Malware Analysis Report

2024-10-19 08:35

Sample ID 240730-lfwk9awbjj
Target 95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28
SHA256 95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28
Tags
discovery neshta persistence spyware stealer pyinstaller office04 upx quasar
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28

Threat Level: Known bad

The file 95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28 was found to be: Known bad.

Malicious Activity Summary

discovery neshta persistence spyware stealer pyinstaller office04 upx quasar

Quasar family

Quasar payload

Detect Neshta payload

Neshta family

Neshta

Reads user/profile data of web browsers

Loads dropped DLL

UPX packed file

Executes dropped EXE

Checks computer location settings

Modifies system executable filetype association

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Detects Pyinstaller

Enumerates physical storage devices

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-30 09:29

Signatures

Detect Neshta payload

Neshta family

neshta

Quasar family

quasar

Quasar payload

UPX packed file

upx

Detects Pyinstaller

pyinstaller

Unsigned PE

NSIS installer

installer

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\Interop.MSTSCLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\Interop.MSTSCLib.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

137s

Max time network

128s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\SkinSoft.VisualStyler.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\SkinSoft.VisualStyler.dll",#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240705-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 228

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240708-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\RestSharp.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\RestSharp.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240704-en

Max time kernel

117s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\SkinSoft.VisualStyler.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\SkinSoft.VisualStyler.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240729-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe

"C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe"

Network

Country Destination Domain Proto

Files

memory/2744-0-0x0000000000E40000-0x0000000000E58000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe

"C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nsdDB7D.tmp\System.dll

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe

"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"

C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe

"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22922\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\python37.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\python3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_tkinter.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl86t.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tk86t.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22922\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\charset_normalizer\md.cp37-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\psutil\_psutil_windows.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\PIL\_imaging.cp37-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl\init.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tk\panedwindow.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tk\menu.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tk\listbox.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tk\entry.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tk\button.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tk\icons.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl\opt0.4\pkgIndex.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl\http1.0\pkgIndex.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tk\pkgIndex.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl\package.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl8\8.5\msgcat-1.6.1.tm

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl\tm.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tk\tk.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl\auto.tcl

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl\tclIndex

C:\Users\Admin\AppData\Local\Temp\_MEI22922\charset_normalizer\md__mypyc.cp37-win_amd64.pyd

MD5 e82ec44c4814e2a17c1786849292f375
SHA1 de44bdcf984eb92a343f9a5230275f653d806b56
SHA256 3be1963470910839a3560c5838bc2dd780f34d6fb958ad59b8d26fbcf8b89cd5
SHA512 0fad111a5e28dfdd8cf74ec87597ca6313fe4849fd068be339060e18c6d4ccb1ca0d79b09e4f5ed3ec2f681a6600fc74c0855c812bc22c134764196360cef50b

C:\Users\Admin\AppData\Local\Temp\_MEI22922\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

141s

Max time network

149s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3584 wrote to memory of 4000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3584 wrote to memory of 4000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3584 wrote to memory of 4000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4000 -ip 4000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 700

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

N/A
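The "Suspicious use of WriteProcessMemory" rows above show the 64-bit C:\Windows\system32\rundll32.exe (PID 3584) writing three times into the 32-bit C:\Windows\SysWOW64\rundll32.exe (PID 4000), which then crashes into WerFault. On 64-bit Windows, rundll32 asked to load a 32-bit DLL relaunches the SysWOW64 copy with the same command line, so writes from the parent into a child it has just created with an identical rundll32 command line are the ordinary WoW64 handoff, not injection into an unrelated process; the crash is what happens when an arbitrary export (here ordinal #1 of a Qt library) is called with rundll32's expected entry-point prototype. The same system32/SysWOW64 rundll32 pair appears in behavioral27 later in this report. The script below is an added triage example, not code from the report or the sandbox vendor: the PIDs, images and command lines are copied from the rows above, while the parent/child link (assumed from the process tree order) and the classification rule are this example's own heuristics.

```python
"""Triage of the rundll32 WriteProcessMemory rows in behavioral18.
Added example: PIDs, images and command lines come from the report;
the parent/child link and the verdict rules are assumptions of this script."""
import re
from dataclasses import dataclass
from typing import Optional

# rundll32 <dll>,<entry>; the DLL path may be quoted (spaces) or bare.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^",\s]+)),(\S+)', re.I)
# One report row: "PID <w> wrote to memory of <t> <indicator> <writer image> <target image>".
WPM_ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+\S+\s+(\S+)\s+(\S+)")


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_pid: Optional[int] = None


@dataclass
class MemWrite:
    writer_pid: int
    target_pid: int
    writer_image: str
    target_image: str


def parse_rundll32(cmdline: str) -> Optional[tuple[str, str, bool]]:
    """Return (dll_path, entry, is_ordinal) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    dll, entry = m.group(1) or m.group(2), m.group(3)
    return dll, entry, entry.startswith("#")


def parse_wpm_row(row: str) -> Optional[MemWrite]:
    """Parse a WriteProcessMemory row as printed in the report. Assumes the two
    image paths contain no spaces (true for the system32/SysWOW64 rows here)."""
    m = WPM_ROW_RE.match(row)
    if not m:
        return None
    return MemWrite(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))


def _dir_and_name(path: str) -> tuple[str, str]:
    parts = path.lower().split("\\")
    return (parts[-2] if len(parts) > 1 else "", parts[-1])


def classify_write(w: MemWrite, procs: dict[int, Proc]) -> str:
    """Heuristic: 64-bit rundll32 writing into the 32-bit rundll32 child it spawned
    with the identical command line is the WoW64 handoff; anything else is a
    genuine cross-process write that deserves a closer look."""
    writer, target = procs.get(w.writer_pid), procs.get(w.target_pid)
    if writer is None or target is None:
        return "unknown-process"
    if (_dir_and_name(writer.image) == ("system32", "rundll32.exe")
            and _dir_and_name(target.image) == ("syswow64", "rundll32.exe")
            and target.parent_pid == writer.pid
            and writer.cmdline.strip().lower() == target.cmdline.strip().lower()):
        return "wow64-handoff"
    return "cross-process-write"


# Data copied from the behavioral18 rows; parent_pid=3584 is assumed from the tree order.
REPORT_CMD = r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1'
PROCS = {
    3584: Proc(3584, r"C:\Windows\system32\rundll32.exe", REPORT_CMD),
    4000: Proc(4000, r"C:\Windows\SysWOW64\rundll32.exe", REPORT_CMD, parent_pid=3584),
}
REPORT_WPM_ROWS = [
    r"PID 3584 wrote to memory of 4000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
] * 3


def triage_report() -> dict[str, int]:
    """Count the verdict for each WriteProcessMemory row of the report."""
    counts: dict[str, int] = {}
    for row in REPORT_WPM_ROWS:
        w = parse_wpm_row(row)
        verdict = classify_write(w, PROCS) if w else "unparsed"
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    dll, entry, ordinal = parse_rundll32(REPORT_CMD)
    print(f"DLL: {dll}  entry: {entry}  ordinal export: {ordinal}")
    print(triage_report())
```

The network rows in this run (reverse lookups of Microsoft address space, g.bing.com, tse1.mm.bing.net) are consistent with the Windows 10 image's own background traffic rather than anything attributable to the DLL; when reading these reports, attribute a connection to the sample only if the process column ties it to a sample-spawned process.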

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240708-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe

"C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ipdeny.com udp
NL 51.15.12.186:80 www.ipdeny.com tcp
NL 51.15.12.186:443 www.ipdeny.com tcp

Files

memory/2968-0-0x00000000740EE000-0x00000000740EF000-memory.dmp

memory/2968-1-0x0000000000BB0000-0x0000000000C0A000-memory.dmp

memory/2968-2-0x00000000740E0000-0x00000000747CE000-memory.dmp

memory/2968-3-0x00000000740E0000-0x00000000747CE000-memory.dmp

memory/2968-4-0x00000000740EE000-0x00000000740EF000-memory.dmp

memory/2968-5-0x00000000740E0000-0x00000000747CE000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240705-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 220

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240704-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 728

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe

MD5 43e6a8477f860a82dd1dbd8606e15d76
SHA1 f0f1ab3a7907191816c8781b4065034e991201dc
SHA256 e2bad47239cd4180d0a1b98f404791fceaf9b1192273ccef07708ff80606574e
SHA512 77dfcaccee0d716eba878a069d1865ee737439d03d499b87ca1466d6889097ad5f33532579151b970ee4ed26c13396ecc3cf1593193910b8b490ace44f5af584

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

memory/2332-12-0x000000007476E000-0x000000007476F000-memory.dmp

memory/2332-13-0x0000000000D50000-0x0000000000F14000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/2332-18-0x00000000005D0000-0x00000000005E0000-memory.dmp

memory/2332-19-0x0000000074760000-0x0000000074E4E000-memory.dmp

memory/2332-20-0x0000000074760000-0x0000000074E4E000-memory.dmp

memory/2332-22-0x0000000074760000-0x0000000074E4E000-memory.dmp

memory/2332-23-0x0000000074760000-0x0000000074E4E000-memory.dmp

memory/2332-25-0x0000000074760000-0x0000000074E4E000-memory.dmp

memory/2332-24-0x0000000074760000-0x0000000074E4E000-memory.dmp

memory/2332-21-0x0000000074760000-0x0000000074E4E000-memory.dmp

memory/2332-26-0x0000000074760000-0x0000000074E4E000-memory.dmp

memory/2332-27-0x0000000074760000-0x0000000074E4E000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2232-105-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2232-107-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2332-108-0x0000000074760000-0x0000000074E4E000-memory.dmp
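The persistence mechanism in behavioral5 (and again in behavioral6 below) is the exefile handler hijack: the sample drops C:\Windows\svchost.com and rewrites HKLM\SOFTWARE\Classes\exefile\shell\open\command from the Windows default "%1" %* to C:\Windows\svchost.com "%1" %*, so every .exe launched on the machine first runs the dropped binary, which then re-drops the original host program under %TEMP%\3582-490\ and runs it. Two things a responder needs from this: a check that tells a clean handler from an interposed one (any program placed before the %1 placeholder), and the warning that deleting svchost.com before restoring the handler leaves a machine on which no .exe launches at all. The script below is an added example, not code from the report or the sandbox vendor: the default handler string, the svchost.com and 3582-490 locations and the dropped-file hash are taken from the report, while the classification rules and the constructed file list are this example's own.

```python
"""Check for the Neshta-style exefile handler hijack recorded in behavioral5/6.
Added example: the indicator values are copied from the report; the verdict
rules and sample inputs are this script's own assumptions."""
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Windows default for HKLM\SOFTWARE\Classes\exefile\shell\open\command (Default).
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Indicators from the report's Signatures / Files sections.
NESHTA_INTERPOSER = r"C:\Windows\svchost.com"
NESHTA_TEMP_DIR = "\\3582-490\\"   # re-dropped host program lives under %TEMP%\3582-490\
NESHTA_HOST_COPY_SHA256 = "e2bad47239cd4180d0a1b98f404791fceaf9b1192273ccef07708ff80606574e"


def split_windows_cmdline(cmd: str) -> list[str]:
    """Minimal tokenizer: whitespace-separated, double-quoted runs kept together.
    Enough for shell\\open\\command values; not a full CommandLineToArgvW."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


@dataclass
class HandlerVerdict:
    hijacked: bool
    interposer: Optional[str]   # program inserted ahead of "%1", if any
    reason: str


def classify_exefile_handler(cmd: str) -> HandlerVerdict:
    """A clean handler starts with the %1 placeholder; anything that runs
    another program first (or drops %1 entirely) is a hijack."""
    tokens = split_windows_cmdline(cmd.strip())
    if not tokens:
        return HandlerVerdict(True, None, "empty handler; .exe launches would fail")
    if tokens[0] == "%1":
        return HandlerVerdict(False, None, "default handler")
    if "%1" in tokens:
        return HandlerVerdict(True, tokens[0], "program interposed before %1")
    return HandlerVerdict(True, tokens[0], "handler never passes %1")


def neshta_file_indicators(paths: list[str]) -> list[str]:
    """Return observed paths matching the report's Neshta drop locations."""
    hits = []
    for p in paths:
        low = p.lower()
        if low.endswith(r"\windows\svchost.com") or NESHTA_TEMP_DIR.lower() in low:
            hits.append(p)
    return hits


def read_live_exefile_handler() -> Optional[str]:
    """Read the machine-wide handler on a Windows host; None on other platforms.
    A per-user override under HKCU\\Software\\Classes\\exefile takes precedence
    and should be checked the same way."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Classes\exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")   # "" selects the (Default) value
        return value


if __name__ == "__main__":
    # Value as written by the sample (the report prints it with escaped backslashes).
    observed = r'C:\Windows\svchost.com "%1" %*'
    v = classify_exefile_handler(observed)
    print(f"{observed!r}: hijacked={v.hijacked} interposer={v.interposer} ({v.reason})")
    # Constructed file list mirroring the report's Files section plus a benign path.
    seen = [r"C:\Windows\svchost.com",
            r"\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe",
            r"C:\Windows\System32\svchost.exe"]
    print("Neshta drop locations present:", neshta_file_indicators(seen))
    live = read_live_exefile_handler()
    if live is not None:
        print("this host:", classify_exefile_handler(live))
```

Remediation order matters: restore the handler to DEFAULT_EXEFILE_COMMAND first, then remove C:\Windows\svchost.com and the %TEMP%\3582-490\ copy, and only then deal with the infected executables listed under "Drops file in Program Files directory" above. Note that svchost.com sits in C:\Windows next to the legitimate C:\Windows\System32\svchost.exe, so match on the full path and the .com extension rather than on the file name alone.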

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

135s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Hit Sender\NLBrute Hit Sender-Checker.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1252 -ip 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1164

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\NLBrute Hit Sender-Checker.exe

MD5 43e6a8477f860a82dd1dbd8606e15d76
SHA1 f0f1ab3a7907191816c8781b4065034e991201dc
SHA256 e2bad47239cd4180d0a1b98f404791fceaf9b1192273ccef07708ff80606574e
SHA512 77dfcaccee0d716eba878a069d1865ee737439d03d499b87ca1466d6889097ad5f33532579151b970ee4ed26c13396ecc3cf1593193910b8b490ace44f5af584

memory/1252-12-0x0000000073B5E000-0x0000000073B5F000-memory.dmp

memory/1252-13-0x0000000000840000-0x0000000000A04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/1252-19-0x00000000052E0000-0x00000000052F0000-memory.dmp

memory/1252-20-0x0000000073B50000-0x0000000074300000-memory.dmp

memory/1252-21-0x0000000073B50000-0x0000000074300000-memory.dmp

memory/1252-23-0x0000000005A00000-0x0000000005A92000-memory.dmp

memory/1252-22-0x0000000005F10000-0x00000000064B4000-memory.dmp

memory/1252-24-0x0000000073B50000-0x0000000074300000-memory.dmp

memory/1252-25-0x0000000073B50000-0x0000000074300000-memory.dmp

memory/1252-26-0x00000000059E0000-0x00000000059EA000-memory.dmp

memory/1252-27-0x0000000073B50000-0x0000000074300000-memory.dmp

memory/1252-28-0x0000000073B50000-0x0000000074300000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

memory/1252-43-0x0000000073B50000-0x0000000074300000-memory.dmp

memory/2596-114-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2596-115-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2596-117-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240729-en

Max time kernel

92s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\msedge.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\126025~1.113\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe

"C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe

MD5 c0a8af17a2912a08a20d65fe85191c28
SHA1 0fbc897bf6046718524d05b6bc144c3785224802
SHA256 080c6108c3bd0f8a43d5647db36dc434032842339f0ba38ad1ff62f72999c4e5
SHA512 bd6b67a2f285a5634c5d38f742d5528a661414d3fb88f8065433f6a6a1a3a3f707dede9be7bda9bac9327240422c2314081d0a9eb9b6bc61687465ac96868ef9

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

memory/1156-115-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1156-116-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1156-118-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

134s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe

"C:\Users\Admin\AppData\Local\Temp\MassScan\Massscan_GUI.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 www.ipdeny.com udp
NL 51.15.12.186:80 www.ipdeny.com tcp
NL 51.15.12.186:443 www.ipdeny.com tcp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 186.12.15.51.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1272-0-0x000000007456E000-0x000000007456F000-memory.dmp

memory/1272-1-0x0000000000650000-0x00000000006AA000-memory.dmp

memory/1272-2-0x0000000005110000-0x00000000051AC000-memory.dmp

memory/1272-3-0x0000000005760000-0x0000000005D04000-memory.dmp

memory/1272-4-0x00000000051B0000-0x0000000005242000-memory.dmp

memory/1272-5-0x0000000005090000-0x000000000509A000-memory.dmp

memory/1272-6-0x00000000053F0000-0x0000000005446000-memory.dmp

memory/1272-7-0x0000000074560000-0x0000000074D10000-memory.dmp

memory/1272-8-0x0000000074560000-0x0000000074D10000-memory.dmp

memory/1272-9-0x000000007456E000-0x000000007456F000-memory.dmp

memory/1272-10-0x0000000074560000-0x0000000074D10000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240729-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe

"C:\Users\Admin\AppData\Local\Temp\MassScan\masscan.exe"

Network

N/A

Files

memory/3016-0-0x0000000000080000-0x0000000000098000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240704-en

Max time kernel

10s

Max time network

19s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\Interop.MSTSCLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\Interop.MSTSCLib.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240708-en

Max time kernel

14s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe

"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"

C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe

"C:\Users\Admin\AppData\Local\Temp\IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)\IP Scanner.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22202\ucrtbase.dll

MD5 637c17ad8bccc838b0cf83ffb8e2c7fd
SHA1 b2dd2890668e589badb2ba61a27c1da503d73c39
SHA256 be7368df484688493fb49fb0c4ad641485070190db62a2c071c9c50612e43fed
SHA512 f6b727c319ca2e85a9b5c5e0b9d8b9023f0cf4193fab983cfa26060923374c6abd6d11db1da2e524a8b04622a4e13beb4c48dc23f98886d4abb33eb09f3a0776

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-localization-l1-2-0.dll

MD5 2395f675152f25bdc501c1b698b3f70a
SHA1 829eb4dee9604330072c124b9bddf4a4e96a7c98
SHA256 4173e50962540ec0708930d7c456164d4e0fa96d49efb034621eb06e67ac0563
SHA512 7c0125e248387d268a337fa2a0090e6b8713e6205d22fb23a4ce9635fb0f5b79a0e3d28aab3050cc0445ef065632052c23341b1ac22dbd947ac4262fd63a1b51

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-processthreads-l1-1-1.dll

MD5 81a255549e9b3467276810f94a67512d
SHA1 c3bf694f5d030d5a29ebb9ae70010be4571cec17
SHA256 8447c3c56f83e5a9407bf446cfc037d149b945611f03798f731e49145fca81c2
SHA512 05e6d83baa20b38d8710ed06c62ef8603c37d70fd0f6036f54a50ad041575d52f23c56bcebb12df8bf7cd9327c46522e59bcda47e2fcabfb0e5c11247708afa4

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-file-l1-2-0.dll

MD5 fa6953700659b11c2d82fb521d2e8664
SHA1 07c7d14fdfd1686a424820f77733d1d4f3c75e31
SHA256 4dcc72554ffaa121decaf6e5bd3081198f017d735a07cc6d23d8a56b1383a61e
SHA512 1300c6ab6377e717dfac9e2f78c1218dee91e8fde25454f65ab32095a949c1be5b67aa3ed1c1d9f78d0c8bc9830f5c1dc0e6e01e91effec20ead6cdd9a3f639f

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-timezone-l1-1-0.dll

MD5 59f3aeb2eda80ffc000b99f27ec99d14
SHA1 2961c514b480424b3512d424dcd7d295477b243a
SHA256 e1c41c6525ed510aa75ec671f86d22a005ffd9a856a74dcf09bf3256e301a8ab
SHA512 ff1980c859c7a23ded484a51e596fd591df855e0266961c4620373d42190152f92df83683779a79561d46bd5d238d7d178cfa2952dee316a742a72835be44992

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-core-file-l2-1-0.dll

MD5 621a34a36c202e4c4e59a6077c22cb5e
SHA1 ec696fd4e8e5935a722e88a551593593a12e882e
C:\Users\Admin\AppData\Local\Temp\_MEI22202\python37.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-process-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-conio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI22202\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22202\python3.DLL

C:\Users\Admin\AppData\Local\Temp\_MEI22202\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22202\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22202\pyexpat.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22202\api-ms-win-crt-utility-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22202\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI22202\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22202\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22202\_tkinter.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI22202\tcl86t.dll

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 236

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240708-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

130s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 2852 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\Packet.dll,#1

Network


Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

135s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 1008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1008 -ip 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 636

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240705-en

Max time kernel

16s

Max time network

18s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\AxInterop.MSTSCLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\AxInterop.MSTSCLib.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

92s

Max time network

125s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\AxInterop.MSTSCLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\AxInterop.MSTSCLib.dll",#1

Network


Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240729-en

Max time kernel

92s

Max time network

97s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\RestSharp.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Hit Sender\RestSharp.dll",#1

Network


Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240704-en

Max time kernel

41s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe

"C:\Users\Admin\AppData\Local\Temp\KPort Scaner\KPortScan V3.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\KPortScan V3.exe


C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe


\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE


memory/2092-83-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2092-84-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2092-85-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2092-87-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

132s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5044 wrote to memory of 4684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MassScan\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4684 -ip 4684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 600

Network


Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240708-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe

"C:\Users\Admin\AppData\Local\Temp\MassScan\winpcap-4.3.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsjD3D5.tmp\System.dll

MD5 5c22bbf6730572e50eed4108af6081df
SHA1 8a13196f4d47ee7de2e35509058db954db10c72a
SHA256 3198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec
SHA512 264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240709-en

Max time kernel

146s

Max time network

153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4584 wrote to memory of 3396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4584 wrote to memory of 3396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4584 wrote to memory of 3396 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtNetwork4.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3396 -ip 3396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 660

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:33

Platform

win7-20240705-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 244

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3348 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3348 wrote to memory of 3276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtCore4.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 648

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-30 09:29

Reported

2024-07-30 09:32

Platform

win7-20240705-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\KPort Scaner\QtGui4.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 280

Network

N/A

Files

N/A