Analysis Overview
SHA256
13397a15736988b52fe1634f0188f2252eeac130650a15385852a7d994eb3af9
Threat Level: Known bad
The file 13397a15736988b52fe1634f0188f2252eeac130650a15385852a7d994eb3af9 was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
PrivateLoader
RedLine payload
Sectoprat family
Privateloader family
Vidar
RedLine
CryptBot
Cryptbot family
Vidar family
SectopRAT
CryptBot payload
Redline family
Nullmixer family
NullMixer
Vidar Stealer
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Runs ping.exe
Checks processor information in registry
Modifies system certificate store
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-06 18:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 18:07
Reported
2024-11-06 18:10
Platform
win7-20240903-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cryptbot family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon142081f7d1.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon1405457e414.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14f300fc2dd97c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon1477ca09a8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14cd02cc767.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon142081f7d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon142ff5ec89a91e09f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon1405457e414.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14f5f58429.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob not shown) | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14f5f58429.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14d14f0985d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14f5f58429.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon142ff5ec89a91e09f.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1405457e414.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14cd02cc767.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon144d62388e7d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1477ca09a8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon142ff5ec89a91e09f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f300fc2dd97c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f5f58429.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon142081f7d1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14d14f0985d.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon1405457e414.exe
Mon1405457e414.exe
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14f5f58429.exe
Mon14f5f58429.exe
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14d14f0985d.exe
Mon14d14f0985d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14f300fc2dd97c.exe
Mon14f300fc2dd97c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon142ff5ec89a91e09f.exe
Mon142ff5ec89a91e09f.exe
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14cd02cc767.exe
Mon14cd02cc767.exe
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon1477ca09a8.exe
Mon1477ca09a8.exe
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon142081f7d1.exe
Mon142081f7d1.exe
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon144d62388e7d.exe
Mon144d62388e7d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon1405457e414.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon1405457e414.exe" -a
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mummia.wmz
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon144d62388e7d.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon144d62388e7d.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 272
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
Prendero.exe.com z
C:\Windows\SysWOW64\PING.EXE
ping JSMURNPT -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 932
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| N/A | 127.0.0.1:49274 | N/A | tcp |
| N/A | 127.0.0.1:49276 | N/A | tcp |
| US | 8.8.8.8:53 | KttDLaDomsPITcsmt.KttDLaDomsPITcsmt | udp |
| SG | 37.0.10.214:80 | N/A | tcp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| HK | 43.240.239.90:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | your-info-services.xyz | udp |
| US | 8.8.8.8:53 | webboutiquestudio.xyz | udp |
| US | 8.8.8.8:53 | yournewsservices.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| SG | 37.0.10.244:80 | N/A | tcp |
| HK | 43.240.239.90:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.237:80 | N/A | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | bunhiv18.top | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 739c9ff1236d3fafaa68d279f1b126b7 |
| SHA1 | 0d27b4f313bb8d324776fcf067adebd3f9e8c53e |
| SHA256 | 36d452657a21c5477f387d83ab923e973a4e3ed8fa9a764741ca75040d725e4d |
| SHA512 | e4c2c086e6f0b8aebe80c4cb484296f8f7de3f59379499d49004be35c9d80f6fab491b49d6ee8c1de4cacdf0979ca135a7811c2a85303fac977ed70691115c5e |
\Users\Admin\AppData\Local\Temp\7zSC487E8B6\setup_install.exe
| MD5 | 9f93f70d65dfcbe1a4f62746fccf0404 |
| SHA1 | 2491ee63a17b3fdfa2186851dfdd926f9903e52e |
| SHA256 | 91aa33387b9e85f299e13c514574b41a905b3c0ee37ab732a23d7660e341b086 |
| SHA512 | accfd48529f44194d07eb5a09dfd03dcf63eb0a1e6662c5c6ead492beb624370007979f571da716214336a0f0616722c8cd98a37f3e5509eee7d40837847c7e6 |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zSC487E8B6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2828-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2828-59-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC487E8B6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14d14f0985d.exe
| MD5 | 408f2c9252ad66429a8d5401f1833db3 |
| SHA1 | 3829d2d03a728ecd59b38cc189525220a60c05db |
| SHA256 | 890db580fac738971bc7c714735ff6f1f2ee31edccd7881044da3e98452af664 |
| SHA512 | d4c89dfd928023b9f4380808b27e032342d2a85963b95bbed3191cc03b455dbc6f5ffecf29828a53b1d9011b3881f1cda9d15d269a2cbcbd4be5c993bcd9643b |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon142ff5ec89a91e09f.exe
| MD5 | d23c06e25b4bd295e821274472263572 |
| SHA1 | 9ad295ec3853dc465ae77f9479f8c4f76e2748b8 |
| SHA256 | f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c |
| SHA512 | 122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon142081f7d1.exe
| MD5 | 12b8842dded9134ad0cae031c4f06530 |
| SHA1 | c0ecd0ac8cf3e4851661f62fe283ecec0e6ca25e |
| SHA256 | abd87ec324df8d74245e1671f21e832b563eb8dc3c13b1688a9e85a2f809fe17 |
| SHA512 | 967d70105549641beaa3283c42143aac22e016c911f99ab1c7ef5b4eff2577790fc679a74af6d2df14e87c278762e2c39c96bbdeabeaa1b62fb9072f0baa1825 |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14f5f58429.exe
| MD5 | cda12ae37191467d0a7d151664ed74aa |
| SHA1 | 2625b2e142c848092aa4a51584143ab7ed7d33d2 |
| SHA256 | 1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e |
| SHA512 | 77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon144d62388e7d.exe
| MD5 | 0a0d22f1c9179a67d04166de0db02dbb |
| SHA1 | 106e55bd898b5574f9bd33dac9f3c0b95cecd90d |
| SHA256 | a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac |
| SHA512 | 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14f300fc2dd97c.exe
| MD5 | df80b76857b74ae1b2ada8efb2a730ee |
| SHA1 | 5653be57533c6eb058fed4963a25a676488ef832 |
| SHA256 | 5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd |
| SHA512 | 060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon1477ca09a8.exe
| MD5 | 3b2ca1aae0f3a277efde19ed66785e07 |
| SHA1 | edfd0bb11c0baec2475149259c8a88a61a669de9 |
| SHA256 | c65369fd8f5f8a6bcee8325879e912f7f5e5f37e40281077a4902668458887b1 |
| SHA512 | 191aa807ec2c9a663eef6439084fcc68cdba245d9924773d65f42286af1df31238931425de1c18a4b643c7cd9ac4e98e638994630af440b7a1556c1497c8bb25 |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon14cd02cc767.exe
| MD5 | 742fbfe1027ba9a490c1b41716b9a09b |
| SHA1 | 31257a6c9e52128368c615ee05a6ffe99536c565 |
| SHA256 | 1108105d3a999595c317b6d1ea8b997b25aef1cb0f71c95e5c5c13564f4f309a |
| SHA512 | b4d1433e0b73a25340fdbf5af69f09ced3f371862f077898904bdf530f50f6d7b9b8bfc58b8c0d63e5c443ab5602ef1cb8d332f4cee3527c8db8acf322f5116a |
C:\Users\Admin\AppData\Local\Temp\7zSC487E8B6\Mon1405457e414.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\CabC18D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC1AF.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\Xw7Qduq\_Files\_Information.txt
| MD5 | 23cb336dcb8f7daf727fee7dd1d10a7d |
| SHA1 | d1ae985cee8e3313e9c5e65bcf0b584037c880e4 |
| SHA256 | fd07ffa1ce6f7af2f6bd4da34373f66e63ec3293e03b6f60309df841602ba702 |
| SHA512 | 7eb12e09f0d401a1274eacedd0c09d28728db9a35f747608cbe362aeb25a532091711984a716151c80560be27de3bcc509dd6149c4f4f56dd3c391b8d996e1fe |
C:\Users\Admin\AppData\Local\Temp\Xw7Qduq\files_\system_info.txt
| MD5 | ba0d85c5736021ca3be7cf5d5932f7f4 |
| SHA1 | 8177d35f0addbd8523fe466a80f89c51d088f3ac |
| SHA256 | 6616cbf2f31bc3788924c765bc89ff85d7becec0ef1378b6af7749b3a628d8bb |
| SHA512 | d0491e6c94768722406273d5fe30c822396f5d6c37fa734a7c5413034d05d68f88ecc90c9d0f34148fd6d0d0228e31834587ea4da14a6dddfefd97d4cb84865c |
C:\Users\Admin\AppData\Local\Temp\Xw7Qduq\_Files\_Screen_Desktop.jpeg
| MD5 | 49fcb6a7587a19c9e88ee4ebd12ed8f3 |
| SHA1 | ee81ef484b4d561e2f8773edb93fcf25292d6a53 |
| SHA256 | 0ae7385d968d6b3f0efee3bac6d05b53774897225b92d8840e41dc37280bd10e |
| SHA512 | 2db5faf30bd5f62188174ea014b8fa7e376d87455715e72c2297c73235a95553e84a6076a88d6089faafeb02818eba1aab60e58e88ed5d3a70a78d41cd07202d |
C:\Users\Admin\AppData\Local\Temp\Xw7Qduq\_Files\_Files\LockRestore.txt
| MD5 | 215b4ee5a991a423874097180fec7816 |
| SHA1 | 48572932860519a25f679566eeb9672aa254e11b |
| SHA256 | 19b3cb15b9edc501eb426e046c053ab62801e12425bce43cc894bd00d7d143a9 |
| SHA512 | 08978d9f23f045954355f40f16fac5eee7295d9cac86fb8c8824412f8a4202c5a3ec989027d1f65ca2b536b959467b4c87217c4482fc5bf04ef6fb71f2317e21 |
C:\Users\Admin\AppData\Local\Temp\Xw7Qduq\YZVAk50nnz6.zip
| MD5 | ca1346c4ed86b992d95a7209889f87d1 |
| SHA1 | 01d3d9c44a5d0426f4491ba3e1f12212b13de169 |
| SHA256 | 1e736e7598aa50965c02db4edf284b7ac78942829136afddfce1bfd616691f83 |
| SHA512 | 491b74477a4b59cc5217f4f9c0139831cae3c7f8cf7cd0e998d3a89d880eb714384a441cfe9f8caae77fd0ed97e0101f2e2fd0d6c24981963ba18d7ceed4efdc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 18:07
Reported
2024-11-06 18:10
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1405457e414.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon142081f7d1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1405457e414.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14f300fc2dd97c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon142ff5ec89a91e09f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1405457e414.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14cd02cc767.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon142081f7d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1477ca09a8.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14cd02cc767.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14cd02cc767.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14cd02cc767.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1477ca09a8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1477ca09a8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1477ca09a8.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14f5f58429.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14d14f0985d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon142ff5ec89a91e09f.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1405457e414.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14cd02cc767.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon144d62388e7d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1477ca09a8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon142ff5ec89a91e09f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f300fc2dd97c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f5f58429.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon142081f7d1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14d14f0985d.exe
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14f5f58429.exe
Mon14f5f58429.exe
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon142ff5ec89a91e09f.exe
Mon142ff5ec89a91e09f.exe
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon144d62388e7d.exe
Mon144d62388e7d.exe
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14f300fc2dd97c.exe
Mon14f300fc2dd97c.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1405457e414.exe
Mon1405457e414.exe
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1477ca09a8.exe
Mon1477ca09a8.exe
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14cd02cc767.exe
Mon14cd02cc767.exe
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon142081f7d1.exe
Mon142081f7d1.exe
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mummia.wmz
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14d14f0985d.exe
Mon14d14f0985d.exe
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1405457e414.exe
"C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1405457e414.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1356 -ip 1356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 464 -ip 464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 360
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 576
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
Prendero.exe.com z
C:\Windows\SysWOW64\PING.EXE
ping GYHASOLS -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 748 -ip 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1948
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | your-info-services.xyz | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| SG | 37.0.10.214:80 | | tcp |
| US | 8.8.8.8:53 | webboutiquestudio.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 8.8.8.8:53 | yournewsservices.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| US | 8.8.8.8:53 | KttDLaDomsPITcsmt.KttDLaDomsPITcsmt | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| N/A | 127.0.0.1:61285 | | tcp |
| N/A | 127.0.0.1:61287 | | tcp |
| US | 8.8.8.8:53 | 76.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| SG | 37.0.10.244:80 | | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| HK | 43.240.239.90:80 | viacetequn.site | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 90.239.240.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| SG | 37.0.10.237:80 | | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| HK | 43.240.239.90:80 | viacetequn.site | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 739c9ff1236d3fafaa68d279f1b126b7 |
| SHA1 | 0d27b4f313bb8d324776fcf067adebd3f9e8c53e |
| SHA256 | 36d452657a21c5477f387d83ab923e973a4e3ed8fa9a764741ca75040d725e4d |
| SHA512 | e4c2c086e6f0b8aebe80c4cb484296f8f7de3f59379499d49004be35c9d80f6fab491b49d6ee8c1de4cacdf0979ca135a7811c2a85303fac977ed70691115c5e |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\setup_install.exe
| MD5 | 9f93f70d65dfcbe1a4f62746fccf0404 |
| SHA1 | 2491ee63a17b3fdfa2186851dfdd926f9903e52e |
| SHA256 | 91aa33387b9e85f299e13c514574b41a905b3c0ee37ab732a23d7660e341b086 |
| SHA512 | accfd48529f44194d07eb5a09dfd03dcf63eb0a1e6662c5c6ead492beb624370007979f571da716214336a0f0616722c8cd98a37f3e5509eee7d40837847c7e6 |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/464-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/464-59-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/464-58-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/464-69-0x0000000064940000-0x0000000064959000-memory.dmp
memory/464-68-0x0000000064941000-0x000000006494F000-memory.dmp
memory/464-67-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/464-66-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/464-65-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/464-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/464-75-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14d14f0985d.exe
| MD5 | 408f2c9252ad66429a8d5401f1833db3 |
| SHA1 | 3829d2d03a728ecd59b38cc189525220a60c05db |
| SHA256 | 890db580fac738971bc7c714735ff6f1f2ee31edccd7881044da3e98452af664 |
| SHA512 | d4c89dfd928023b9f4380808b27e032342d2a85963b95bbed3191cc03b455dbc6f5ffecf29828a53b1d9011b3881f1cda9d15d269a2cbcbd4be5c993bcd9643b |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon142081f7d1.exe
| MD5 | 12b8842dded9134ad0cae031c4f06530 |
| SHA1 | c0ecd0ac8cf3e4851661f62fe283ecec0e6ca25e |
| SHA256 | abd87ec324df8d74245e1671f21e832b563eb8dc3c13b1688a9e85a2f809fe17 |
| SHA512 | 967d70105549641beaa3283c42143aac22e016c911f99ab1c7ef5b4eff2577790fc679a74af6d2df14e87c278762e2c39c96bbdeabeaa1b62fb9072f0baa1825 |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14f300fc2dd97c.exe
| MD5 | df80b76857b74ae1b2ada8efb2a730ee |
| SHA1 | 5653be57533c6eb058fed4963a25a676488ef832 |
| SHA256 | 5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd |
| SHA512 | 060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon144d62388e7d.exe
| MD5 | 0a0d22f1c9179a67d04166de0db02dbb |
| SHA1 | 106e55bd898b5574f9bd33dac9f3c0b95cecd90d |
| SHA256 | a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac |
| SHA512 | 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon142ff5ec89a91e09f.exe
| MD5 | d23c06e25b4bd295e821274472263572 |
| SHA1 | 9ad295ec3853dc465ae77f9479f8c4f76e2748b8 |
| SHA256 | f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c |
| SHA512 | 122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14f5f58429.exe
| MD5 | cda12ae37191467d0a7d151664ed74aa |
| SHA1 | 2625b2e142c848092aa4a51584143ab7ed7d33d2 |
| SHA256 | 1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e |
| SHA512 | 77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon14cd02cc767.exe
| MD5 | 742fbfe1027ba9a490c1b41716b9a09b |
| SHA1 | 31257a6c9e52128368c615ee05a6ffe99536c565 |
| SHA256 | 1108105d3a999595c317b6d1ea8b997b25aef1cb0f71c95e5c5c13564f4f309a |
| SHA512 | b4d1433e0b73a25340fdbf5af69f09ced3f371862f077898904bdf530f50f6d7b9b8bfc58b8c0d63e5c443ab5602ef1cb8d332f4cee3527c8db8acf322f5116a |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1477ca09a8.exe
| MD5 | 3b2ca1aae0f3a277efde19ed66785e07 |
| SHA1 | edfd0bb11c0baec2475149259c8a88a61a669de9 |
| SHA256 | c65369fd8f5f8a6bcee8325879e912f7f5e5f37e40281077a4902668458887b1 |
| SHA512 | 191aa807ec2c9a663eef6439084fcc68cdba245d9924773d65f42286af1df31238931425de1c18a4b643c7cd9ac4e98e638994630af440b7a1556c1497c8bb25 |
C:\Users\Admin\AppData\Local\Temp\7zS05318A37\Mon1405457e414.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/3264-96-0x00000000008E0000-0x000000000090C000-memory.dmp
memory/464-74-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/464-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/464-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/464-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3264-104-0x0000000000FA0000-0x0000000000FC2000-memory.dmp
memory/3968-97-0x0000000005010000-0x0000000005046000-memory.dmp
memory/3968-105-0x0000000005680000-0x0000000005CA8000-memory.dmp
memory/624-107-0x0000000000540000-0x0000000000548000-memory.dmp
memory/3968-112-0x0000000005E60000-0x0000000005EC6000-memory.dmp
memory/3968-116-0x0000000005F80000-0x0000000005FE6000-memory.dmp
memory/3968-121-0x00000000060F0000-0x0000000006444000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4sr0lwfw.aau.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3968-109-0x0000000005600000-0x0000000005622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mummia.wmz
| MD5 | 6f6fe96279c933c2170e75f49cf43718 |
| SHA1 | bbe211eaebbeb120b9ca3cd204aacbbeef20cb7e |
| SHA256 | e6919da4e2658c82ebbcca670053d77e1231a5a600bf5aeaba71e5852e09022f |
| SHA512 | 76160b79d3cbe2fca6d95b096043641a96b13007f287f8e55b94eab16cbb98691a8e8fa8d035da434e84f689bb8d36478f632976481b56c7170889553a629748 |
memory/3968-124-0x00000000065E0000-0x000000000662C000-memory.dmp
memory/3968-123-0x00000000065B0000-0x00000000065CE000-memory.dmp
memory/464-132-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/464-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/464-125-0x0000000000400000-0x000000000051B000-memory.dmp
memory/464-134-0x0000000064940000-0x0000000064959000-memory.dmp
memory/464-131-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/464-129-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/1356-135-0x0000000000400000-0x00000000023AE000-memory.dmp
memory/3968-136-0x0000000006B70000-0x0000000006BA2000-memory.dmp
memory/3968-137-0x000000006E580000-0x000000006E5CC000-memory.dmp
memory/3968-148-0x0000000007560000-0x000000000757E000-memory.dmp
memory/3968-150-0x0000000007840000-0x00000000078E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensavo.wmz
| MD5 | 3928f9cc043cfb53823761dac703fd04 |
| SHA1 | c825e75ae21b995996763487de07176230c2535e |
| SHA256 | c2d4ebb0b7be8eb8683cc1fdcd0b95c834888c56d555e6d23497ae211835f412 |
| SHA512 | 8739619195c9d1409819822ae3c53415ac57a1c485b6947022d81981c9a0c7811ea5a30af0ef32e0a34aacf589f74366866dc1e7e03cd4addf56b71b6b25d9c5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Copia.wmz
| MD5 | a1ac3489d2401d26e3aea9bcb0a85b10 |
| SHA1 | 6a4c4004ef746ed16d25c3fe425a6c78fcefe9b4 |
| SHA256 | 1cb9452373f7b755b1c64b41bd7ffcfe4fe0ab92fd08c61c283c5deccfd89146 |
| SHA512 | 293a84faadb89219945fde5836786cbcf4bdcaf36638603a5e95e80df4f5daf0b180d1f768deecee77b828ef736a337925479c37ae1e1f7126934f80be7b5e2e |
memory/3968-157-0x0000000007F70000-0x00000000085EA000-memory.dmp
memory/3968-159-0x0000000007610000-0x000000000762A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/936-160-0x0000000007430000-0x00000000079D4000-memory.dmp
memory/936-162-0x0000000004ED0000-0x0000000004EF0000-memory.dmp
memory/936-156-0x0000000004D50000-0x0000000004D72000-memory.dmp
memory/3968-163-0x0000000007950000-0x000000000795A000-memory.dmp
memory/936-164-0x00000000079E0000-0x0000000007FF8000-memory.dmp
memory/936-165-0x00000000072E0000-0x00000000072F2000-memory.dmp
memory/936-166-0x0000000007300000-0x000000000733C000-memory.dmp
memory/3968-167-0x0000000007B40000-0x0000000007BD6000-memory.dmp
memory/3968-170-0x0000000007AD0000-0x0000000007AE1000-memory.dmp
memory/936-171-0x00000000081E0000-0x00000000082EA000-memory.dmp
memory/3968-174-0x0000000007B00000-0x0000000007B0E000-memory.dmp
memory/3968-175-0x0000000007B10000-0x0000000007B24000-memory.dmp
memory/3968-176-0x0000000007C00000-0x0000000007C1A000-memory.dmp
memory/3968-177-0x0000000007BF0000-0x0000000007BF8000-memory.dmp
memory/936-181-0x0000000000400000-0x0000000002CCD000-memory.dmp
memory/748-182-0x0000000000400000-0x0000000002402000-memory.dmp
memory/5056-195-0x0000000070ED0000-0x0000000070F64000-memory.dmp
memory/3308-198-0x0000000000AB0000-0x0000000000B0A000-memory.dmp
memory/5056-201-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/936-203-0x0000000075D50000-0x0000000075DC5000-memory.dmp
memory/4584-207-0x0000000075D50000-0x0000000075DC5000-memory.dmp
memory/4584-208-0x00000000756C0000-0x000000007573A000-memory.dmp
memory/624-212-0x00007FF8197E0000-0x00007FF819981000-memory.dmp
memory/748-214-0x0000000070EB0000-0x0000000070EC3000-memory.dmp
memory/4528-218-0x0000000000AB0000-0x0000000000B0A000-memory.dmp
memory/2776-221-0x00007FF817CD0000-0x00007FF817D6D000-memory.dmp
memory/2776-225-0x00007FF6A49C0000-0x00007FF6A49DF000-memory.dmp
memory/5056-226-0x00007FF818F60000-0x00007FF818FB9000-memory.dmp
Analysis: behavioral3
Detonation Overview
| Submitted | 2024-11-06 18:07 |
| Reported | 2024-11-06 18:10 |
| Platform | win7-20240903-en |
| Max time kernel | 66s |
| Max time network | 150s |
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cryptbot family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon142081f7d1.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1405457e414.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1405457e414.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14cd02cc767.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon142ff5ec89a91e09f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon142081f7d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14f300fc2dd97c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1477ca09a8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1477ca09a8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1477ca09a8.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1477ca09a8.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14f5f58429.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14d14f0985d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon142ff5ec89a91e09f.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1405457e414.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14cd02cc767.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon144d62388e7d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1477ca09a8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon142ff5ec89a91e09f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f300fc2dd97c.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1405457e414.exe
Mon1405457e414.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f5f58429.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon142081f7d1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14d14f0985d.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon142ff5ec89a91e09f.exe
Mon142ff5ec89a91e09f.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon144d62388e7d.exe
Mon144d62388e7d.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon144d62388e7d.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon144d62388e7d.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon142081f7d1.exe
Mon142081f7d1.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14f5f58429.exe
Mon14f5f58429.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14d14f0985d.exe
Mon14d14f0985d.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1477ca09a8.exe
Mon1477ca09a8.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14f300fc2dd97c.exe
Mon14f300fc2dd97c.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14cd02cc767.exe
Mon14cd02cc767.exe
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1405457e414.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1405457e414.exe" -a
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mummia.wmz
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 272
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
Prendero.exe.com z
C:\Windows\SysWOW64\PING.EXE
ping ZQABOPWE -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 932
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hsiens.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | KttDLaDomsPITcsmt.KttDLaDomsPITcsmt | udp |
| US | 8.8.8.8:53 | viacetequn.site | udp |
| HK | 43.240.239.90:80 | viacetequn.site | tcp |
| SG | 37.0.10.214:80 | N/A | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | your-info-services.xyz | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | webboutiquestudio.xyz | udp |
| US | 8.8.8.8:53 | yournewsservices.xyz | udp |
| N/A | 127.0.0.1:49265 | N/A | tcp |
| N/A | 127.0.0.1:49267 | N/A | tcp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| SG | 37.0.10.244:80 | N/A | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.237:80 | N/A | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | bunhiv18.top | udp |
Files
\Users\Admin\AppData\Local\Temp\7zS8A8748E6\setup_install.exe
| MD5 | 9f93f70d65dfcbe1a4f62746fccf0404 |
| SHA1 | 2491ee63a17b3fdfa2186851dfdd926f9903e52e |
| SHA256 | 91aa33387b9e85f299e13c514574b41a905b3c0ee37ab732a23d7660e341b086 |
| SHA512 | accfd48529f44194d07eb5a09dfd03dcf63eb0a1e6662c5c6ead492beb624370007979f571da716214336a0f0616722c8cd98a37f3e5509eee7d40837847c7e6 |
\Users\Admin\AppData\Local\Temp\7zS8A8748E6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2764-47-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8A8748E6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zS8A8748E6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2764-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8A8748E6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zS8A8748E6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2764-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2764-64-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2764-65-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2764-71-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2764-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1405457e414.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14f300fc2dd97c.exe
| MD5 | df80b76857b74ae1b2ada8efb2a730ee |
| SHA1 | 5653be57533c6eb058fed4963a25a676488ef832 |
| SHA256 | 5545c43eb14b0519ab997673efa379343f98d2b6b1578d9fdeb369234789f9dd |
| SHA512 | 060b04536003ce4a91e5847d487701eed7e093408e427198be552f0af37aee498929586f3a0110c78173873a28d95c6c0a4cdd01c7218274f5849a4730f9efdd |
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon142ff5ec89a91e09f.exe
| MD5 | d23c06e25b4bd295e821274472263572 |
| SHA1 | 9ad295ec3853dc465ae77f9479f8c4f76e2748b8 |
| SHA256 | f02c1351a8b3dc296cf815bb4cd2bcc2d25b3b9a258ab2ad95e8be3d9602322c |
| SHA512 | 122b0ef44682f83651d81df622bbff5ad9fa0f5bbd6b925e35add9568825c0316c0f9921dac21cf92cb44658fc854f7829c01ae3b84aa0745929f8ef5e6ae1ae |
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon144d62388e7d.exe
| MD5 | 0a0d22f1c9179a67d04166de0db02dbb |
| SHA1 | 106e55bd898b5574f9bd33dac9f3c0b95cecd90d |
| SHA256 | a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac |
| SHA512 | 8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b |
\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon142081f7d1.exe
| MD5 | 12b8842dded9134ad0cae031c4f06530 |
| SHA1 | c0ecd0ac8cf3e4851661f62fe283ecec0e6ca25e |
| SHA256 | abd87ec324df8d74245e1671f21e832b563eb8dc3c13b1688a9e85a2f809fe17 |
| SHA512 | 967d70105549641beaa3283c42143aac22e016c911f99ab1c7ef5b4eff2577790fc679a74af6d2df14e87c278762e2c39c96bbdeabeaa1b62fb9072f0baa1825 |
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14f5f58429.exe
| MD5 | cda12ae37191467d0a7d151664ed74aa |
| SHA1 | 2625b2e142c848092aa4a51584143ab7ed7d33d2 |
| SHA256 | 1e07bb767e9979d4afa4f8d69b68e33dd7c1a43f6863096a2b091047a10cdc2e |
| SHA512 | 77c4429e22754e50828d9ec344cd63780acd31c350ef16ef69e2a396114df10e7c43d791440faee90e7f80be73e845ab579fd7b38efbd12f5de11bbc906f1c1d |
\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon1477ca09a8.exe
| MD5 | 3b2ca1aae0f3a277efde19ed66785e07 |
| SHA1 | edfd0bb11c0baec2475149259c8a88a61a669de9 |
| SHA256 | c65369fd8f5f8a6bcee8325879e912f7f5e5f37e40281077a4902668458887b1 |
| SHA512 | 191aa807ec2c9a663eef6439084fcc68cdba245d9924773d65f42286af1df31238931425de1c18a4b643c7cd9ac4e98e638994630af440b7a1556c1497c8bb25 |
C:\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14d14f0985d.exe
| MD5 | 408f2c9252ad66429a8d5401f1833db3 |
| SHA1 | 3829d2d03a728ecd59b38cc189525220a60c05db |
| SHA256 | 890db580fac738971bc7c714735ff6f1f2ee31edccd7881044da3e98452af664 |
| SHA512 | d4c89dfd928023b9f4380808b27e032342d2a85963b95bbed3191cc03b455dbc6f5ffecf29828a53b1d9011b3881f1cda9d15d269a2cbcbd4be5c993bcd9643b |
\Users\Admin\AppData\Local\Temp\7zS8A8748E6\Mon14cd02cc767.exe
| MD5 | 742fbfe1027ba9a490c1b41716b9a09b |
| SHA1 | 31257a6c9e52128368c615ee05a6ffe99536c565 |
| SHA256 | 1108105d3a999595c317b6d1ea8b997b25aef1cb0f71c95e5c5c13564f4f309a |
| SHA512 | b4d1433e0b73a25340fdbf5af69f09ced3f371862f077898904bdf530f50f6d7b9b8bfc58b8c0d63e5c443ab5602ef1cb8d332f4cee3527c8db8acf322f5116a |
memory/2764-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2764-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/1940-153-0x0000000001220000-0x000000000124C000-memory.dmp
memory/2044-156-0x0000000000FB0000-0x0000000000FB8000-memory.dmp
memory/1804-166-0x0000000003440000-0x0000000003462000-memory.dmp
memory/1940-168-0x0000000000560000-0x0000000000582000-memory.dmp
memory/2764-70-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2764-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2764-63-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2764-62-0x0000000064940000-0x0000000064959000-memory.dmp
memory/1804-174-0x0000000004D90000-0x0000000004DB0000-memory.dmp
memory/2764-61-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2764-60-0x0000000064941000-0x000000006494F000-memory.dmp
memory/1348-175-0x0000000000400000-0x00000000023AE000-memory.dmp
memory/2764-183-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2764-185-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2764-187-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2764-188-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2764-186-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1804-189-0x0000000000400000-0x0000000002CCD000-memory.dmp
memory/1984-193-0x0000000000400000-0x0000000002402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFE6D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarFECE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2764-241-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2764-242-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2764-243-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2764-244-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2764-245-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2764-246-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2764-248-0x0000000000400000-0x000000000051B000-memory.dmp
memory/2764-252-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2764-254-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2764-255-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2764-256-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2764-257-0x0000000064940000-0x0000000064959000-memory.dmp
memory/780-260-0x0000000005DA0000-0x0000000005E43000-memory.dmp
memory/780-261-0x0000000005DA0000-0x0000000005E43000-memory.dmp
memory/780-262-0x0000000005DA0000-0x0000000005E43000-memory.dmp
memory/780-263-0x0000000005DA0000-0x0000000005E43000-memory.dmp
memory/780-267-0x0000000005DA0000-0x0000000005E43000-memory.dmp
memory/780-266-0x0000000005DA0000-0x0000000005E43000-memory.dmp
memory/780-265-0x0000000005DA0000-0x0000000005E43000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FMdRYuTTK\_Files\_Information.txt
| MD5 | 11fae8bea0907e7289733a25ab2e7a96 |
| SHA1 | 8e3a182ad3ec193d6efc5fc0d814c6adabd0b41c |
| SHA256 | 929ee3bdd1922ca4467b74a1e9d24ef25827f605f4e64c541e8bb89e084e8500 |
| SHA512 | f0d243d084a6c09557cad2c55ebae869bb3a11065bfa6877e95ed833807adf5067ecf1f2765a2a2a699a706289ea78c72ae009087f4787bf29cac2cb1fb835ce |
C:\Users\Admin\AppData\Local\Temp\FMdRYuTTK\_Files\_Information.txt
| MD5 | 7ecf6d53d82ce5b78040fd4516f9dd32 |
| SHA1 | 4fd0686b44137f80807c443d9188e12f642b0fa8 |
| SHA256 | 8364919d71698972e23c8867f922538a991d90bf4eab921d40ff5f615ac4f774 |
| SHA512 | 9197822f0a7b4156854755c5b1cc1e1bc3ddc714444ac8a773b97fbd3dd6a473d18295029cfd9bfc9cfe1aa0fce5a97a59d57f62d311139ec3458fafce8e9646 |
C:\Users\Admin\AppData\Local\Temp\FMdRYuTTK\files_\system_info.txt
| MD5 | 66f136e26fe5c61170f980fd4c1031dd |
| SHA1 | a39803f1b65f0516e12136b6cf27175be20a0177 |
| SHA256 | 75421bc62cdf7ba7377405128daa9abdc55abf6b8b6091e4e7e320d2b2ec0c2d |
| SHA512 | c4d9cc6fa515cbfa05685780b50afeb4abb2924d227edd348104f83e23efef05f85f72b301d8fd279bb0382b0c851505ddc534f5377f69e31b3bf9fd598df43b |
C:\Users\Admin\AppData\Local\Temp\FMdRYuTTK\_Files\_Screen_Desktop.jpeg
| MD5 | 5941a64394989694c90b51450c34fc47 |
| SHA1 | cad75389a3339667b5e29809bfbcb0e8f81cd28e |
| SHA256 | fea4168b133e606ed7854db788554f14672d7f8cec0f374df2325ef8f4373324 |
| SHA512 | b8bef2cf4831ec4f688557266e1202b843f271db01688b717a97be0056b7982ad39e8f6d4e65c543c46b02b6fdfdbad87e40e11adfd631ea545e6db1c65d7535 |
C:\Users\Admin\AppData\Local\Temp\FMdRYuTTK\_Files\_Files\UseSync.txt
| MD5 | cee2095158aba80a19cb369bd34911b9 |
| SHA1 | 24801eec90de1222ec3e69bdce9da35cc1cb94be |
| SHA256 | aa69b12eaf6004b1844e4a07fb39b48406405b748877e23d9f40488c9987d076 |
| SHA512 | 92721338f38b2c692a726b1eed7a5a0fc5656b2c6ef480db01ee41c44b89d817e09bbb86ecefa8c4f3833e593810b3df8da4c5d9d86e1bf85f93ceb7b594f128 |
C:\Users\Admin\AppData\Local\Temp\FMdRYuTTK\YMhEkWQH0LY51.zip
| MD5 | c9fed9ab20e1a849c957bd9191220eba |
| SHA1 | c4b93e2fe9c5ee66e22a46a9ff6328501857f678 |
| SHA256 | 6a054d5f86db7cf11cdfd58896f2d030cecbc1f8024cbce0950319d7a29c2d26 |
| SHA512 | 9caef14e8f59843d601fbee9d603161639b430c1c0dc20800e3f7a5e787abf223742c87f5dc7a629934260a117bec0660e2e55fbd2b36c505270018018a37ed9 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-06 18:07
Reported
2024-11-06 18:10
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon1405457e414.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon142081f7d1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14cd02cc767.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon1405457e414.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon1477ca09a8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14f300fc2dd97c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon142081f7d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon142ff5ec89a91e09f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14cd02cc767.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon1405457e414.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14cd02cc767.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14cd02cc767.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14cd02cc767.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14d14f0985d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14f5f58429.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon142ff5ec89a91e09f.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS07677197\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1405457e414.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14cd02cc767.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon144d62388e7d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1477ca09a8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon142ff5ec89a91e09f.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f300fc2dd97c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14f5f58429.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon142081f7d1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon14d14f0985d.exe
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon1405457e414.exe
Mon1405457e414.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14cd02cc767.exe
Mon14cd02cc767.exe
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon144d62388e7d.exe
Mon144d62388e7d.exe
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon142ff5ec89a91e09f.exe
Mon142ff5ec89a91e09f.exe
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14f5f58429.exe
Mon14f5f58429.exe
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14f300fc2dd97c.exe
Mon14f300fc2dd97c.exe
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon14d14f0985d.exe
Mon14d14f0985d.exe
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon142081f7d1.exe
Mon142081f7d1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1900 -ip 1900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 564
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3212 -ip 3212
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon1477ca09a8.exe
Mon1477ca09a8.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mummia.wmz
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 360
C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon1405457e414.exe
"C:\Users\Admin\AppData\Local\Temp\7zS07677197\Mon1405457e414.exe" -a
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^utIhAQXzKFfZwKOfdWFWGYOHgvUbutPplngusOenUcoCKjfoSNGytadifqZtVmhGQyOCcHYBTuwlPjXeuMFabKtSouQdPYDxoCLEbNMlPtkXdusrrWXoUUouqWxgRHLUDGwhAaEzZcDzniBeO$" Pensavo.wmz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
Prendero.exe.com z
C:\Windows\SysWOW64\PING.EXE
ping OZMCVSQS -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com z
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Network
Files
| SHA512 | 8739619195c9d1409819822ae3c53415ac57a1c485b6947022d81981c9a0c7811ea5a30af0ef32e0a34aacf589f74366866dc1e7e03cd4addf56b71b6b25d9c5 |
memory/2344-126-0x00000000060F0000-0x000000000610E000-memory.dmp
memory/2344-127-0x0000000006120000-0x000000000616C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Copia.wmz
| MD5 | a1ac3489d2401d26e3aea9bcb0a85b10 |
| SHA1 | 6a4c4004ef746ed16d25c3fe425a6c78fcefe9b4 |
| SHA256 | 1cb9452373f7b755b1c64b41bd7ffcfe4fe0ab92fd08c61c283c5deccfd89146 |
| SHA512 | 293a84faadb89219945fde5836786cbcf4bdcaf36638603a5e95e80df4f5daf0b180d1f768deecee77b828ef736a337925479c37ae1e1f7126934f80be7b5e2e |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Prendero.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2344-134-0x00000000066B0000-0x00000000066E2000-memory.dmp
memory/2344-135-0x0000000074510000-0x000000007455C000-memory.dmp
memory/2344-146-0x00000000070B0000-0x0000000007153000-memory.dmp
memory/2344-145-0x0000000006690000-0x00000000066AE000-memory.dmp
memory/2344-150-0x0000000007420000-0x000000000743A000-memory.dmp
memory/2344-149-0x0000000007A60000-0x00000000080DA000-memory.dmp
memory/2344-151-0x00000000074A0000-0x00000000074AA000-memory.dmp
memory/2344-152-0x0000000007690000-0x0000000007726000-memory.dmp
memory/2344-153-0x0000000007620000-0x0000000007631000-memory.dmp
memory/2344-154-0x0000000007650000-0x000000000765E000-memory.dmp
memory/2344-155-0x0000000007660000-0x0000000007674000-memory.dmp
memory/2344-156-0x0000000007750000-0x000000000776A000-memory.dmp
memory/2344-157-0x0000000007740000-0x0000000007748000-memory.dmp
memory/4504-160-0x0000000004B70000-0x0000000004B92000-memory.dmp
memory/4504-161-0x00000000073A0000-0x0000000007944000-memory.dmp
memory/4504-162-0x0000000004C90000-0x0000000004CB0000-memory.dmp
memory/4504-164-0x00000000072E0000-0x00000000072F2000-memory.dmp
memory/4504-163-0x0000000007950000-0x0000000007F68000-memory.dmp
memory/4504-165-0x0000000007300000-0x000000000733C000-memory.dmp
memory/4504-166-0x0000000007F70000-0x0000000007FBC000-memory.dmp
memory/4504-167-0x00000000080D0000-0x00000000081DA000-memory.dmp
memory/4760-178-0x00007FF8EBCE0000-0x00007FF8EBD63000-memory.dmp
memory/4984-179-0x00000000006E0000-0x00000000006E9000-memory.dmp
memory/4044-187-0x0000000074230000-0x000000007423E000-memory.dmp
memory/4044-188-0x0000000074750000-0x0000000074758000-memory.dmp
memory/4760-191-0x0000000000FA0000-0x0000000000FFA000-memory.dmp
memory/5100-214-0x0000000000FA0000-0x0000000000FFA000-memory.dmp
memory/4044-216-0x0000000000280000-0x000000000035F000-memory.dmp
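The entries above are the raw artifact list a sandbox emits: `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` for each dumped region and a `| MD5 | ... |` style hash table under each dropped file path. The following parser is an added example, not part of the report or the sandbox's own tooling. It reads a few lines copied from the listing above, turns them into per-PID region summaries and a SHA256 IOC set, and validates the fields (end above start, digest length matching the algorithm) so that a copy/paste error does not silently end up in a blocklist. The interpretation of the dump name fields as PID, sequence number, start and end address is inferred from the names themselves and is an assumption.

```python
import hashlib
import re
from collections import defaultdict

# Lines copied from the sandbox listing above (a handful of memory dump entries
# and one dropped-file hash table). The meaning of the name fields
# (pid-seq-start-end) is inferred from the listing, not from documentation.
LISTING = """\
memory/1900-52-0x0000000000EF0000-0x0000000000F7F000-memory.dmp
memory/1900-111-0x0000000000400000-0x000000000051B000-memory.dmp
memory/3212-121-0x0000000000400000-0x00000000023AE000-memory.dmp
memory/4760-178-0x00007FF8EBCE0000-0x00007FF8EBD63000-memory.dmp
memory/4760-191-0x0000000000FA0000-0x0000000000FFA000-memory.dmp
C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\Prendero.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
"""

MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Split the listing into memory regions and per-file hash dictionaries."""
    regions = []   # (pid, seq, start, end)
    files = {}     # path -> {algo: hexdigest}
    current = None  # the dropped-file path the next hash rows belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = MEM_RE.match(line)
        if m:
            pid, seq = int(m[1]), int(m[2])
            start, end = int(m[3], 16), int(m[4], 16)
            if end <= start:
                raise ValueError(f"bad address range in {line}")
            regions.append((pid, seq, start, end))
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h[1], h[2].lower()
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has the wrong length: {line}")
            files[current][algo] = digest
            continue
        if line:  # anything else is a dropped-file path heading a hash table
            current = line
            files.setdefault(current, {})
    return regions, files


def regions_by_pid(regions):
    """Group dumped regions per PID with their size and whether they sit above 4 GiB."""
    out = defaultdict(list)
    for pid, seq, start, end in regions:
        out[pid].append({"seq": seq, "start": start,
                         "size": end - start, "high": start >= 2 ** 32})
    return dict(out)


def ioc_hashes(files, algo="SHA256"):
    """Collect one algorithm's digests from every dropped file as a blocklist set."""
    return {d[algo] for d in files.values() if algo in d}


def matches_ioc(data, files):
    """True if the given file contents hash to a dropped file from the report."""
    return hashlib.sha256(data).hexdigest() in ioc_hashes(files)
```

Grouping by PID is what makes the list readable: PID 1900's dumps mostly repeat the same few module ranges, while the single large low-address region for PID 3212 stands out as the one worth pulling first for unpacking. Regions above 4 GiB (the `high` flag) come from 64-bit processes and are a quick way to separate them from the 32-bit ones in the same run.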