Analysis Overview
SHA256
5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350
Threat Level: Known bad
The file 5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Gathers network information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-28 22:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-28 22:17
Reported
2024-09-28 22:20
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1344 created 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\QWLVPM~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\tnlupe.mp3" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
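The Run value in the row above is the sample's persistence: a copy of the renamed loader under %APPDATA%\wlnk, registered as "WindowsUpdate", that re-launches with the .mp3 payload file as its argument. The following is an added example, not part of the sandbox report, that parses the indicator exactly as the report prints it and flags the traits a responder checks on such a value: image under a user-writable path, 8.3 short name, a data-extension file passed as argument, a value name that imitates a Windows component, and the Wow6432Node key that shows a 32-bit process writing a machine-wide Run entry. The regex, the directory list, the extension list and the flag names are assumptions of the example.

```python
"""Triage a sandbox 'Adds Run key' indicator for persistence red flags.

Added example; the indicator format, directory list and flag names are
assumptions made here, not anything the sandbox itself defines.
"""
import re

# Constructed sample in the shape the report prints the indicator: registry
# path, value name, then the quoted data with backslashes doubled.
SAMPLE_INDICATOR = (
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\QWLVPM~1.EXE'
    r' C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\tnlupe.mp3"'
)

# key = everything up to the last backslash before ' = "', name = last segment.
INDICATOR_RE = re.compile(r'^(?P<key>\\REGISTRY\\.*)\\(?P<name>[^\\]+?) = "(?P<data>.*)"$')

USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
DATA_EXTS = (".mp3", ".3gp", ".jpg", ".bmp", ".xls", ".ppt", ".msc", ".bin", ".das", ".lmk", ".xl")
SYSTEM_NAMES = ("windows", "microsoft", "update", "defender", "security")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def split_command(data: str):
    """Split Run-value data into (image, args), honouring a quoted image path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    parts = data.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def analyze_run_indicator(line: str) -> dict:
    """Parse one indicator line and return the parsed fields plus a flag list."""
    m = INDICATOR_RE.match(line)
    if not m:
        raise ValueError("not a Run-key indicator line")
    key, name = m["key"], m["name"]
    data = m["data"].replace("\\\\", "\\")  # undo the report's doubled backslashes
    image, args = split_command(data)
    image_l = image.lower()
    flags = []
    if any(d in image_l for d in USER_WRITABLE):
        flags.append("image_in_user_writable_dir")
    if re.search(r"~\d+\.", image_l.rsplit("\\", 1)[-1]):
        flags.append("image_uses_8dot3_short_name")
    if any(tok.lower().endswith(DATA_EXTS) for tok in args.split()):
        flags.append("arg_is_non_executable_extension")
    if any(s in name.lower() for s in SYSTEM_NAMES) and not image_l.startswith(TRUSTED_PREFIXES):
        flags.append("value_name_impersonates_windows_component")
    if "\\wow6432node\\" in key.lower():
        flags.append("written_by_32bit_process_to_hklm")
    return {"key": key, "value_name": name, "image": image, "args": args, "flags": flags}


if __name__ == "__main__":
    for field, value in analyze_run_indicator(SAMPLE_INDICATOR).items():
        print(f"{field}: {value}")
```

On a live host the same value is read from HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (reg query or Get-ItemProperty); the 8.3 short name QWLVPM~1.EXE resolves to the copied loader in %APPDATA%\wlnk, which is the artefact to collect alongside tnlupe.mp3.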
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2712 set thread context of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe | "C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rmxb.vbe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig /release |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3 |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /release |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | qwlvpmrupf.mp3 tnlupe.mp3 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig /renew |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /renew |
| C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe" |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
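The SetThreadContext and NtCreateUserProcessOtherParentProcess rows in this run describe one chain: the renamed loader (PID 2712) rewrites a thread context in the dropped RegSvcs.exe (PID 1344), and that same PID then creates a child whose parent is recorded as another process. The following added example, not part of the report, reconstructs that chain from rows in the report's own shape and lists which memory dumps belong to the hollowed host. It reads the Process column as the image of the PID that acted and the Target column as the other image, and reads "PID 1344 created 1216" as PID 1344 creating a child with PID 1216 (Explorer.EXE) set as its parent; that reading, the regexes and the output field names are assumptions of the example.

```python
"""Reconstruct the injection chain from sandbox signature rows.

Added example, not part of the sandbox report. Assumes the row layout
(signature, description, process image, target image) and reads
'PID A set thread context of B' as A injecting into B, and
'PID A created B' as A spawning a child with B set as its parent.
"""
import re

SET_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
CREATED_RE = re.compile(r"PID (\d+) created (\d+)")

# Constructed sample rows in the shape of the report's signature tables,
# in the order the report lists them.
SAMPLE_ROWS = [
    ("Suspicious use of NtCreateUserProcessOtherParentProcess",
     "PID 1344 created 1216",
     r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe",
     r"C:\Windows\Explorer.EXE"),
    ("Suspicious use of SetThreadContext",
     "PID 2712 set thread context of 1344",
     r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3",
     r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"),
]
# Memory dump names as the report lists them; the PID is the first number.
SAMPLE_DUMPS = [
    "memory/1344-128-0x0000000000290000-0x00000000008EF000-memory.dmp",
    "memory/2780-144-0x0000000000080000-0x0000000000089000-memory.dmp",
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dump_pid(name: str) -> int:
    """'memory/1344-128-0x...-memory.dmp' -> 1344"""
    return int(name.split("/", 1)[1].split("-", 1)[0])


def triage_injection(rows, dumps) -> dict:
    hosts, creators, findings = {}, {}, []
    # Pass 1: thread-context rewrites mark the hollowed hosts (order-independent).
    for sig, desc, proc, target in rows:
        m = SET_CTX_RE.search(desc)
        if m and "SetThreadContext" in sig:
            injector, host = int(m[1]), int(m[2])
            hosts[host] = target
            findings.append(f"{basename(proc)} ({injector}) rewrote a thread context in "
                            f"{basename(target)} ({host}): treat {host} as hollowed")
    # Pass 2: creations under a foreign parent, tied back to the hosts.
    for sig, desc, proc, target in rows:
        m = CREATED_RE.search(desc)
        if m and "OtherParentProcess" in sig:
            creator, parent = int(m[1]), int(m[2])
            creators[creator] = (parent, target)
            role = "hollowed host" if creator in hosts else "process"
            findings.append(f"{basename(proc)} ({creator}, {role}) spawned a child recorded under "
                            f"{basename(target)} ({parent}): PPID spoofing, child's tree looks benign")
    dump_pids = {dump_pid(d) for d in dumps}
    return {
        "hollowed_hosts": sorted(hosts),
        "spoofing_creators": sorted(creators),
        # True when the injected host is the one doing the spoofed creation.
        "chain_complete": any(c in hosts for c in creators),
        "dumps_to_collect": sorted(dump_pids & set(hosts)),
        "unexplained_dump_pids": sorted(dump_pids - set(hosts)),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage_injection(SAMPLE_ROWS, SAMPLE_DUMPS)
    for line in result["findings"]:
        print("-", line)
    print("dump PIDs to pull:", result["dumps_to_collect"],
          "| dumped PIDs no signature explains:", result["unexplained_dump_pids"])
```

The second dumped PID (2780) is not named by any signature row, so the example reports it separately; it has to be matched against the process table by hand (in this run the only process started after RegSvcs.exe is dialer.exe).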
Network
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rmxb.vbe
| MD5 | be932d231ef60dcf6ad6c579873b550c |
| SHA1 | ca37ae517c7d341e008cbd71beab29aca839002c |
| SHA256 | d47ed1047e043162e221d1a21b5e19d8a24641442bcb17c6c8a51f9456998751 |
| SHA512 | 21385ada5436112899aaa4651a6d561499735e6e59674258c9de6b38a50e671276ae9e8b5c7f70e60321cf41846ae34e299d179fbf6226027d9a9c99751ad09b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
| MD5 | 0adb9b817f1df7807576c2d7068dd931 |
| SHA1 | 4a1b94a9a5113106f40cd8ea724703734d15f118 |
| SHA256 | 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b |
| SHA512 | 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uraspfn.bin
| MD5 | f1d3c3dae4987deb8f2b79c08da81b67 |
| SHA1 | f5809aebc70a2f23c8ee6b466b5293199545bcf4 |
| SHA256 | fd491ea65d887c3f3fc2aac3197280e4135c8f571b7d6df63212097783254ea5 |
| SHA512 | e552d8114e09ab7655e7fcb1549e1f18b3027558024a0e565a1261f7f075e56ce40b37fe70893875da75ca298bf174940756b91ffbf8e991b13bc02da3d4c00c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\anxv.ppt
| MD5 | d391f8b614a342cff9fcbf8f4e41c934 |
| SHA1 | fc045f44973b9000f63808abd1e59c66ed6755b7 |
| SHA256 | 36568784a413d46056fac31e259c41f4429f08b1564a72ceb777cc80a0aa9f1c |
| SHA512 | e446d6f17e9765ac260f4bd429ffe901c47c46fdfdefba25269a33e570e98b24469b529b815322e1d17ae3b4589ecf5561519d39d3ad65fd164aa8fca50e62ad |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bvtesegdgq.3gp
| MD5 | c3a02fe4f358078606a02b7d8c069957 |
| SHA1 | 4cb6fc80ac829fcdb8088cc95f6c109c719cfa5d |
| SHA256 | d8abe1326e449ca4d9c330a900ce393ee32101793d91e7f556d0c87e77adba0c |
| SHA512 | c016ded65e5a728e3eff1e66ae913ff81677b197b4c809a9f9e509304dc2747a581597760b0d4b79e60c03647dc3569cae21c413152c6e4af8b4dede10e8bb9d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crbvulcpak.msc
| MD5 | 83ca8d8bac38af12453f9d9ff1d02916 |
| SHA1 | dcc6e7ab9858eb9ff63f4cd2dd7e9b84ec694a22 |
| SHA256 | 58412d427987a11c362fc7d921804f58277c3a5e4ea7ce98d4dc260e9aeb6302 |
| SHA512 | 1bf89f1196b9c41e5781f118ce657aec2194d48b0c4d15672a55093778c660e609626a9e5ea5336064590a9bd21f8fa1d9cf6f6435e866a0facf50e438d5d3f0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iutol.das
| MD5 | 8344337d8607eef8ba26fc751f8e0122 |
| SHA1 | 2ab2afce50e3553637aec0b5a65aa2e72d0ce51a |
| SHA256 | ecb2d582d697d033a5e5bd06387df5725af74707c0e4b596d564be2bdb1221a7 |
| SHA512 | da3cab35922c97d3d03c073f51915792278919775c9690ad95a8bd7143cd45a5b0fcbb5216ed53dfc3eee1265bb91ddcdd875699ab23b3d95fccc991190caf2b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jmfhuve.bin
| MD5 | 73cdc398766b26d5b3fc2a732b633e80 |
| SHA1 | 4e8178167362c791d19b8dd90284751e6294c041 |
| SHA256 | d078345688738bc731ee73004ac6ad2670cfd6343b570fa5b7c0ab7ad30f0b48 |
| SHA512 | ab55cecf628450ee0e07591c8a6b7e1ebd6f1e1ff0c3184a14bf297c64153c8507b331a391020a5068d7c23cb55e73125e7582d204ce6f5c1e26f3ee3cd32705 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jwphnktqhh.xl
| MD5 | 25b3d4f1279923fd4780981605bce9fb |
| SHA1 | 12257bd64a5ab12eafd4679bdbdf9bcf2903b160 |
| SHA256 | df4f76d702170095fa752d69f1ab793604e9dcce7adcad7c83fdae623f0c0093 |
| SHA512 | f3579a94ebabd59b055d7170e3f9fbaec7d645e3cbe0eff514413621fec6811fb07264e4a5048222e8a84bdeb671d7580989b7e2d6b8987795782b4c7c7e9920 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ldrtopp.msc
| MD5 | ac53ee172cc20f1bc979fd4710cbfa00 |
| SHA1 | 5c83524e42270883ff05c434f3ab62ada8931f51 |
| SHA256 | 774c4cc458e33020b29fa28fc91db540c86f55142d716ca1613da20670435198 |
| SHA512 | 70df2bfe2300aae5bec804e7f0235c1b9601fc1447df84248b6eff030a4f36b908d00d089911d082c7ca10f7f9d30239b1414b754b32cb1adc8f8a5a7286341d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ltmdgplto.3gp
| MD5 | 62a55b40d10bc4ccdf643e624b90d003 |
| SHA1 | 1aafd527e1b40b555b1e68e1f6d9f6c594586913 |
| SHA256 | 9401c3d0cbd1fbb5fb740ea9eff7b4f7af764574a6cbc487c97f99f610ba9852 |
| SHA512 | 421b3694a2f2e080a03459973fe05a2b23f4fa67323529ee8d9afdb6b5e9b8d082193a31f7c2b58d3368158fcdef49d60dbabd3a4f7e656c8ed5b3b95f6bb181 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nbmn.lmk
| MD5 | 35a5cc0e4d021890e72a070ee02dfdc4 |
| SHA1 | ba20de52cdc21e3d8bd69470381b7d0cb53f1d05 |
| SHA256 | 51e725c19b88d14e3d978b54d810398993242c959145f323fde92cfa55557ada |
| SHA512 | afe5510b3a27cf5e308cde1e000289777ab9cfd592052b37c990028f51f4d5113e15fccf7b13cf9a13ed06e3d134ed2009bbd18ddd5b508fa20d050d8d2719c2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nhjdnx.3gp
| MD5 | e3c40d261a890a50e8616efbce725df6 |
| SHA1 | 51087dd64e5c3f673c47a3b03ccaffadb77dce6d |
| SHA256 | a1c8b7a1408638a385956edaaf4ec1defb98e94784a5aeaec9f63fd24cf3f83b |
| SHA512 | 114de87085139632a912f2bdc2700eb60f166623641c460e818ce7a29edc2dac24f9c01b186cfb268976b7605fe496addb4300e6ec20507b101659df2add69f8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\opioxoqv.bmp
| MD5 | c4cea733ef0f8c84e8c7081cdcb01b5e |
| SHA1 | 66050a0f1a5c5a17532e8d449573a31be8e8c693 |
| SHA256 | b75166289cc3acd2e7ecb722f91792cead7bccbe5d230a3aaf211c2027f7e8b4 |
| SHA512 | 013a885c743cae8bc941d76374745d18498cf5f53aeb7c4e02232130a552cc1553c2d3051d85b0494033da2f5367ba078333659823a7ac236254420eea0706da |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qbjid.xls
| MD5 | 4c854c21a4e83906af7ae0b83d1d797b |
| SHA1 | 52a423c95344186d45c66780cd55890820e755e0 |
| SHA256 | 613c53a8e742366747a9253dd19fab2527258f08e40699aaab85d920787a717b |
| SHA512 | bfea86080cffec1e69ec7f5a1371796a656b8a129a1fef437fadc8d170cdfd07c6f1ba514fcd14a138d943d89e26621686c366592d9bf6890c83c22a0efa1963 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qlgigdt.xls
| MD5 | 135f39e327b474dfcf9139f5a9de5a9b |
| SHA1 | 0d70afd4762c1296355dd9e7579eb57b833d4c0c |
| SHA256 | 0988ff10c9f291f32009ca04929c0156a0e10c5003d30ae266b865e56c064b17 |
| SHA512 | 4cd5747c41ef013c5cc884536864c35c45beeb3fbb794ca6cd891c1f787ace6a261a0b2e45bbc87677cf6540e5413564d98c2510ee30ec163e8ee3d0e4863e2b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qlmgqepgjl.xls
| MD5 | 0e969295487775daa7d03b33829684f8 |
| SHA1 | 613cf0518a258ce3ed5bb2aac7bac1fda71b1ec4 |
| SHA256 | 5badefdf6c9490d5ed3a5181bb87a30536776827bf7a155957c62b01028fd4fb |
| SHA512 | 7efcfcee6e15af372a6a57f66531feb1c1873dc22399ce05228369ee3e7e49d69453d75d78131d50217761539bfce82245140163c50abafa1790eec69f1665e1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\srnkdleah.exe
| MD5 | 834d7436b1908047fbc4801e3d9ea735 |
| SHA1 | 8cc6441f6a4a65902ae20c8d0d73a59048227253 |
| SHA256 | 056d4c251de76715737124ccb63e6652840ee3ee66a41f45b109b3f413ee864b |
| SHA512 | effc86ef8949e1c231f9c18c807afc39882cafa2beb5e87f10e2ac5d8378d2f2ac3c94679eefcfe9f4af6c260e524bac051fc789d147215ccd552a1d44edae7a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wbaxv.jpg
| MD5 | 4daa3e600c4d2c162ffe78c5df68ab8e |
| SHA1 | c1f052eb1577599b89b70ae99bd9e6c8dde4f822 |
| SHA256 | c2b1869137e2e69e3969c50a0918eb71c5797f84faf4093aef0c890957a193ea |
| SHA512 | 35c537693df896c6b62118bd38bbdc6c0b4233c391fa11fec0e49373e08e7baedc9fab07489bc9c55d7d69797820aefc6c21c62b5a8669ee8aef297dbf89ed6f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uraspfn.bin
| MD5 | 5fe3c2e677e90b8971dcaec9d9cf973d |
| SHA1 | cccefd97b61b17f2bc60983d2437925a7b063b20 |
| SHA256 | 762982a2b57b2a93dd63fbf230da414b6c3abc6240d4b0af7bb940dc81b74512 |
| SHA512 | 2c204731cc1bdb18259e737cdce622833367413bf10a75a73e23d3c531e3739093d0e4227c032aab61ea8f26a8d65175ac3072eaf61116ff07bc623e0d402727 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xddkunhuro.msc
| MD5 | 992c91b45a9f3472868d47e61cb8675e |
| SHA1 | fcdfbc8ec428982b4cb0b09fb00244de0bc78073 |
| SHA256 | a8a5116542d33261544e18c4431c11a45f77ab24a7f06a2c1d06480066ec6e62 |
| SHA512 | 24054844512035ab6962f3abe2da36d56ac7e182a72a19d8a38f1c356d7bde30f14fe6fe3ef057c602a73e53a5d9131676c01f1ef99b545877015a4d3243b9eb |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1344-128-0x0000000000290000-0x00000000008EF000-memory.dmp
memory/1344-133-0x0000000000290000-0x00000000008EF000-memory.dmp
memory/1344-131-0x0000000000290000-0x00000000008EF000-memory.dmp
memory/1344-130-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1344-134-0x0000000000290000-0x00000000008EF000-memory.dmp
memory/1344-136-0x0000000000290000-0x0000000000340000-memory.dmp
memory/1344-137-0x00000000009C0000-0x00000000009C8000-memory.dmp
memory/1344-138-0x0000000000A90000-0x0000000000AA0000-memory.dmp
memory/1344-139-0x0000000005260000-0x0000000005660000-memory.dmp
memory/1344-140-0x0000000005260000-0x0000000005660000-memory.dmp
memory/1344-141-0x0000000077820000-0x00000000779C9000-memory.dmp
memory/1344-143-0x00000000760F0000-0x0000000076137000-memory.dmp
memory/2780-144-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2780-146-0x0000000001D00000-0x0000000002100000-memory.dmp
memory/2780-147-0x0000000077820000-0x00000000779C9000-memory.dmp
memory/2780-149-0x00000000760F0000-0x0000000076137000-memory.dmp
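The SFX drops two dozen files with media and document extensions next to a single .exe, yet the file the chain actually executes is qwlvpmrupf.mp3, and srnkdleah.exe never runs. The report lists only hashes, so the following added example (not part of the report; the file contents are constructed stand-ins, not the sample's bytes) shows the check a responder runs on a recovered drop directory: read the MZ stub and the COFF header to decide what each file really is, and report every PE hiding behind a non-executable extension. The helper names and the extension set are assumptions of the example.

```python
"""Find dropped files that are PE images despite a data-file extension.

Added example; the sample bytes below are constructed, not the malware's.
"""
import struct

IMAGE_FILE_MACHINE = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "cpl", "ocx", "drv"}


def make_fake_pe(machine=0x14C, characteristics=0x0102) -> bytes:
    """Constructed stand-in for a PE file: MZ stub whose e_lfanew points at the
    PE signature and a COFF header. Only the fields the check reads are set."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)          # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xE0)


def classify(blob: bytes) -> dict:
    """Identify a PE from its bytes, whatever the file is named."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return {"is_pe": False}
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "note": "MZ stub without a PE header"}
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    return {
        "is_pe": True,
        "arch": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
        "kind": "dll" if chars & IMAGE_FILE_DLL else "exe",
        "linked_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def find_masquerading(files: dict) -> list:
    """Return (name, arch, kind) for every PE whose extension does not say so."""
    hits = []
    for name, blob in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        info = classify(blob)
        if info["is_pe"] and ext not in PE_EXTENSIONS:
            hits.append((name, info["arch"], info["kind"]))
    return hits


# Constructed sample contents: one renamed PE, one real EXE, two genuine data
# files, and a file that starts with MZ but carries no PE header.
SAMPLE_DROP = {
    "qwlvpmrupf.mp3": make_fake_pe(),
    "srnkdleah.exe": make_fake_pe(characteristics=0x0022),
    "wbaxv.jpg": b"\xff\xd8\xff\xe0" + bytes(60),
    "tnlupe.mp3": b"ID3" + bytes(61),
    "opioxoqv.bmp": b"MZ" + bytes(62),
}

if __name__ == "__main__":
    for name, arch, kind in find_masquerading(SAMPLE_DROP):
        print(f"{name}: {arch} {kind} behind a data extension")
```

Run against the real RarSFX0 directory, the hits are the files to hash and detonate first; the 8.3 short name in the Run key (QWLVPM~1.EXE) shows the loader is renamed back to .exe when copied to %APPDATA%\wlnk, so both names belong on the IOC list.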
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-28 22:17
Reported
2024-09-28 22:20
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
132s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4760 created 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | C:\Windows\system32\sihost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\QWLVPM~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\wlnk\\tnlupe.mp3" | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2124 set thread context of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe | "C:\Users\Admin\AppData\Local\Temp\5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rmxb.vbe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3004 /prefetch:8 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig /release |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3 |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /release |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | qwlvpmrupf.mp3 tnlupe.mp3 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig /renew |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /renew |
| C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe" |
| C:\Windows\SysWOW64\openwith.exe | "C:\Windows\system32\openwith.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rmxb.vbe
| MD5 | be932d231ef60dcf6ad6c579873b550c |
| SHA1 | ca37ae517c7d341e008cbd71beab29aca839002c |
| SHA256 | d47ed1047e043162e221d1a21b5e19d8a24641442bcb17c6c8a51f9456998751 |
| SHA512 | 21385ada5436112899aaa4651a6d561499735e6e59674258c9de6b38a50e671276ae9e8b5c7f70e60321cf41846ae34e299d179fbf6226027d9a9c99751ad09b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
| MD5 | 0adb9b817f1df7807576c2d7068dd931 |
| SHA1 | 4a1b94a9a5113106f40cd8ea724703734d15f118 |
| SHA256 | 98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b |
| SHA512 | 883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uraspfn.bin
| MD5 | f1d3c3dae4987deb8f2b79c08da81b67 |
| SHA1 | f5809aebc70a2f23c8ee6b466b5293199545bcf4 |
| SHA256 | fd491ea65d887c3f3fc2aac3197280e4135c8f571b7d6df63212097783254ea5 |
| SHA512 | e552d8114e09ab7655e7fcb1549e1f18b3027558024a0e565a1261f7f075e56ce40b37fe70893875da75ca298bf174940756b91ffbf8e991b13bc02da3d4c00c |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bvtesegdgq.3gp
| MD5 | c3a02fe4f358078606a02b7d8c069957 |
| SHA1 | 4cb6fc80ac829fcdb8088cc95f6c109c719cfa5d |
| SHA256 | d8abe1326e449ca4d9c330a900ce393ee32101793d91e7f556d0c87e77adba0c |
| SHA512 | c016ded65e5a728e3eff1e66ae913ff81677b197b4c809a9f9e509304dc2747a581597760b0d4b79e60c03647dc3569cae21c413152c6e4af8b4dede10e8bb9d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\anxv.ppt
| MD5 | d391f8b614a342cff9fcbf8f4e41c934 |
| SHA1 | fc045f44973b9000f63808abd1e59c66ed6755b7 |
| SHA256 | 36568784a413d46056fac31e259c41f4429f08b1564a72ceb777cc80a0aa9f1c |
| SHA512 | e446d6f17e9765ac260f4bd429ffe901c47c46fdfdefba25269a33e570e98b24469b529b815322e1d17ae3b4589ecf5561519d39d3ad65fd164aa8fca50e62ad |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jmfhuve.bin
| MD5 | 73cdc398766b26d5b3fc2a732b633e80 |
| SHA1 | 4e8178167362c791d19b8dd90284751e6294c041 |
| SHA256 | d078345688738bc731ee73004ac6ad2670cfd6343b570fa5b7c0ab7ad30f0b48 |
| SHA512 | ab55cecf628450ee0e07591c8a6b7e1ebd6f1e1ff0c3184a14bf297c64153c8507b331a391020a5068d7c23cb55e73125e7582d204ce6f5c1e26f3ee3cd32705 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iutol.das
| MD5 | 8344337d8607eef8ba26fc751f8e0122 |
| SHA1 | 2ab2afce50e3553637aec0b5a65aa2e72d0ce51a |
| SHA256 | ecb2d582d697d033a5e5bd06387df5725af74707c0e4b596d564be2bdb1221a7 |
| SHA512 | da3cab35922c97d3d03c073f51915792278919775c9690ad95a8bd7143cd45a5b0fcbb5216ed53dfc3eee1265bb91ddcdd875699ab23b3d95fccc991190caf2b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crbvulcpak.msc
| MD5 | 83ca8d8bac38af12453f9d9ff1d02916 |
| SHA1 | dcc6e7ab9858eb9ff63f4cd2dd7e9b84ec694a22 |
| SHA256 | 58412d427987a11c362fc7d921804f58277c3a5e4ea7ce98d4dc260e9aeb6302 |
| SHA512 | 1bf89f1196b9c41e5781f118ce657aec2194d48b0c4d15672a55093778c660e609626a9e5ea5336064590a9bd21f8fa1d9cf6f6435e866a0facf50e438d5d3f0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jwphnktqhh.xl
| MD5 | 25b3d4f1279923fd4780981605bce9fb |
| SHA1 | 12257bd64a5ab12eafd4679bdbdf9bcf2903b160 |
| SHA256 | df4f76d702170095fa752d69f1ab793604e9dcce7adcad7c83fdae623f0c0093 |
| SHA512 | f3579a94ebabd59b055d7170e3f9fbaec7d645e3cbe0eff514413621fec6811fb07264e4a5048222e8a84bdeb671d7580989b7e2d6b8987795782b4c7c7e9920 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ldrtopp.msc
| MD5 | ac53ee172cc20f1bc979fd4710cbfa00 |
| SHA1 | 5c83524e42270883ff05c434f3ab62ada8931f51 |
| SHA256 | 774c4cc458e33020b29fa28fc91db540c86f55142d716ca1613da20670435198 |
| SHA512 | 70df2bfe2300aae5bec804e7f0235c1b9601fc1447df84248b6eff030a4f36b908d00d089911d082c7ca10f7f9d30239b1414b754b32cb1adc8f8a5a7286341d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ltmdgplto.3gp
| MD5 | 62a55b40d10bc4ccdf643e624b90d003 |
| SHA1 | 1aafd527e1b40b555b1e68e1f6d9f6c594586913 |
| SHA256 | 9401c3d0cbd1fbb5fb740ea9eff7b4f7af764574a6cbc487c97f99f610ba9852 |
| SHA512 | 421b3694a2f2e080a03459973fe05a2b23f4fa67323529ee8d9afdb6b5e9b8d082193a31f7c2b58d3368158fcdef49d60dbabd3a4f7e656c8ed5b3b95f6bb181 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nbmn.lmk
| MD5 | 35a5cc0e4d021890e72a070ee02dfdc4 |
| SHA1 | ba20de52cdc21e3d8bd69470381b7d0cb53f1d05 |
| SHA256 | 51e725c19b88d14e3d978b54d810398993242c959145f323fde92cfa55557ada |
| SHA512 | afe5510b3a27cf5e308cde1e000289777ab9cfd592052b37c990028f51f4d5113e15fccf7b13cf9a13ed06e3d134ed2009bbd18ddd5b508fa20d050d8d2719c2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nhjdnx.3gp
| MD5 | e3c40d261a890a50e8616efbce725df6 |
| SHA1 | 51087dd64e5c3f673c47a3b03ccaffadb77dce6d |
| SHA256 | a1c8b7a1408638a385956edaaf4ec1defb98e94784a5aeaec9f63fd24cf3f83b |
| SHA512 | 114de87085139632a912f2bdc2700eb60f166623641c460e818ce7a29edc2dac24f9c01b186cfb268976b7605fe496addb4300e6ec20507b101659df2add69f8 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qlmgqepgjl.xls
| MD5 | 0e969295487775daa7d03b33829684f8 |
| SHA1 | 613cf0518a258ce3ed5bb2aac7bac1fda71b1ec4 |
| SHA256 | 5badefdf6c9490d5ed3a5181bb87a30536776827bf7a155957c62b01028fd4fb |
| SHA512 | 7efcfcee6e15af372a6a57f66531feb1c1873dc22399ce05228369ee3e7e49d69453d75d78131d50217761539bfce82245140163c50abafa1790eec69f1665e1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qlgigdt.xls
| MD5 | 135f39e327b474dfcf9139f5a9de5a9b |
| SHA1 | 0d70afd4762c1296355dd9e7579eb57b833d4c0c |
| SHA256 | 0988ff10c9f291f32009ca04929c0156a0e10c5003d30ae266b865e56c064b17 |
| SHA512 | 4cd5747c41ef013c5cc884536864c35c45beeb3fbb794ca6cd891c1f787ace6a261a0b2e45bbc87677cf6540e5413564d98c2510ee30ec163e8ee3d0e4863e2b |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qbjid.xls
| MD5 | 4c854c21a4e83906af7ae0b83d1d797b |
| SHA1 | 52a423c95344186d45c66780cd55890820e755e0 |
| SHA256 | 613c53a8e742366747a9253dd19fab2527258f08e40699aaab85d920787a717b |
| SHA512 | bfea86080cffec1e69ec7f5a1371796a656b8a129a1fef437fadc8d170cdfd07c6f1ba514fcd14a138d943d89e26621686c366592d9bf6890c83c22a0efa1963 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\opioxoqv.bmp
| MD5 | c4cea733ef0f8c84e8c7081cdcb01b5e |
| SHA1 | 66050a0f1a5c5a17532e8d449573a31be8e8c693 |
| SHA256 | b75166289cc3acd2e7ecb722f91792cead7bccbe5d230a3aaf211c2027f7e8b4 |
| SHA512 | 013a885c743cae8bc941d76374745d18498cf5f53aeb7c4e02232130a552cc1553c2d3051d85b0494033da2f5367ba078333659823a7ac236254420eea0706da |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\srnkdleah.exe
| MD5 | 834d7436b1908047fbc4801e3d9ea735 |
| SHA1 | 8cc6441f6a4a65902ae20c8d0d73a59048227253 |
| SHA256 | 056d4c251de76715737124ccb63e6652840ee3ee66a41f45b109b3f413ee864b |
| SHA512 | effc86ef8949e1c231f9c18c807afc39882cafa2beb5e87f10e2ac5d8378d2f2ac3c94679eefcfe9f4af6c260e524bac051fc789d147215ccd552a1d44edae7a |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xddkunhuro.msc
| MD5 | 992c91b45a9f3472868d47e61cb8675e |
| SHA1 | fcdfbc8ec428982b4cb0b09fb00244de0bc78073 |
| SHA256 | a8a5116542d33261544e18c4431c11a45f77ab24a7f06a2c1d06480066ec6e62 |
| SHA512 | 24054844512035ab6962f3abe2da36d56ac7e182a72a19d8a38f1c356d7bde30f14fe6fe3ef057c602a73e53a5d9131676c01f1ef99b545877015a4d3243b9eb |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wbaxv.jpg
| MD5 | 4daa3e600c4d2c162ffe78c5df68ab8e |
| SHA1 | c1f052eb1577599b89b70ae99bd9e6c8dde4f822 |
| SHA256 | c2b1869137e2e69e3969c50a0918eb71c5797f84faf4093aef0c890957a193ea |
| SHA512 | 35c537693df896c6b62118bd38bbdc6c0b4233c391fa11fec0e49373e08e7baedc9fab07489bc9c55d7d69797820aefc6c21c62b5a8669ee8aef297dbf89ed6f |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uraspfn.bin
| MD5 | 5fe3c2e677e90b8971dcaec9d9cf973d |
| SHA1 | cccefd97b61b17f2bc60983d2437925a7b063b20 |
| SHA256 | 762982a2b57b2a93dd63fbf230da414b6c3abc6240d4b0af7bb940dc81b74512 |
| SHA512 | 2c204731cc1bdb18259e737cdce622833367413bf10a75a73e23d3c531e3739093d0e4227c032aab61ea8f26a8d65175ac3072eaf61116ff07bc623e0d402727 |
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA1 | 1969771b2f022f9a86d77ac4d4d239becdf08d07 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
memory/4760-128-0x0000000000E20000-0x0000000001445000-memory.dmp
memory/4760-131-0x0000000000E20000-0x0000000000ED0000-memory.dmp
memory/4760-132-0x0000000005A60000-0x0000000005AF2000-memory.dmp
memory/4760-133-0x0000000005A00000-0x0000000005A08000-memory.dmp
memory/4760-134-0x0000000005A10000-0x0000000005A20000-memory.dmp
memory/4760-135-0x0000000005CA0000-0x00000000060A0000-memory.dmp
memory/4760-136-0x0000000005CA0000-0x00000000060A0000-memory.dmp
memory/4760-137-0x00007FFDC2EF0000-0x00007FFDC30E5000-memory.dmp
memory/452-140-0x0000000000B10000-0x0000000000B19000-memory.dmp
memory/4760-139-0x00000000750C0000-0x00000000752D5000-memory.dmp
memory/452-143-0x00000000027A0000-0x0000000002BA0000-memory.dmp
memory/452-144-0x00007FFDC2EF0000-0x00007FFDC30E5000-memory.dmp
memory/452-146-0x00000000750C0000-0x00000000752D5000-memory.dmp