Analysis Overview
SHA256
95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28
Threat Level: Known bad
The file Full Tool Scan VPS.zip was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Neshta
Quasar RAT
Detect Neshta payload
Neshta family
Quasar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Identifies Wine through registry keys
Modifies system executable filetype association
UPX packed file
Checks BIOS information in registry
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Drops file in Program Files directory
Detects Pyinstaller
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
NSIS installer
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-30 08:21
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta family
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:05
Platform
win10v2004-20240709-en
Max time kernel
1658s
Max time network
1151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 8 wrote to memory of 4548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 8 wrote to memory of 4548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 8 wrote to memory of 4548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:06
Platform
win10v2004-20240704-en
Max time kernel
1765s
Max time network
1160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2680 wrote to memory of 5108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2680 wrote to memory of 5108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2680 wrote to memory of 5108 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\wpcap.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\wpcap.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5108 -ip 5108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 644
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/5108-0-0x0000000000E80000-0x0000000000E98000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:06
Platform
win10v2004-20240709-en
Max time kernel
1792s
Max time network
1154s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4468 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe |
| PID 4468 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe |
| PID 4468 wrote to memory of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe
"C:\Users\Admin\AppData\Local\Temp\NL Brute 2\NLBrute.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute.exe
| MD5 | 025c1c35c3198e6e3497d5dbf97ae81f |
| SHA1 | 6d390038003c298c7ab8f2cbe35a50b07e096554 |
| SHA256 | ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4 |
| SHA512 | 1d4cf52062b4f1aa9349ee96b234fc51e693ea8231230ec2b35fa896c2c27f47158d6493e26a1881b070b3f86e6c7d9d2ed3f5f161d456eb011551d434e06b50 |
memory/3076-9-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-10-0x0000000077D24000-0x0000000077D26000-memory.dmp
memory/3076-16-0x0000000005F70000-0x0000000005F71000-memory.dmp
memory/3076-15-0x0000000005F90000-0x0000000005F91000-memory.dmp
memory/3076-14-0x0000000005F30000-0x0000000005F31000-memory.dmp
memory/3076-13-0x0000000005F80000-0x0000000005F81000-memory.dmp
memory/3076-17-0x0000000000401000-0x000000000081B000-memory.dmp
memory/3076-12-0x0000000005FA0000-0x0000000005FA2000-memory.dmp
memory/3076-11-0x0000000005F60000-0x0000000005F61000-memory.dmp
memory/3076-18-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-19-0x0000000000400000-0x0000000001C9F400-memory.dmp
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | 3b73078a714bf61d1c19ebc3afc0e454 |
| SHA1 | 9abeabd74613a2f533e2244c9ee6f967188e4e7e |
| SHA256 | ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29 |
| SHA512 | 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4 |
memory/3076-39-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-46-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-65-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-83-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-95-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-98-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-110-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-111-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/4468-112-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3076-113-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/4468-114-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3076-115-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-116-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/4468-117-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3076-118-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-119-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/4468-121-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3076-122-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-123-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-124-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-125-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-126-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-127-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-128-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-129-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-130-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-131-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-132-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-133-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-134-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-135-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-136-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-137-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-138-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-139-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-140-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-141-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-142-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-143-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-144-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-145-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-146-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-147-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-148-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-149-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-150-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-151-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-152-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-153-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-154-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-155-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-156-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-157-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-158-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-159-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-160-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-161-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-162-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-163-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-164-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-165-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-166-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-167-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-168-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-169-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-170-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-171-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-172-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-173-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-174-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-175-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-176-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-177-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-178-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-179-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3076-180-0x0000000000400000-0x0000000001C9F400-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:06
Platform
win10v2004-20240709-en
Max time kernel
1793s
Max time network
1799s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe
"C:\Users\Admin\AppData\Local\Temp\NL Brute 2\tối uu VPS ram cpu.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| SG | 128.199.64.220:4782 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| SG | 128.199.64.220:4782 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| SG | 128.199.64.220:4782 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| SG | 128.199.64.220:4782 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
| SG | 128.199.64.220:4782 | | tcp |
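The table above records dozens of TCP connections to 128.199.64.220:4782 with no DNS name beside them, interleaved with the sandbox's own reverse (PTR) lookups and Bing tile fetches from the stock Windows 10 image. 4782 is the default port in Quasar's client builder, which fits the Quasar family signatures at the top of this report, but the port is operator-configurable, so the durable signal is the reconnect loop itself: the same address hit again and again without a preceding DNS query. The Python below is added here as a worked example; it is not part of the sandbox report and not code from the Quasar project. It parses rows in this table's format (tolerating the shifted column where Domain is empty), discards resolver and background traffic, and counts attempts per destination. The row excerpt and the background-domain list are constructed for the example.

```python
"""Triage a sandbox 'Network' table: drop resolver and image-background traffic,
keep direct-to-IP connections, and count how often each destination was hit."""
from collections import Counter

# Constructed excerpt in the report's row format (not the full table).
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| SG | 128.199.64.220:4782 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| SG | 128.199.64.220:4782 | tcp | |
| SG | 128.199.64.220:4782 | tcp | |
"""

PROTOCOLS = {"tcp", "udp"}
# Hosts the stock Windows 10 sandbox image contacts on its own (assumption for
# this example; build the real list from a clean-run baseline, not by hand).
BACKGROUND_DOMAINS = {"tse1.mm.bing.net", "g.bing.com"}
QUASAR_DEFAULT_PORT = 4782  # builder default; operators can and do change it


def parse_row(line):
    """Parse one '| CC | host:port | domain | proto |' row; None for header/blank."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    country, dest = cells[0], cells[1]
    rest = [c for c in cells[2:] if c]
    # When Domain is empty the report shifts the protocol into the Domain
    # column, so pick the fields by value rather than by position.
    proto = next((c.lower() for c in rest if c.lower() in PROTOCOLS), "")
    domain = next((c for c in rest if c.lower() not in PROTOCOLS), "")
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host or dest,
            "port": int(port) if port.isdigit() else 0,
            "domain": domain, "proto": proto}


def classify(row):
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-ptr" if row["domain"].endswith(".in-addr.arpa") else "dns"
    if row["domain"] in BACKGROUND_DOMAINS:
        return "background"
    if not row["domain"]:
        return "direct-ip"  # no name resolved first: the address is baked into the sample
    return "other"


def connection_counts(table):
    """Count rows per (host, port, proto) for direct-to-IP connections only."""
    counts = Counter()
    for line in table.splitlines():
        row = parse_row(line)
        if row and classify(row) == "direct-ip":
            counts[(row["host"], row["port"], row["proto"])] += 1
    return counts


def beacon_candidates(table, min_attempts=2):
    """Destinations hit repeatedly without DNS: a RAT client's reconnect loop
    looks exactly like this. The port only adds a hint."""
    out = []
    for (host, port, proto), n in connection_counts(table).most_common():
        if n >= min_attempts:
            out.append({"dest": f"{host}:{port}/{proto}", "attempts": n,
                        "quasar_default_port": port == QUASAR_DEFAULT_PORT})
    return out


if __name__ == "__main__":
    for candidate in beacon_candidates(SAMPLE_ROWS):
        print(candidate)
```

Run over the full table the same grouping reduces it to a single candidate with the attempt count attached; the PTR rows and the bing.net fetches fall out as noise. The port flag is deliberately reported separately from the verdict so that a Quasar build on a non-default port still surfaces.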
Files
memory/3316-0-0x00007FFC5F5C3000-0x00007FFC5F5C5000-memory.dmp
memory/3316-1-0x0000000000CF0000-0x0000000000D74000-memory.dmp
memory/3316-2-0x00007FFC5F5C0000-0x00007FFC60081000-memory.dmp
memory/3316-3-0x000000001C470000-0x000000001C4C0000-memory.dmp
memory/3316-4-0x000000001C580000-0x000000001C632000-memory.dmp
memory/3316-5-0x00007FFC5F5C3000-0x00007FFC5F5C5000-memory.dmp
memory/3316-6-0x00007FFC5F5C0000-0x00007FFC60081000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:05
Platform
win10v2004-20240729-en
Max time kernel
1334s
Max time network
1158s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\MassScan\_config.ini
C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv BxApXNFT8E2y/Q6bkS0ePA.0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:05
Platform
win10v2004-20240709-en
Max time kernel
1362s
Max time network
1158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4004 wrote to memory of 3444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4004 wrote to memory of 3444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4004 wrote to memory of 3444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3444 -ip 3444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 660
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:04
Platform
win10v2004-20240709-en
Max time kernel
1748s
Max time network
1162s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3224 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1944 -ip 1944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 708
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:05
Platform
win10v2004-20240709-en
Max time kernel
1754s
Max time network
1144s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\MassScan\Input.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.201.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:05
Platform
win10v2004-20240709-en
Max time kernel
1732s
Max time network
1151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe
"C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsyB548.tmp\System.dll
| MD5 | 5c22bbf6730572e50eed4108af6081df |
| SHA1 | 8a13196f4d47ee7de2e35509058db954db10c72a |
| SHA256 | 3198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec |
| SHA512 | 264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:06
Platform
win10v2004-20240709-en
Max time kernel
1362s
Max time network
1152s
Command Line
Signatures
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\ScanIP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ScanIP.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4252 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\ScanIP.exe | C:\Users\Admin\AppData\Local\Temp\ScanIP.exe |
| PID 4252 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\ScanIP.exe | C:\Users\Admin\AppData\Local\Temp\ScanIP.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ScanIP.exe
"C:\Users\Admin\AppData\Local\Temp\ScanIP.exe"
C:\Users\Admin\AppData\Local\Temp\ScanIP.exe
"C:\Users\Admin\AppData\Local\Temp\ScanIP.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 194.98.74.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI42522\ucrtbase.dll
| MD5 | 637c17ad8bccc838b0cf83ffb8e2c7fd |
| SHA1 | b2dd2890668e589badb2ba61a27c1da503d73c39 |
| SHA256 | be7368df484688493fb49fb0c4ad641485070190db62a2c071c9c50612e43fed |
| SHA512 | f6b727c319ca2e85a9b5c5e0b9d8b9023f0cf4193fab983cfa26060923374c6abd6d11db1da2e524a8b04622a4e13beb4c48dc23f98886d4abb33eb09f3a0776 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\python37.dll
| MD5 | c4709f84e6cf6e082b80c80b87abe551 |
| SHA1 | c0c55b229722f7f2010d34e26857df640182f796 |
| SHA256 | ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3 |
| SHA512 | e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\VCRUNTIME140.dll
| MD5 | 89a24c66e7a522f1e0016b1d0b4316dc |
| SHA1 | 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42 |
| SHA256 | 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6 |
| SHA512 | e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\base_library.zip
| MD5 | eb879c6861570dff2d8e68c5fc3d82c5 |
| SHA1 | 465fc892fa9953da5984c84d8272f149afd54fc8 |
| SHA256 | 666d0a0a05d795181a4b6fc5a46774d200ef9ac2befd02f4e5ae4b85e28147c3 |
| SHA512 | d108b905cb3e71475773e6b918b3516a762852fc360b1fece9f48d7ced114fd6555a232f55ea11d3ae8804cf9f4b1db3aa0ef6fcc593b1169507175889be0eda |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\python3.dll
| MD5 | 274853e19235d411a751a750c54b9893 |
| SHA1 | 97bd15688b549cd5dbf49597af508c72679385af |
| SHA256 | d21eb0fd1b2883e9e0b736b43cbbef9dfa89e31fee4d32af9ad52c3f0484987b |
| SHA512 | 580fa23cbe71ae4970a608c8d1ab88fe3f7562ed18398c73b14d5a3e008ea77df3e38abf97c12512786391ee403f675a219fbf5afe5c8cea004941b1d1d02a48 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_ctypes.pyd
| MD5 | 5e869eebb6169ce66225eb6725d5be4a |
| SHA1 | 747887da0d7ab152e1d54608c430e78192d5a788 |
| SHA256 | 430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173 |
| SHA512 | feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_bz2.pyd
| MD5 | cf77513525fc652bad6c7f85e192e94b |
| SHA1 | 23ec3bb9cdc356500ec192cac16906864d5e9a81 |
| SHA256 | 8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41 |
| SHA512 | dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_lzma.pyd
| MD5 | 5fbb728a3b3abbdd830033586183a206 |
| SHA1 | 066fde2fa80485c4f22e0552a4d433584d672a54 |
| SHA256 | f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b |
| SHA512 | 31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\pyexpat.pyd
| MD5 | 6500aa010c8b50ffd1544f08af03fa4f |
| SHA1 | a03f9f70d4ecc565f0fae26ef690d63e3711a20a |
| SHA256 | 752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec |
| SHA512 | f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\libcrypto-1_1.dll
| MD5 | cc4cbf715966cdcad95a1e6c95592b3d |
| SHA1 | d5873fea9c084bcc753d1c93b2d0716257bea7c3 |
| SHA256 | 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1 |
| SHA512 | 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_hashlib.pyd
| MD5 | b32cb9615a9bada55e8f20dcea2fbf48 |
| SHA1 | a9c6e2d44b07b31c898a6d83b7093bf90915062d |
| SHA256 | ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5 |
| SHA512 | 5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_socket.pyd
| MD5 | 8ea18d0eeae9044c278d2ea7a1dbae36 |
| SHA1 | de210842da8cb1cb14318789575d65117d14e728 |
| SHA256 | 9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2 |
| SHA512 | d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\select.pyd
| MD5 | fb4a0d7abaeaa76676846ad0f08fefa5 |
| SHA1 | 755fd998215511506edd2c5c52807b46ca9393b2 |
| SHA256 | 65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429 |
| SHA512 | f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk86t.dll
| MD5 | fdc8a5d96f9576bd70aa1cadc2f21748 |
| SHA1 | bae145525a18ce7e5bc69c5f43c6044de7b6e004 |
| SHA256 | 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5 |
| SHA512 | 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl86t.dll
| MD5 | c0b23815701dbae2a359cb8adb9ae730 |
| SHA1 | 5be6736b645ed12e97b9462b77e5a43482673d90 |
| SHA256 | f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768 |
| SHA512 | ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_ssl.pyd
| MD5 | 5a393bb4f3ae499541356e57a766eb6a |
| SHA1 | 908f68f4ea1a754fd31edb662332cf0df238cf9a |
| SHA256 | b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047 |
| SHA512 | 958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\libssl-1_1.dll
| MD5 | bc778f33480148efa5d62b2ec85aaa7d |
| SHA1 | b1ec87cbd8bc4398c6ebb26549961c8aab53d855 |
| SHA256 | 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843 |
| SHA512 | 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\charset_normalizer\md.cp37-win_amd64.pyd
| MD5 | dbd015eedea9e5720e46fc6fb3e3a31a |
| SHA1 | 1ab6c1d3398a82f71f34e194aa5c6570db93ff63 |
| SHA256 | 81bfb46f2f398b211231566612a2c94c0f95a244d08500be02a2a3c16dd18e49 |
| SHA512 | c3cb4fc5163ecf64f256af4eb95ae83634a207e86f10eb653385958c9eb960bf365db51fc72844f651d27d5760386958c85cce642c6efb5b807137771e46f071 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\unicodedata.pyd
| MD5 | 4d3d8e16e98558ff9dac8fc7061e2759 |
| SHA1 | c918ab67b580f955b6361f9900930da38cec7c91 |
| SHA256 | 016d962782beae0ea8417a17e67956b27610f4565cff71dd35a6e52ab187c095 |
| SHA512 | 0dfabfad969da806bc9c6c664cdf31647d89951832ff7e4e5eeed81f1de9263ed71bddeff76ebb8e47d6248ad4f832cb8ad456f11e401c3481674bd60283991a |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\psutil\_psutil_windows.pyd
| MD5 | 3e579844160de8322d574501a0f91516 |
| SHA1 | c8de193854f7fc94f103bd4ac726246981264508 |
| SHA256 | 95f01ce7e37f6b4b281dbc76e9b88f28a03cb02d41383cc986803275a1cd6333 |
| SHA512 | ee2a026e8e70351d395329c78a07acb1b9440261d2557f639e817a8149ba625173ef196aed3d1c986577d78dc1a7ec9fed759c19346c51511474fe6d235b1817 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\PIL\_imaging.cp37-win_amd64.pyd
| MD5 | ad6fff0a653236fe65fb5cf5d88bf91b |
| SHA1 | 4845a875fcaa8f5d8f75d7a35b59a1a491f6d29f |
| SHA256 | 356142a3639d2b1dc7b71a794ef3c6085a8121eb721f4061a25a82235326ec45 |
| SHA512 | 6706bc931c5d461b0a2272d206f4dff69440c40a0b68e8c8202928e8d1b9cf7fbc1aba6907b894438f3c31c8f68ed14c9553e9998ef64e0ccd2ee47673b359a5 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\init.tcl
| MD5 | b900811a252be90c693e5e7ae365869d |
| SHA1 | 345752c46f7e8e67dadef7f6fd514bed4b708fc5 |
| SHA256 | bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a |
| SHA512 | 36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\panedwindow.tcl
| MD5 | 2da0a23cc9d6fd970fe00915ea39d8a2 |
| SHA1 | dfe3dc663c19e9a50526a513043d2393869d8f90 |
| SHA256 | 4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29 |
| SHA512 | b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\menu.tcl
| MD5 | 181ed74919f081eeb34269500e228470 |
| SHA1 | 953eb429f6d98562468327858ed0967bdc21b5ad |
| SHA256 | 564ac0040176cc5744e3860abc36b5ffbc648da20b26a710dc3414eae487299b |
| SHA512 | 220e496b464575115baf1dede838e70d5ddd6d199b5b8acc1763e66d66801021b2d7cd0e1e1846868782116ad8a1f127682073d6eacd7e73f91bced89f620109 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\listbox.tcl
| MD5 | c33963d3a512f2e728f722e584c21552 |
| SHA1 | 75499cfa62f2da316915fada2580122dc3318bad |
| SHA256 | 39721233855e97bfa508959b6dd91e1924456e381d36fdfc845e589d82b1b0cc |
| SHA512 | ea01d8cb36d446ace31c5d7e50dfae575576fd69fd5d413941eebba7ccc1075f6774af3c69469cd7baf6e1068aa5e5b4c560f550edd2a8679124e48c55c8e8d7 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\entry.tcl
| MD5 | be28d16510ee78ecc048b2446ee9a11a |
| SHA1 | 4829d6e8ab8a283209fb4738134b03b7bd768bad |
| SHA256 | 8f57a23c5190b50fad00bdee9430a615ebebfc47843e702374ae21beb2ad8b06 |
| SHA512 | f56af7020531249bc26d88b977baffc612b6566146730a681a798ff40be9ebc04d7f80729bafe0b9d4fac5b0582b76f9530f3fe376d42a738c9bc4b3b442df1f |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\button.tcl
| MD5 | 309ab5b70f664648774453bccbe5d3ce |
| SHA1 | 51bf685dedd21de3786fe97bc674ab85f34bd061 |
| SHA256 | 0d95949cfacf0df135a851f7330acc9480b965dac7361151ac67a6c667c6276d |
| SHA512 | d5139752bd7175747a5c912761916efb63b3c193dd133ad25d020a28883a1dea6b04310b751f5fcbe579f392a8f5f18ae556116283b3e137b4ea11a2c536ec6b |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\icons.tcl
| MD5 | 2652aad862e8fe06a4eedfb521e42b75 |
| SHA1 | ed22459ad3d192ab05a01a25af07247b89dc6440 |
| SHA256 | a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161 |
| SHA512 | 6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\opt0.4\pkgIndex.tcl
| MD5 | 92ff1e42cfc5fecce95068fc38d995b3 |
| SHA1 | b2e71842f14d5422a9093115d52f19bcca1bf881 |
| SHA256 | eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718 |
| SHA512 | 608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\http1.0\pkgIndex.tcl
| MD5 | 10ec7cd64ca949099c818646b6fae31c |
| SHA1 | 6001a58a0701dff225e2510a4aaee6489a537657 |
| SHA256 | 420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c |
| SHA512 | 34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\pkgIndex.tcl
| MD5 | a6448af2c8fafc9a4f42eaca6bf6ab2e |
| SHA1 | 0b295b46b6df906e89f40a907022068bc6219302 |
| SHA256 | cd44ee7f76c37c0c522bd0cfca41c38cdeddc74392b2191a3af1a63d9d18888e |
| SHA512 | 5b1a8ca5b09b7281de55460d21d5195c4ee086bebdc35fa561001181490669ffc67d261f99eaa900467fe97e980eb733c5ffbf9d8c541ede18992bf4a435c749 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\package.tcl
| MD5 | 55e2db5dcf8d49f8cd5b7d64fea640c7 |
| SHA1 | 8fdc28822b0cc08fa3569a14a8c96edca03bfbbd |
| SHA256 | 47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad |
| SHA512 | 824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl8\8.5\msgcat-1.6.1.tm
| MD5 | db52847c625ea3290f81238595a915cd |
| SHA1 | 45a4ed9b74965e399430290bcdcd64aca5d29159 |
| SHA256 | 4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55 |
| SHA512 | 5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\tm.tcl
| MD5 | f9ed2096eea0f998c6701db8309f95a6 |
| SHA1 | bcdb4f7e3db3e2d78d25ed4e9231297465b45db8 |
| SHA256 | 6437bd7040206d3f2db734fa482b6e79c68bcc950fba80c544c7f390ba158f9b |
| SHA512 | e4fb8f28dc72ea913f79cedf5776788a0310608236d6607adc441e7f3036d589fd2b31c446c187ef5827fd37dcaa26d9e94d802513e3bf3300e94dd939695b30 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\tk.tcl
| MD5 | 3250ec5b2efe5bbe4d3ec271f94e5359 |
| SHA1 | 6a0fe910041c8df4f3cdc19871813792e8cc4e4c |
| SHA256 | e1067a0668debb2d8e8ec3b7bc1aec3723627649832b20333f9369f28e4dfdbf |
| SHA512 | f8e403f3d59d44333bce2aa7917e6d8115bec0fe5ae9a1306f215018b05056467643b7aa228154ddced176072bc903dfb556cb2638f5c55c1285c376079e8fe3 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\auto.tcl
| MD5 | 5e9b3e874f8fbeaadef3a004a1b291b5 |
| SHA1 | b356286005efb4a3a46a1fdd53e4fcdc406569d0 |
| SHA256 | f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840 |
| SHA512 | 482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\tclIndex
| MD5 | e127196e9174b429cc09c040158f6aab |
| SHA1 | ff850f5d1bd8efc1a8cb765fe8221330f0c6c699 |
| SHA256 | abf7d9d1e86de931096c21820bfa4fd70db1f55005d2db4aa674d86200867806 |
| SHA512 | c4b98ebc65e25df41e6b9a93e16e608cf309fa0ae712578ee4974d84f7f33bcf2a6ed7626e88a343350e13da0c5c1a88e24a87fcbd44f7da5983bb3ef036a162 |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\charset_normalizer\md__mypyc.cp37-win_amd64.pyd
| MD5 | e82ec44c4814e2a17c1786849292f375 |
| SHA1 | de44bdcf984eb92a343f9a5230275f653d806b56 |
| SHA256 | 3be1963470910839a3560c5838bc2dd780f34d6fb958ad59b8d26fbcf8b89cd5 |
| SHA512 | 0fad111a5e28dfdd8cf74ec87597ca6313fe4849fd068be339060e18c6d4ccb1ca0d79b09e4f5ed3ec2f681a6600fc74c0855c812bc22c134764196360cef50b |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_queue.pyd
| MD5 | c0a70188685e44e73576e3cd63fc1f68 |
| SHA1 | 36f88ca5c1dda929b932d656368515e851aeb175 |
| SHA256 | e499824d58570c3130ba8ef1ac2d503e71f916c634b2708cc22e95c223f83d0a |
| SHA512 | b9168bf1b98da4a9dfd7b1b040e1214fd69e8dfc2019774890291703ab48075c791cc27af5d735220bd25c47643f098820563dc537748471765aff164b00a4aa |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\encoding\cp1252.enc
| MD5 | 5900f51fd8b5ff75e65594eb7dd50533 |
| SHA1 | 2e21300e0bc8a847d0423671b08d3c65761ee172 |
| SHA256 | 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0 |
| SHA512 | ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc |
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_tkinter.pyd
| MD5 | 09f66528018ffef916899845d6632307 |
| SHA1 | cf9ddad46180ef05a306dcb05fdb6f24912a69ce |
| SHA256 | 34d89fe378fc10351d127fb85427449f31595eccf9f5d17760b36709dd1449b9 |
| SHA512 | ed406792d8a533db71bd71859edbb2c69a828937757afec1a83fd1eacb1e5e6ec9afe3aa5e796fa1f518578f6d64ff19d64f64c9601760b7600a383efe82b3de |
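ScanIP.exe is a PyInstaller one-file bundle: the "Detects Pyinstaller" signature in the overview, the self re-execution (PID 4252 writing into 3996) and the `_MEI42522` extraction directory under Temp all fit. The bootloader names that directory `_MEI` followed by the parent process ID and a short attempt counter, which is why `_MEI42522` lines up with PID 4252. The dropped-file list alone says a lot about what the tool can do before anyone unpacks the binary: python37.dll fixes the interpreter at 3.7, the `cp37-win_amd64` ABI tag gives 64-bit, `_socket` and `_ssl` mean it talks to the network, `_tkinter` plus the tcl/tk data mean it has a GUI, and `charset_normalizer`, `psutil` and `PIL` are third-party packages (charset_normalizer normally arrives as a dependency of `requests`). The Python below is added as a worked example, not part of this report or of any tool it names; it derives that profile from a list of dropped paths. The path subset and PID set are constructed from this run's rows.

```python
"""Profile PyInstaller one-file extraction directories (_MEI*) from the dropped
file paths a sandbox report lists, without touching the binary itself."""
import re
from pathlib import PureWindowsPath

# Constructed subset of the behavioral26 'Files' section.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\python37.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\python3.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\base_library.zip",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\_socket.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\_ssl.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\_tkinter.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\charset_normalizer\md.cp37-win_amd64.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\psutil\_psutil_windows.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\PIL\_imaging.cp37-win_amd64.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\tcl\init.tcl",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI42522\tk\tk.tcl",
]
# PIDs that appear in this run's process rows (ScanIP.exe parent and child).
OBSERVED_PIDS = {4252, 3996}

MEI_DIR = re.compile(r"^_MEI(\d+)$")
PY_DLL = re.compile(r"^python(\d)(\d+)\.dll$", re.I)   # python37.dll, not python3.dll
ABI_TAG = re.compile(r"\.cp(\d)(\d+)-win_(amd64|32)\.pyd$", re.I)
TCL_DIRS = {"tcl", "tk", "tcl8"}  # Tk runtime data, not Python packages


def find_bundles(paths):
    """Group paths by their _MEI<digits> directory; values are relative parts."""
    bundles = {}
    for p in paths:
        parts = PureWindowsPath(p).parts
        for i, part in enumerate(parts):
            m = MEI_DIR.match(part)
            if m:
                b = bundles.setdefault(part, {"digits": m.group(1), "files": []})
                b["files"].append(parts[i + 1:])
                break
    return bundles


def resolve_pid(digits, observed_pids):
    """_MEI<pid><counter>: longest digit prefix that is a PID seen in the run."""
    for k in range(len(digits), 0, -1):
        if int(digits[:k]) in observed_pids:
            return int(digits[:k]), digits[k:]
    return None, None


def profile(name, bundle, observed_pids):
    pid, attempt = resolve_pid(bundle["digits"], observed_pids)
    version = arch = None
    packages, native = set(), set()
    for rel in bundle["files"]:
        if not rel:
            continue
        top, leaf = rel[0], rel[-1]
        if m := PY_DLL.match(leaf):
            version = f"{m.group(1)}.{m.group(2)}"
        if m := ABI_TAG.search(leaf):
            version = version or f"{m.group(1)}.{m.group(2)}"
            arch = "x64" if m.group(3).lower() == "amd64" else "x86"
        if len(rel) > 1 and top not in TCL_DIRS:
            packages.add(top)                  # package directory (third-party or stdlib)
        elif len(rel) == 1 and leaf.lower().endswith(".pyd"):
            native.add(leaf.split(".")[0])     # top-level C extension module
    return {
        "bundle": name, "pid": pid, "attempt": attempt,
        "python": version, "arch": arch,
        "packages": sorted(packages), "native_modules": sorted(native),
        "network_capable": {"_socket", "_ssl"} <= native,
        "has_gui": "_tkinter" in native,
    }


def profile_all(paths, observed_pids):
    return [profile(n, b, observed_pids) for n, b in find_bundles(paths).items()]


if __name__ == "__main__":
    for p in profile_all(DROPPED, OBSERVED_PIDS):
        print(p)
```

The PID is recovered by matching against PIDs the run actually reported rather than by assuming a fixed digit split, because `_MEI42522` on its own is ambiguous. Once the interpreter version is known, the matching `base_library.zip` and the `.pyc` headers in the archive can be decompiled with tooling for that exact version.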
Analysis: behavioral30
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:14
Platform
win10v2004-20240709-en
Max time kernel
1366s
Max time network
1155s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\nVNC\input\passwords.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:21
Platform
win10v2004-20240709-en
Max time kernel
1359s
Max time network
1150s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\password.txt
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:01
Platform
win10v2004-20240709-en
Max time kernel
1365s
Max time network
1151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\AxInterop.MSTSCLib.dll",#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:03
Platform
win10v2004-20240709-en
Max time kernel
1365s
Max time network
1156s
Command Line
Signatures
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe
"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"
C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe
"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI48042\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48042\python37.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48042\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48042\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI48042\python3.DLL
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_tkinter.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\encoding\cp1252.enc
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI48042\charset_normalizer\md.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\charset_normalizer\md__mypyc.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\psutil\_psutil_windows.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\PIL\_imaging.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\init.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\icons.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\panedwindow.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\menu.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\listbox.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\entry.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\button.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\opt0.4\pkgIndex.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\http1.0\pkgIndex.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\pkgIndex.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\package.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl8\8.5\msgcat-1.6.1.tm
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\tm.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tk\tk.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\auto.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI48042\tcl\tclIndex
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:04
Platform
win10v2004-20240709-en
Max time kernel
1750s
Max time network
1141s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ScanIP.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:04
Platform
win10v2004-20240709-en
Max time kernel
1342s
Max time network
1135s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1552 wrote to memory of 1444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1552 wrote to memory of 1444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1552 wrote to memory of 1444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 648
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:07
Platform
win10v2004-20240709-en
Max time kernel
1657s
Max time network
1152s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\NL Brute 2\settings.ini"
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:20
Platform
win10v2004-20240709-en
Max time kernel
1701s
Max time network
1152s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3564 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe |
| PID 3564 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe |
| PID 3564 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe |
| PID 400 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 400 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 400 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe
"C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe"
C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe
"C:\Users\Admin\AppData\Local\Temp\nVNC\nvnc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CLS
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI35642\nvnc.exe.manifest
C:\Users\Admin\AppData\Local\Temp\_MEI35642\python27.dll
C:\Users\Admin\AppData\Local\Temp\_MEI35642\_socket.pyd
memory/400-19-0x0000000000CA0000-0x0000000000CAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI35642\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI35642\_ctypes.pyd
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 08:31
Platform
win10v2004-20240729-en
Max time kernel
424s
Max time network
426s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Full Tool Scan VPS.zip"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:02
Platform
win10v2004-20240709-en
Max time kernel
1665s
Max time network
1160s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\RestSharp.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:05
Platform
win10v2004-20240709-en
Max time kernel
1368s
Max time network
1159s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe
"C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ipdeny.com | udp |
| NL | 51.15.12.186:80 | www.ipdeny.com | tcp |
| NL | 51.15.12.186:443 | www.ipdeny.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.12.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:06
Platform
win10v2004-20240704-en
Max time kernel
1365s
Max time network
1160s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\final.ini
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:02
Platform
win10v2004-20240709-en
Max time kernel
1362s
Max time network
1153s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1908 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe |
| PID 1908 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe |
| PID 1908 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4040 -ip 4040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1164
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe
| MD5 | 43e6a8477f860a82dd1dbd8606e15d76 |
| SHA1 | f0f1ab3a7907191816c8781b4065034e991201dc |
| SHA256 | e2bad47239cd4180d0a1b98f404791fceaf9b1192273ccef07708ff80606574e |
| SHA512 | 77dfcaccee0d716eba878a069d1865ee737439d03d499b87ca1466d6889097ad5f33532579151b970ee4ed26c13396ecc3cf1593193910b8b490ace44f5af584 |
memory/4040-12-0x00000000736FE000-0x00000000736FF000-memory.dmp
memory/4040-13-0x0000000000250000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | 3b73078a714bf61d1c19ebc3afc0e454 |
| SHA1 | 9abeabd74613a2f533e2244c9ee6f967188e4e7e |
| SHA256 | ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29 |
| SHA512 | 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4 |
memory/4040-47-0x00000000736F0000-0x0000000073EA0000-memory.dmp
memory/1908-115-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1908-116-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1908-118-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:04
Platform
win10v2004-20240729-en
Max time kernel
1326s
Max time network
1150s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\MSEDGE~3.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MIA062~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13195~1.15\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI9C33~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\msedge.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4796 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe |
| PID 4796 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe |
| PID 4796 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe
"C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe
| MD5 | c0a8af17a2912a08a20d65fe85191c28 |
| SHA1 | 0fbc897bf6046718524d05b6bc144c3785224802 |
| SHA256 | 080c6108c3bd0f8a43d5647db36dc434032842339f0ba38ad1ff62f72999c4e5 |
| SHA512 | bd6b67a2f285a5634c5d38f742d5528a661414d3fb88f8065433f6a6a1a3a3f707dede9be7bda9bac9327240422c2314081d0a9eb9b6bc61687465ac96868ef9 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | 3b73078a714bf61d1c19ebc3afc0e454 |
| SHA1 | 9abeabd74613a2f533e2244c9ee6f967188e4e7e |
| SHA256 | ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29 |
| SHA512 | 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:02
Platform
win10v2004-20240709-en
Max time kernel
1360s
Max time network
1153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\Interop.MSTSCLib.dll",#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:05
Platform
win10v2004-20240709-en
Max time kernel
1755s
Max time network
1149s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe
"C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe"
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:06
Platform
win10v2004-20240709-en
Max time kernel
1341s
Max time network
1130s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\options.ini
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:06
Platform
win10v2004-20240709-en
Max time kernel
1369s
Max time network
1157s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ScanIP.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:07
Platform
win10v2004-20240709-en
Max time kernel
1790s
Max time network
1166s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3648 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe | C:\Windows\system32\cmd.exe |
| PID 3648 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe
"C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7733.tmp\7734.tmp\7735.bat C:\Users\Admin\AppData\Local\Temp\UsefulRDPScript.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\7733.tmp\7734.tmp\7735.bat
| MD5 | 78814a514c34812d96730e940f1e6333 |
| SHA1 | 8f13c95b7048f32e708c7f0ae2764dd73fe9ba6b |
| SHA256 | adbbdb4da2905a476b84ef57390c51ee26617eba55802998e83ff5d33b92fdc7 |
| SHA512 | d1dd81c1401c6024c358bfbefa38c4b459961ec354c5bffe25b3f390ca691a1b040b313aefcef537a79a14e3f20e8bfb0164e5ac2d4019bf6c9677ac41603f67 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:12
Platform
win10v2004-20240709-en
Max time kernel
1365s
Max time network
1156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nVNC\bin\config.conf
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:03
Platform
win10v2004-20240709-en
Max time kernel
1663s
Max time network
1157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\SkinSoft.VisualStyler.dll",#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-30 08:20
Reported
2024-07-30 09:05
Platform
win10v2004-20240709-en
Max time kernel
1364s
Max time network
1155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4012 wrote to memory of 3540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4012 wrote to memory of 3540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4012 wrote to memory of 3540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3540 -ip 3540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 600
Network
| Country | Destination | Domain | Proto |