b45db8
SHA256 6437bd7040206d3f2db734fa482b6e79c68bcc950fba80c544c7f390ba158f9b
SHA512 e4fb8f28dc72ea913f79cedf5776788a0310608236d6607adc441e7f3036d589fd2b31c446c187ef5827fd37dcaa26d9e94d802513e3bf3300e94dd939695b30

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\tk.tcl

MD5 3250ec5b2efe5bbe4d3ec271f94e5359
SHA1 6a0fe910041c8df4f3cdc19871813792e8cc4e4c
SHA256 e1067a0668debb2d8e8ec3b7bc1aec3723627649832b20333f9369f28e4dfdbf
SHA512 f8e403f3d59d44333bce2aa7917e6d8115bec0fe5ae9a1306f215018b05056467643b7aa228154ddced176072bc903dfb556cb2638f5c55c1285c376079e8fe3

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\auto.tcl

MD5 5e9b3e874f8fbeaadef3a004a1b291b5
SHA1 b356286005efb4a3a46a1fdd53e4fcdc406569d0
SHA256 f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840
SHA512 482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\tclIndex

MD5 e127196e9174b429cc09c040158f6aab
SHA1 ff850f5d1bd8efc1a8cb765fe8221330f0c6c699
SHA256 abf7d9d1e86de931096c21820bfa4fd70db1f55005d2db4aa674d86200867806
SHA512 c4b98ebc65e25df41e6b9a93e16e608cf309fa0ae712578ee4974d84f7f33bcf2a6ed7626e88a343350e13da0c5c1a88e24a87fcbd44f7da5983bb3ef036a162

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:04

Platform

win10v2004-20240709-en

Max time kernel

1750s

Max time network

1141s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ScanIP.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ScanIP.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:04

Platform

win10v2004-20240709-en

Max time kernel

1342s

Max time network

1135s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1552 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1552 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1444 -ip 1444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 648

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:07

Platform

win10v2004-20240709-en

Max time kernel

1657s

Max time network

1152s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\NL Brute 2\settings.ini"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\NL Brute 2\settings.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:20

Platform

win10v2004-20240709-en

Max time kernel

1701s

Max time network

1152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe"

Signatures

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe

"C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe"

C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe

"C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 201.64.52.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI35642\nvnc.exe.manifest

MD5 95b60b99fa7a60b3d17e5a792be83fdd
SHA1 672eb0187a961b11c87d5ce82c45a03ba3496b63
SHA256 09c7f09d9e15b33ff5e58d6dcf7f31aaf16426fc104377e91e03cff0f1bb941c
SHA512 18559064b7f20385a93ac66a2f8c90280aa39767083458dd18fe886f4707c2f3fceb32eb087a3fc703746b0475a9d232195874f75e4059ff7d607a4e893a1c86

C:\Users\Admin\AppData\Local\Temp\_MEI35642\python27.dll

MD5 7584228b7aa01d99944df388ba62a197
SHA1 9e3d84241053d0ff82d83104fe9f73b9f02a3b3e
SHA256 75e9a929d9f0f4ee2c5164c5829bebc05ea9aca0b664b41bb8e7ff53fbb1bb8e
SHA512 217bbd7cf8a27a18c15856e6506f0bbc51b9d22e55ec15339aa53e81e966d65c8af445c55d79f1ff0cf1757e0c3a3da5de9818f00be8bf14f708ff1c5db88165

C:\Users\Admin\AppData\Local\Temp\_MEI35642\_socket.pyd

MD5 07789a8c23bcebe32f8bfd4ce4af5ffb
SHA1 132d7ad9d2a7c3ff51b246fd14f0a4f738d68e10
SHA256 235cc97584c3d31e5f3146121f64699d30cf372a86868ea755a9a0afa6c56144
SHA512 d461d8313c285e568ce44c08d1af7c54aafae0d1e8235109d5d71f6baffe8f677ae3202590cf33ab34625ac87285c7dc4c1df2e2181acd4b998309d23e12fd3e

memory/400-19-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI35642\_ssl.pyd

MD5 12fb0bcc8b79ecadd52ba8d97e08bfed
SHA1 b52b26e16841d3b03f36792df7ed1825aa95ee54
SHA256 360b506df81ffc0b49ac15924314fa549084227b998b202572eed90b695dfd3a
SHA512 3a6e78965cf58bb94efe1802f5fd39b2820935c277fb8773ecc3b4a0608fc444ace952a619dead204476981c78c38992867172bc0584cae01306ef226e5fce21

C:\Users\Admin\AppData\Local\Temp\_MEI35642\_ctypes.pyd

MD5 f9982f8b1176597b81ed1285d1616ce7
SHA1 7cf74cce8b20adeeff83e29eacc028bdf2d7c18a
SHA256 d14315cf03aa7d96b714bfc13f7990ec245d205e4a5f9f002d2805e369199239
SHA512 cd3339dc69ff918d3e4db2ae219ff7df58f18a151f088fa051b4cdf48e4cfd6569a9ca9e414708818004de7d0cb3cea64fa2ee4c0a1f6b832d86229446e22153

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 08:31

Platform

win10v2004-20240729-en

Max time kernel

424s

Max time network

426s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Full Tool Scan VPS.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Full Tool Scan VPS.zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:02

Platform

win10v2004-20240709-en

Max time kernel

1665s

Max time network

1160s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\RestSharp.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\RestSharp.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:05

