Malware Analysis Report

2024-12-07 11:32

Sample ID 241113-vxyavawfnk
Target 8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe
SHA256 8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9
Tags
discovery evasion persistence privilege_escalation trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9

Threat Level: Likely malicious

The file 8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence privilege_escalation trojan

Modifies Windows Firewall

Deletes itself

Drops startup file

Loads dropped DLL

Checks whether UAC is enabled

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 17:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:22

Reported

2024-11-13 17:24

Platform

win7-20241010-en

Max time kernel

93s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.lnk C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.lnk C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data not preserved] C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not preserved] C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2748 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2748 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2748 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2412 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1116 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1116 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1116 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2412 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2392 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2392 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2392 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2412 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe

"C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\xps0863e.bat

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe" profile=All

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\yqq7bd654e.bat

C:\Windows\SysWOW64\netsh.exe

netsh.exe firewall add allowedprogram PROGRAM="C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe" NAME="Session Win32" MODE=ENABLE PROFILE=ALL

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\vrn54ef231b.bat

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe" profile=All

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\xzy51ce1a73656e8104d48f6.bat

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\ssnd9d671bb300c9f.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.2chemodana.com.ua udp
US 8.8.8.8:53 mechathlon.ismu.ac.in udp
US 8.8.8.8:53 tamilcinemax.net udp
US 8.8.8.8:53 www.artemon.cz udp
IT 80.211.101.117:80 www.artemon.cz tcp
US 8.8.8.8:53 remtl.ca udp
US 8.8.8.8:53 airlux.bg udp
CA 23.227.38.65:80 airlux.bg tcp
US 8.8.8.8:53 www.airlux.bg udp
CA 23.227.38.74:443 www.airlux.bg tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 www.aviafilm.com.ua udp
UA 91.203.4.45:80 www.aviafilm.com.ua tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.201.100:80 www.google.com tcp
US 8.8.8.8:53 www.ip-adress.com udp
US 172.67.156.27:80 www.ip-adress.com tcp
US 8.8.8.8:53 www.clickptc.com.br udp
US 8.8.8.8:53 www.interpraevent.at udp
DE 82.96.70.180:80 www.interpraevent.at tcp
DE 82.96.70.180:443 www.interpraevent.at tcp
US 8.8.8.8:53 www.travelnext.nl udp
US 162.159.134.42:443 www.travelnext.nl tcp
US 8.8.8.8:53 cpl.yonsei.ac.kr udp
KR 165.132.228.113:80 cpl.yonsei.ac.kr tcp
US 8.8.8.8:53 www.myroms.org udp
US 165.230.169.162:443 www.myroms.org tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 artist.ba udp
BA 185.150.195.66:80 artist.ba tcp
BA 185.150.195.66:443 artist.ba tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.135.105:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.modelclub.gr udp
GR 93.174.123.3:443 www.modelclub.gr tcp

Files

C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\xps0863e.bat

MD5 2161c950695588f385f7c77297614991
SHA1 2b764330a98a32c5b352409b8a7fc257b79d1f5e
SHA256 5aee4c7026edeba8cfe1343c3553751d4016467c12f8c309954ebf0ba3486744
SHA512 ba83faecb367e90fab346f9c95ad798c0d535700c267ba7906f157749393ccee3409aa782389c7ef180c62e9283e10e5e388419133be6bab36d459b970cd37ce

C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\yqq7bd654e.bat

MD5 212a7beabc02abe3209356de90226229
SHA1 f22b310f7066e771ba1fd5452a63b59b2ea18f56
SHA256 d299076297420c9f2cd19f1f4516250d54c1cf02196ceab2af749e71c8e865a8
SHA512 5989b5ececfa97c49cf71943d0dd0f94aa93ed4f92de23732785d1c6cde1364dc2bf5b6b334316056cb4e0354b5049ef439709f2b7b4f718366ea8cae34c1357

C:\Users\Admin\AppData\Local\Temp\Cab41A4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar438B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\vrn54ef231b.bat

MD5 d52afc562dbcfee2523aadfbfb5437a2
SHA1 db767ed94ab529ef5a19e86aac568328309826d5
SHA256 0028c3f0f8cdc0bb1d0b1e1aadf0d760d44321e35a46c968e0b2902a5c67257d
SHA512 5ba1b5ace2e834957f3918f17e4bcd29a3144ff565c54c9273dc2a8997f0bb30d2e6f5e5409d2ee4c5290af21edbaeda78f301c35e0c8777812b7f78566c337b

C:\Users\Admin\AppData\Local\Temp\config\configure

MD5 05a3623b1033931188b391385af0a8bb
SHA1 cec5e7d3716d846642cf2a67f11a6ec0f303f050
SHA256 fbe4db01eebf06dc14cef013bf6a2b154bb575aa0436ca6ad593b672d29c0553
SHA512 60cc3f7db9851e1b18a9e7e109eac962f841fa26092c1bf459857e062f237d6fdb0bda176e76355094dc86bc301eb739f8f085aa3ed3b53ff04d60744ba9dcd0