Platform

win10v2004-20240709-en

Max time kernel

1368s

Max time network

1159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe

"C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 www.ipdeny.com udp
NL 51.15.12.186:80 www.ipdeny.com tcp
NL 51.15.12.186:443 www.ipdeny.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 186.12.15.51.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

memory/3660-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/3660-1-0x00000000001C0000-0x000000000021A000-memory.dmp

memory/3660-2-0x0000000004BB0000-0x0000000004C4C000-memory.dmp

memory/3660-3-0x0000000005270000-0x0000000005814000-memory.dmp

memory/3660-4-0x0000000004D60000-0x0000000004DF2000-memory.dmp

memory/3660-5-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

memory/3660-6-0x0000000004EF0000-0x0000000004F46000-memory.dmp

memory/3660-7-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/3660-8-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/3660-9-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/3660-10-0x0000000074B10000-0x00000000752C0000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:06

Platform

win10v2004-20240704-en

Max time kernel

1365s

Max time network

1160s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\final.ini

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\final.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:02

Platform

win10v2004-20240709-en

Max time kernel

1362s

Max time network

1153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4040 -ip 4040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1164

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe

MD5 43e6a8477f860a82dd1dbd8606e15d76
SHA1 f0f1ab3a7907191816c8781b4065034e991201dc
SHA256 e2bad47239cd4180d0a1b98f404791fceaf9b1192273ccef07708ff80606574e
SHA512 77dfcaccee0d716eba878a069d1865ee737439d03d499b87ca1466d6889097ad5f33532579151b970ee4ed26c13396ecc3cf1593193910b8b490ace44f5af584

memory/4040-12-0x00000000736FE000-0x00000000736FF000-memory.dmp

memory/4040-13-0x0000000000250000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/4040-19-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/4040-20-0x00000000736F0000-0x0000000073EA0000-memory.dmp

memory/4040-21-0x00000000736F0000-0x0000000073EA0000-memory.dmp

memory/4040-22-0x0000000005A20000-0x0000000005FC4000-memory.dmp

memory/4040-23-0x0000000005510000-0x00000000055A2000-memory.dmp

memory/4040-24-0x00000000736F0000-0x0000000073EA0000-memory.dmp

memory/4040-25-0x00000000736F0000-0x0000000073EA0000-memory.dmp

memory/4040-26-0x00000000055C0000-0x00000000055CA000-memory.dmp

memory/4040-27-0x00000000736F0000-0x0000000073EA0000-memory.dmp

memory/4040-28-0x00000000736F0000-0x0000000073EA0000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

memory/4040-47-0x00000000736F0000-0x0000000073EA0000-memory.dmp

memory/1908-115-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1908-116-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1908-118-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:04

Platform

win10v2004-20240729-en

Max time kernel

1326s

Max time network

1150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13195~1.15\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\msedge.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe

"C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe

MD5 c0a8af17a2912a08a20d65fe85191c28
SHA1 0fbc897bf6046718524d05b6bc144c3785224802
SHA256 080c6108c3bd0f8a43d5647db36dc434032842339f0ba38ad1ff62f72999c4e5
SHA512 bd6b67a2f285a5634c5d38f742d5528a661414d3fb88f8065433f6a6a1a3a3f707dede9be7bda9bac9327240422c2314081d0a9eb9b6bc61687465ac96868ef9

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

memory/4796-115-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4796-116-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4796-118-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:02

Platform

win10v2004-20240709-en

Max time kernel

1360s

Max time network

1153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\Interop.MSTSCLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\Interop.MSTSCLib.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:05

Platform

win10v2004-20240709-en

Max time kernel

1755s

Max time network

1149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe

"C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp

Files

memory/3640-0-0x00000000007D0000-0x00000000007E8000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:06

Platform

win10v2004-20240709-en

Max time kernel

1341s

Max time network

1130s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\options.ini

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\options.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:06

Platform

win10v2004-20240709-en

Max time kernel

1369s

Max time network

1157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ScanIP.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ScanIP.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:07

Platform

win10v2004-20240709-en

Max time kernel

1790s

Max time network

1166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3648 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe C:\Windows\system32\cmd.exe
PID 3648 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe

"C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7733.tmp\7734.tmp\7735.bat C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

memory/3648-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7733.tmp\7734.tmp\7735.bat

MD5 78814a514c34812d96730e940f1e6333
SHA1 8f13c95b7048f32e708c7f0ae2764dd73fe9ba6b
SHA256 adbbdb4da2905a476b84ef57390c51ee26617eba55802998e83ff5d33b92fdc7
SHA512 d1dd81c1401c6024c358bfbefa38c4b459961ec354c5bffe25b3f390ca691a1b040b313aefcef537a79a14e3f20e8bfb0164e5ac2d4019bf6c9677ac41603f67

memory/3648-3-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:12

Platform

win10v2004-20240709-en

Max time kernel

1365s

Max time network

1156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\nVNC\bin\config.conf

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\nVNC\bin\config.conf

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:03

Platform

win10v2004-20240709-en

Max time kernel

1663s

Max time network

1157s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\SkinSoft.VisualStyler.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\SkinSoft.VisualStyler.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-30 08:20

Reported

2024-07-30 09:05

Platform

win10v2004-20240709-en

Max time kernel

1364s

Max time network

1155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3540 -ip 3540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A