C:\Users\Admin\pqz8b4308c78ec3775e94\config\script.txt

MD5 7789e3e782fe4d1baefb3a39fcbba03b
SHA1 7c8f1204eddc6997cc3ce4f9bfff477b6716ac19
SHA256 ecf36498860fcc69a2dd2a1164f5973cbfd48fd8d9708cb3e4c99b52d806936f
SHA512 fe77c4678cc6f828e3fe4a5204d248d7a5d122da088b224ba7d26b3ac9547c131120a02ba662d0d453cea98f43feae6f008cf6279b1914e84aab0f61f8614c81

C:\Users\Admin\pqz8b4308c78ec3775e94\config\update.txt

MD5 78962aa5a060a2aef9141bd2d2700af2
SHA1 1646eb7823628d12e6ae6d52c3f572d66290254c
SHA256 b93f2aa97da9190e64e057caae3174191a0423f6693d312437a238f9a1e23547
SHA512 87e2038876368cee92ed0d96369f18d53c70548986218aa4add83bde6e4ba40296203d18d6944279fcab9e97aa2235b7f1e6e1ccdb43bc6d458648abb6f536ab

C:\Users\Admin\pqz8b4308c78ec3775e94\config\name.drv

MD5 4f97957eab4a817f441dec4a8fb4d7d5
SHA1 cd138abf294e0a622958c6d5fa56df1ce0ed17c6
SHA256 6425ffda0430d85e7912653c7ac3aabf73e206370827780ec2fc7e6dafdea335
SHA512 e71942efdc0bd628e1eb3eed3e6e44c459b3daf002da89868ecf88555ccc478019bc9355bb53ea2f4802214fff60c0676d9c74dbc2502da8d9216d0d3d7cfe23

C:\Users\Admin\AppData\Local\Temp\config\exitd.vxd

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\xzy51ce1a73656e8104d48f6.bat

MD5 804effa7a66c2a3afb0f8144d3552207
SHA1 e99f519d1f250194416e4bf128a572b84181cffb
SHA256 8e32e809893f856dbcf182ed88be4c1ce60f6b7f6478cbbf84ece9e2ad9c0c9c
SHA512 4aadbcc791ea977ba7e4cb9f5212049677f02a5c5d34e476a8cfb23b65056e752016e922e0fbce3ffe228eb967c7d7409eb0b0278e37fbee60d72ed762027bdf

C:\Users\Admin\pqz8b4308c78ec3775e94\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe

MD5 42c3bbe8743cea1a15ca4835cd490843
SHA1 d119054cc95eed0354b193bab490d11fff34eb21
SHA256 9a3f3e3889b1f7382183af9c72d35d1818e35491ce9fff635cfe9820220ec7ae
SHA512 e0f0a1e747709f55e1b374c7cbeaffa2809310781475e6eca9e72e26eb8dec7d78aec864e7e8e6604b9343d866b0a4bb361e6d8e1abd8ef7a348ff9c8b299cf2

C:\Users\Admin\AppData\Local\Temp\tque09a6909fa9eaa27229c3b85\ssnd9d671bb300c9f.bat

MD5 6ce64db5cdb3fd38e237f0e4c25afc6c
SHA1 f31acbed7be5f1b9134c0521f0df81d88180e311
SHA256 caa10149f76900216918be73fb989dc460ec5d11980976c6a22b1a1008435e81
SHA512 bcd7b4b4def53599ca1bc1e32fa1607c2fc583cfd024317e99ff0fc247217b4f83d511fd5d938d26154a9a724df62199d0f344cc9aa332de91ffa9c19cfaf2d6

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 17:22

Reported

2024-11-13 17:24

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.lnk C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.lnk C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5024 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3936 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3936 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5024 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4416 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4416 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5024 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4564 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4564 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5024 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe

"C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\uwsbe88ed4f7ab09.bat

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe" profile=All

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\vvq54ea826a4ed76.bat

C:\Windows\SysWOW64\netsh.exe

netsh.exe firewall add allowedprogram PROGRAM="C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe" NAME="Session Win32" MODE=ENABLE PROFILE=ALL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\yzndac47f584d413.bat

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe" profile=All

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\vnuaa26f0b46d99c3ac9a6.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\ouy9982769b63eee4.bat

Network


Files

C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\uwsbe88ed4f7ab09.bat

C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\vvq54ea826a4ed76.bat

C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\yzndac47f584d413.bat

C:\Users\Admin\AppData\Local\Temp\config\configure

C:\Users\Admin\ystb8e497defaa\config\script.txt

C:\Users\Admin\ystb8e497defaa\config\update.txt

C:\Users\Admin\ystb8e497defaa\config\configure

C:\Users\Admin\ystb8e497defaa\config\name.drv

C:\Users\Admin\AppData\Local\Temp\config\exitd.vxd

C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\vnuaa26f0b46d99c3ac9a6.bat

C:\Users\Admin\ystb8e497defaa\8ad9d3971085d03c0dbfedc2bf6da4083c44b3c9e76073137eda1e1e910a57f9N.exe

C:\Users\Admin\AppData\Local\Temp\zord43eb819b4c\ouy9982769b63eee4.bat
