Analysis Overview
SHA256
012d2fcae6942de8aa569557c3b95ba0434f66e7ae2bfe35b0a800d3e99a4cfc
Threat Level: Known bad
The file expensive crack.zip was found to be: Known bad.
Malicious Activity Summary
AdWind
Class file contains resources related to AdWind
Adwind family
Adds Run key to start application
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 21:13
Signatures
Adwind family
Class file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 21:13
Reported
2024-11-15 21:44
Platform
win10ltsc2021-20241023-en
Max time kernel
1793s
Max time network
1798s
Command Line
Signatures
AdWind
Adwind family
Class file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705296182.tmp" | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar expapasta.jar
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705296182.tmp
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705296182.tmp" /f"
C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705296182.tmp" /f
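The process list above is the whole persistence chain in four steps: java.exe runs expapasta.jar (via start.cmd from the 7-Zip window in this run, directly in behavioral5 and behavioral6), the jar writes a file under the user's AppData\Roaming\Microsoft\.tmp directory (the name 1731705296182 is a millisecond Unix timestamp, 2024-11-15 21:14:56 UTC, a minute after submission), hides it with attrib +H, and proxies REG ADD through cmd.exe so that HKCU\...\Run\Home launches javaw.exe -jar on the hidden file at every logon. That reg.exe event with a Java ancestor is the actionable signal here; the SetWindowsHookEx and GetForegroundWindowSpam hits from java.exe and 7zFM.exe are generic GUI-toolkit behaviour and carry little weight on their own. The Python below is an added detection example, not part of this report or of the sandbox's signature set: it runs over constructed process-creation records whose schema (pid, ppid, image, cmdline) is an assumption to be mapped onto Sysmon event ID 1 or your EDR's process events, with sample values mirroring the behavioral5 PIDs on this page, reconstructs each process's parent chain, parses the REG ADD into key, value and data, scores the Run payload, and pairs it with the attrib +H target.

```python
"""Detect the Run-key persistence chain shown in the process list above.
Added example, not part of this report: reconstructs parent chains from
process-creation records, parses 'reg add' into key/value/data, scores the
Run payload and pairs it with the attrib +H target. The record schema
(pid, ppid, image, cmdline) is assumed; map it to Sysmon event ID 1."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged

# Constructed sample modelled on the behavioral5 process tree on this page.
SAMPLE_EVENTS = [
    ProcEvent(1548, 4100, r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe",
              r'java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"'),
    ProcEvent(1912, 1548, r"C:\Windows\SYSTEM32\attrib.exe",
              r"attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705516756.tmp"),
    ProcEvent(3856, 1548, r"C:\Windows\SYSTEM32\cmd.exe",
              r'cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
              r' /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar'
              r' C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705516756.tmp" /f"'),
    ProcEvent(4292, 3856, r"C:\Windows\system32\reg.exe",
              r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
              r' /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar'
              r' C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705516756.tmp" /f'),
    # Benign noise: a developer running a jar from a build directory, no persistence.
    ProcEvent(5000, 4100, r"C:\Program Files\Java\jre-1.8\bin\java.exe", r"java -jar build\app.jar"),
]

REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+(\S+)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r"/v\s+(\S+)", re.IGNORECASE)
DATA_RE = re.compile(r'/d\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
ATTRIB_RE = re.compile(r"\battrib(?:\.exe)?\s.*?\+h\s+(.+?)\s*$", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].strip('"').lower()

def ancestors(events, pid):
    """Image names of pid's parent chain, nearest parent first (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen, cur = [], {pid}, by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(basename(cur.image))
    return chain

def parse_run_key_add(cmdline):
    """(key, value name, data) if cmdline is 'reg add' into a Run/RunOnce key, else None."""
    m = REG_ADD_RE.search(cmdline)
    if not m or not RUN_KEY_RE.search(m.group(1).strip('"')):
        return None
    v, d = VALUE_RE.search(cmdline), DATA_RE.search(cmdline)
    data = (d.group(1) or d.group(2) or "") if d else ""
    return m.group(1).strip('"'), (v.group(1) if v else "(Default)"), data

def run_data_reasons(data):
    """Why a Run value looks like a dropped-payload launcher rather than installed software."""
    low = data.lower()
    checks = [("javaw.exe" in low and "-jar" in low, "javaw.exe -jar launcher"),
              ("\\appdata\\roaming\\" in low or "\\appdata\\local\\" in low, "payload under AppData"),
              ("\\.tmp\\" in low or low.endswith(".tmp"), "payload disguised as .tmp")]
    return [label for hit, label in checks if hit]

def jar_path(data):
    """Path after '-jar' in a java launch command, unquoted and lower-cased."""
    tail = data.split("-jar", 1)
    return tail[1].strip().strip('"').lower() if len(tail) == 2 else ""

def find_persistence(events):
    findings = []
    for e in events:
        name = basename(e.image)
        if name == "reg.exe":
            parsed = parse_run_key_add(e.cmdline)
            if parsed is None:
                continue
            key, value, data = parsed
            reasons = run_data_reasons(data)
            chain = ancestors(events, e.pid)
            if any(a in ("java.exe", "javaw.exe") for a in chain):
                reasons.append("spawned from a Java process via " + " <- ".join(chain))
            findings.append({"pid": e.pid, "rule": "run_key_persistence", "key": key,
                             "value": value, "payload": data, "reasons": reasons})
        elif name == "attrib.exe":
            m = ATTRIB_RE.search(e.cmdline)
            if m and "\\appdata\\" in m.group(1).lower():
                findings.append({"pid": e.pid, "rule": "hidden_file_in_appdata",
                                 "payload": m.group(1).strip('"'),
                                 "reasons": ["attrib +H on a user-profile path"]})
    return findings

def correlate(findings):
    """Pair each Run-key jar payload with an attrib +H target (hide the drop, then register it)."""
    hidden = {f["payload"].lower() for f in findings if f["rule"] == "hidden_file_in_appdata"}
    return [(f["value"], jar_path(f["payload"])) for f in findings
            if f["rule"] == "run_key_persistence" and jar_path(f["payload"]) in hidden]

if __name__ == "__main__":
    found = find_persistence(SAMPLE_EVENTS)
    print(found, correlate(found))
```

The correlation step is what turns two medium-confidence hits (a Run value pointing at a .tmp, an attrib +H in the profile) into one high-confidence finding, because the same path appears in both; on a real host, the same path is also the first thing to collect, since the jar on disk is the payload the sandbox never hashed.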
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.69.228:443 | checkappexec.microsoft.com | tcp |
| US | 13.89.179.11:443 | | tcp |
| US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
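Apart from the reverse-DNS lookups and the Windows background traffic to fd.api.iris.microsoft.com and checkappexec.microsoft.com, the table is one endpoint: 147.185.221.22:61672, resolved from budget-compiled.gl.at.ply.gg, contacted again and again with the name re-resolved every few dozen connections. That pattern, repeated identically in behavioral5 and behavioral6, is consistent with a RAT reconnect loop, and the ply.gg suffix (assumption: this is the playit.gg tunnelling service, which lets an operator expose a listener behind NAT without renting a server) means the IP and port belong to the tunnel provider, so the domain is the durable indicator and the IP is not. The Python below is an added triage example, not part of this report: it parses rows in the table layout above from a constructed subset embedded in the block, separates DNS lookups from the connections that follow them, counts flows per endpoint, flags tunnel-service domains, non-standard ports and direct-to-IP flows, and measures how many TCP connections follow each DNS resolution, which separates a reconnect loop from a single sustained session. The suffix lists are assumptions for illustration.

```python
"""Triage the Network table of a sandbox report.
Added example, not part of this report: parses rows in the
'| Country | Destination | Domain | Proto |' layout used above, separates
DNS lookups from the connections that follow them and flags likely C2
endpoints. The suffix lists are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str   # empty when the sandbox recorded no name for the flow
    proto: str

# Assumption: ply.gg is the playit.gg tunnel domain; add ngrok etc. for your environment.
TUNNEL_SUFFIXES = (".ply.gg",)
# Assumption: OS background traffic present in the sandbox image, not worth a finding.
ALLOWLIST_SUFFIXES = (".microsoft.com",)
COMMON_PORTS = {80, 443}

# Constructed subset of the behavioral2 table above, kept in its original order.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
| US | 13.89.179.11:443 | | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
"""

def parse_rows(text):
    """Turn table rows into Conn records; skips the header and malformed lines."""
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        try:
            conns.append(Conn(country, ip, int(port), domain, proto.lower()))
        except ValueError:       # destination without a numeric port
            continue
    return conns

def is_dns_lookup(c):
    return c.proto == "udp" and c.port == 53

def summarize(conns):
    """Flows per endpoint, excluding DNS lookups (which is where the PTR noise lives)."""
    counts = Counter()
    for c in conns:
        if not is_dns_lookup(c):
            counts[(c.ip, c.port, c.domain, c.proto)] += 1
    return counts

def connections_per_resolution(conns, domain):
    """TCP connections made after each DNS lookup of domain, in table order.
    Many short runs: the client keeps re-resolving and reconnecting (a RAT
    reconnect loop). One long run: a single sustained session or download."""
    runs, current = [], None
    for c in conns:
        if c.domain != domain:
            continue
        if is_dns_lookup(c):
            if current is not None:
                runs.append(current)
            current = 0
        elif c.proto == "tcp" and current is not None:
            current += 1
    if current is not None:
        runs.append(current)
    return runs

def flag(conns):
    """Endpoints worth a finding, with reasons, most-contacted first."""
    findings = []
    for (ip, port, domain, proto), n in summarize(conns).items():
        if domain.endswith(ALLOWLIST_SUFFIXES):
            continue
        reasons = []
        if domain.endswith(TUNNEL_SUFFIXES):
            reasons.append("tunnel service domain")
        if proto == "tcp" and port not in COMMON_PORTS:
            reasons.append(f"non-standard port {port}")
        if not domain:
            reasons.append("direct-to-IP (no DNS name observed)")
        if reasons:
            findings.append({"ip": ip, "port": port, "domain": domain, "count": n, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["count"])

if __name__ == "__main__":
    conns = parse_rows(SAMPLE_ROWS)
    for f in flag(conns):
        print(f"{f['domain'] or f['ip']}:{f['port']} x{f['count']}  {'; '.join(f['reasons'])}")
    print("TCP connections per DNS resolution:",
          connections_per_resolution(conns, "budget-compiled.gl.at.ply.gg"))
```

Run over the full behavioral2 table the resolution runs are much longer than in the embedded subset, but the shape is the same: a lookup, a burst of short TCP connections to 147.185.221.22:61672, another lookup. Block or alert on the name (and on the ply.gg suffix generally, if your environment has no business use for it) rather than on the tunnel provider's IP.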
Files
C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd
| MD5 | 01b8ed92434e95a011e8e8dacba2fd68 |
| SHA1 | d1f538dfbab7a19c792b8325b2e9cbcc3cd9937d |
| SHA256 | 59a12fd47b56fa697512484117f37bd4a69b733c44614c13153e955581eb6799 |
| SHA512 | ce14085421d4902b300370896048a3e901508def1bdd5158a7df286cbc9de32163e3ef67afe416a5879816915ec75badf6604adaf19218b6343467c9391d1f9a |
C:\Users\Admin\Desktop\expensive 3.2 crack\expapasta.jar
| MD5 | 0d086bd973376fccd4a544a2413a8669 |
| SHA1 | 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63 |
| SHA256 | 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd |
| SHA512 | 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0 |
memory/2556-8-0x000001958EFD0000-0x000001958F240000-memory.dmp
memory/2556-26-0x000001958D730000-0x000001958D731000-memory.dmp
memory/2556-34-0x000001958D730000-0x000001958D731000-memory.dmp
memory/2556-43-0x000001958D730000-0x000001958D731000-memory.dmp
memory/2556-49-0x000001958D730000-0x000001958D731000-memory.dmp
memory/2556-50-0x000001958EFD0000-0x000001958F240000-memory.dmp
memory/2556-52-0x000001958D730000-0x000001958D731000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-15 21:13
Reported
2024-11-15 21:48
Platform
win10ltsc2021-20241023-en
Max time kernel
1784s
Max time network
1801s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705516756.tmp" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1548 wrote to memory of 1912 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\attrib.exe |
| PID 1548 wrote to memory of 1912 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\attrib.exe |
| PID 1548 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1548 wrote to memory of 3856 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3856 wrote to memory of 4292 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 3856 wrote to memory of 4292 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\reg.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705516756.tmp
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705516756.tmp" /f"
C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705516756.tmp" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
Files
memory/1548-2-0x000001C994390000-0x000001C994600000-memory.dmp
memory/1548-15-0x000001C994600000-0x000001C994610000-memory.dmp
memory/1548-17-0x000001C994610000-0x000001C994620000-memory.dmp
memory/1548-20-0x000001C994620000-0x000001C994630000-memory.dmp
memory/1548-21-0x000001C994630000-0x000001C994640000-memory.dmp
memory/1548-23-0x000001C994640000-0x000001C994650000-memory.dmp
memory/1548-24-0x000001C992A80000-0x000001C992A81000-memory.dmp
memory/1548-26-0x000001C994650000-0x000001C994660000-memory.dmp
memory/1548-28-0x000001C994660000-0x000001C994670000-memory.dmp
memory/1548-31-0x000001C994670000-0x000001C994680000-memory.dmp
memory/1548-36-0x000001C994390000-0x000001C994600000-memory.dmp
memory/1548-37-0x000001C994680000-0x000001C994690000-memory.dmp
memory/1548-38-0x000001C994690000-0x000001C9946A0000-memory.dmp
memory/1548-39-0x000001C992A80000-0x000001C992A81000-memory.dmp
memory/1548-42-0x000001C9946A0000-0x000001C9946B0000-memory.dmp
memory/1548-41-0x000001C994600000-0x000001C994610000-memory.dmp
memory/1548-46-0x000001C9946B0000-0x000001C9946C0000-memory.dmp
memory/1548-45-0x000001C994610000-0x000001C994620000-memory.dmp
memory/1548-48-0x000001C994620000-0x000001C994630000-memory.dmp
memory/1548-49-0x000001C9946C0000-0x000001C9946D0000-memory.dmp
memory/1548-53-0x000001C994630000-0x000001C994640000-memory.dmp
memory/1548-54-0x000001C9946D0000-0x000001C9946E0000-memory.dmp
memory/1548-56-0x000001C994640000-0x000001C994650000-memory.dmp
memory/1548-57-0x000001C9946E0000-0x000001C9946F0000-memory.dmp
memory/1548-58-0x000001C992A80000-0x000001C992A81000-memory.dmp
memory/1548-60-0x000001C994650000-0x000001C994660000-memory.dmp
memory/1548-61-0x000001C9946F0000-0x000001C994700000-memory.dmp
memory/1548-63-0x000001C994660000-0x000001C994670000-memory.dmp
memory/1548-64-0x000001C994700000-0x000001C994710000-memory.dmp
memory/1548-68-0x000001C994710000-0x000001C994720000-memory.dmp
memory/1548-67-0x000001C994670000-0x000001C994680000-memory.dmp
memory/1548-71-0x000001C994680000-0x000001C994690000-memory.dmp
memory/1548-72-0x000001C994720000-0x000001C994730000-memory.dmp
memory/1548-75-0x000001C994730000-0x000001C994740000-memory.dmp
memory/1548-74-0x000001C994690000-0x000001C9946A0000-memory.dmp
memory/1548-79-0x000001C994740000-0x000001C994750000-memory.dmp
memory/1548-78-0x000001C9946A0000-0x000001C9946B0000-memory.dmp
memory/1548-81-0x000001C9946B0000-0x000001C9946C0000-memory.dmp
memory/1548-82-0x000001C994750000-0x000001C994760000-memory.dmp
memory/1548-83-0x000001C992A80000-0x000001C992A81000-memory.dmp
memory/1548-85-0x000001C9946C0000-0x000001C9946D0000-memory.dmp
memory/1548-86-0x000001C994760000-0x000001C994770000-memory.dmp
memory/1548-89-0x000001C9946D0000-0x000001C9946E0000-memory.dmp
memory/1548-90-0x000001C994770000-0x000001C994780000-memory.dmp
memory/1548-93-0x000001C994780000-0x000001C994790000-memory.dmp
memory/1548-92-0x000001C9946E0000-0x000001C9946F0000-memory.dmp
memory/1548-95-0x000001C9946F0000-0x000001C994700000-memory.dmp
memory/1548-96-0x000001C994790000-0x000001C9947A0000-memory.dmp
memory/1548-100-0x000001C9947A0000-0x000001C9947B0000-memory.dmp
memory/1548-99-0x000001C994700000-0x000001C994710000-memory.dmp
memory/1548-102-0x000001C994710000-0x000001C994720000-memory.dmp
memory/1548-104-0x000001C994720000-0x000001C994730000-memory.dmp
memory/1548-105-0x000001C9947B0000-0x000001C9947C0000-memory.dmp
memory/1548-108-0x000001C994730000-0x000001C994740000-memory.dmp
memory/1548-109-0x000001C9947C0000-0x000001C9947D0000-memory.dmp
memory/1548-111-0x000001C994740000-0x000001C994750000-memory.dmp
memory/1548-112-0x000001C9947D0000-0x000001C9947E0000-memory.dmp
memory/1548-114-0x000001C994750000-0x000001C994760000-memory.dmp
memory/1548-117-0x000001C994760000-0x000001C994770000-memory.dmp
memory/1548-118-0x000001C9947E0000-0x000001C9947F0000-memory.dmp
memory/1548-121-0x000001C9947F0000-0x000001C994800000-memory.dmp
memory/1548-120-0x000001C994770000-0x000001C994780000-memory.dmp
memory/1548-124-0x000001C994780000-0x000001C994790000-memory.dmp
memory/1548-125-0x000001C994800000-0x000001C994810000-memory.dmp
memory/1548-128-0x000001C994790000-0x000001C9947A0000-memory.dmp
memory/1548-129-0x000001C994810000-0x000001C994820000-memory.dmp
memory/1548-130-0x000001C9947A0000-0x000001C9947B0000-memory.dmp
memory/1548-133-0x000001C9947B0000-0x000001C9947C0000-memory.dmp
memory/1548-136-0x000001C994820000-0x000001C994830000-memory.dmp
memory/1548-135-0x000001C9947C0000-0x000001C9947D0000-memory.dmp
memory/1548-139-0x000001C9947D0000-0x000001C9947E0000-memory.dmp
memory/1548-140-0x000001C994830000-0x000001C994840000-memory.dmp
memory/1548-143-0x000001C994840000-0x000001C994850000-memory.dmp
memory/1548-145-0x000001C9947E0000-0x000001C9947F0000-memory.dmp
memory/1548-146-0x000001C994850000-0x000001C994860000-memory.dmp
memory/1548-149-0x000001C994860000-0x000001C994870000-memory.dmp
memory/1548-148-0x000001C9947F0000-0x000001C994800000-memory.dmp
memory/1548-151-0x000001C994800000-0x000001C994810000-memory.dmp
memory/1548-152-0x000001C994810000-0x000001C994820000-memory.dmp
memory/1548-155-0x000001C994870000-0x000001C994880000-memory.dmp
memory/1548-156-0x000001C992A80000-0x000001C992A81000-memory.dmp
memory/1548-161-0x000001C994880000-0x000001C994890000-memory.dmp
memory/1548-160-0x000001C994820000-0x000001C994830000-memory.dmp
memory/1548-164-0x000001C994830000-0x000001C994840000-memory.dmp
memory/1548-165-0x000001C994840000-0x000001C994850000-memory.dmp
memory/1548-166-0x000001C994890000-0x000001C9948A0000-memory.dmp
memory/1548-167-0x000001C992A80000-0x000001C992A81000-memory.dmp
memory/1548-168-0x000001C994850000-0x000001C994860000-memory.dmp
memory/1548-170-0x000001C994860000-0x000001C994870000-memory.dmp
memory/1548-171-0x000001C9948A0000-0x000001C9948B0000-memory.dmp
memory/1548-173-0x000001C994870000-0x000001C994880000-memory.dmp
memory/1548-176-0x000001C9948B0000-0x000001C9948C0000-memory.dmp
memory/1548-178-0x000001C994880000-0x000001C994890000-memory.dmp
memory/1548-179-0x000001C9948C0000-0x000001C9948D0000-memory.dmp
memory/1548-181-0x000001C994890000-0x000001C9948A0000-memory.dmp
memory/1548-182-0x000001C9948A0000-0x000001C9948B0000-memory.dmp
memory/1548-185-0x000001C9948D0000-0x000001C9948E0000-memory.dmp
memory/1548-187-0x000001C9948B0000-0x000001C9948C0000-memory.dmp
memory/1548-188-0x000001C9948C0000-0x000001C9948D0000-memory.dmp
memory/1548-192-0x000001C9948D0000-0x000001C9948E0000-memory.dmp
memory/1548-202-0x000001C9948E0000-0x000001C9948F0000-memory.dmp
memory/1548-205-0x000001C9948E0000-0x000001C9948F0000-memory.dmp
memory/1548-211-0x000001C992A80000-0x000001C992A81000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-15 21:13
Reported
2024-11-15 21:48
Platform
win11-20241007-en
Max time kernel
1784s
Max time network
1803s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705523500.tmp" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 644 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\attrib.exe |
| PID 2512 wrote to memory of 644 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\attrib.exe |
| PID 2512 wrote to memory of 5092 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 2512 wrote to memory of 5092 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 5092 wrote to memory of 3892 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 5092 wrote to memory of 3892 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\reg.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705523500.tmp
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705523500.tmp" /f"
C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705523500.tmp" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
The row above is recorded 80 times in this run: 80 separate TCP connections to the same host and port.
Files
memory/2512-2-0x0000015A82710000-0x0000015A82980000-memory.dmp
memory/2512-15-0x0000015A82980000-0x0000015A82990000-memory.dmp
memory/2512-19-0x0000015A829A0000-0x0000015A829B0000-memory.dmp
memory/2512-18-0x0000015A82990000-0x0000015A829A0000-memory.dmp
memory/2512-21-0x0000015A829B0000-0x0000015A829C0000-memory.dmp
memory/2512-23-0x0000015A829C0000-0x0000015A829D0000-memory.dmp
memory/2512-25-0x0000015A829D0000-0x0000015A829E0000-memory.dmp
memory/2512-28-0x0000015A829E0000-0x0000015A829F0000-memory.dmp
memory/2512-29-0x0000015A829F0000-0x0000015A82A00000-memory.dmp
memory/2512-31-0x0000015A80EC0000-0x0000015A80EC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705523500.tmp
| MD5 | 0d086bd973376fccd4a544a2413a8669 |
| SHA1 | 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63 |
| SHA256 | 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd |
| SHA512 | 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0 |
memory/2512-36-0x0000015A82A00000-0x0000015A82A10000-memory.dmp
memory/2512-40-0x0000015A82A10000-0x0000015A82A20000-memory.dmp
memory/2512-39-0x0000015A82710000-0x0000015A82980000-memory.dmp
memory/2512-43-0x0000015A82A20000-0x0000015A82A30000-memory.dmp
memory/2512-42-0x0000015A82980000-0x0000015A82990000-memory.dmp
memory/2512-44-0x0000015A80EC0000-0x0000015A80EC1000-memory.dmp
memory/2512-47-0x0000015A82A30000-0x0000015A82A40000-memory.dmp
memory/2512-46-0x0000015A82990000-0x0000015A829A0000-memory.dmp
memory/2512-50-0x0000015A829A0000-0x0000015A829B0000-memory.dmp
memory/2512-51-0x0000015A82A40000-0x0000015A82A50000-memory.dmp
memory/2512-54-0x0000015A82A50000-0x0000015A82A60000-memory.dmp
memory/2512-53-0x0000015A829B0000-0x0000015A829C0000-memory.dmp
memory/2512-58-0x0000015A829C0000-0x0000015A829D0000-memory.dmp
memory/2512-59-0x0000015A82A60000-0x0000015A82A70000-memory.dmp
memory/2512-61-0x0000015A829D0000-0x0000015A829E0000-memory.dmp
memory/2512-62-0x0000015A82A70000-0x0000015A82A80000-memory.dmp
memory/2512-63-0x0000015A80EC0000-0x0000015A80EC1000-memory.dmp
memory/2512-65-0x0000015A829E0000-0x0000015A829F0000-memory.dmp
memory/2512-66-0x0000015A82A80000-0x0000015A82A90000-memory.dmp
memory/2512-68-0x0000015A829F0000-0x0000015A82A00000-memory.dmp
memory/2512-69-0x0000015A82A90000-0x0000015A82AA0000-memory.dmp
memory/2512-72-0x0000015A82A00000-0x0000015A82A10000-memory.dmp
memory/2512-73-0x0000015A82AA0000-0x0000015A82AB0000-memory.dmp
memory/2512-76-0x0000015A82A10000-0x0000015A82A20000-memory.dmp
memory/2512-77-0x0000015A82AB0000-0x0000015A82AC0000-memory.dmp
memory/2512-79-0x0000015A82A20000-0x0000015A82A30000-memory.dmp
memory/2512-80-0x0000015A82AC0000-0x0000015A82AD0000-memory.dmp
memory/2512-83-0x0000015A82A30000-0x0000015A82A40000-memory.dmp
memory/2512-84-0x0000015A82AD0000-0x0000015A82AE0000-memory.dmp
memory/2512-86-0x0000015A82A40000-0x0000015A82A50000-memory.dmp
memory/2512-88-0x0000015A82A50000-0x0000015A82A60000-memory.dmp
memory/2512-89-0x0000015A82AE0000-0x0000015A82AF0000-memory.dmp
memory/2512-92-0x0000015A82AF0000-0x0000015A82B00000-memory.dmp
memory/2512-91-0x0000015A82A60000-0x0000015A82A70000-memory.dmp
memory/2512-94-0x0000015A82A70000-0x0000015A82A80000-memory.dmp
memory/2512-95-0x0000015A82B00000-0x0000015A82B10000-memory.dmp
memory/2512-98-0x0000015A82A80000-0x0000015A82A90000-memory.dmp
memory/2512-99-0x0000015A82B10000-0x0000015A82B20000-memory.dmp
memory/2512-101-0x0000015A82A90000-0x0000015A82AA0000-memory.dmp
memory/2512-102-0x0000015A82B20000-0x0000015A82B30000-memory.dmp
memory/2512-104-0x0000015A82AA0000-0x0000015A82AB0000-memory.dmp
memory/2512-105-0x0000015A82B30000-0x0000015A82B40000-memory.dmp
memory/2512-107-0x0000015A82AB0000-0x0000015A82AC0000-memory.dmp
memory/2512-109-0x0000015A82AC0000-0x0000015A82AD0000-memory.dmp
memory/2512-110-0x0000015A82B40000-0x0000015A82B50000-memory.dmp
memory/2512-114-0x0000015A82B50000-0x0000015A82B60000-memory.dmp
memory/2512-113-0x0000015A82AD0000-0x0000015A82AE0000-memory.dmp
memory/2512-116-0x0000015A82B60000-0x0000015A82B70000-memory.dmp
memory/2512-118-0x0000015A82AE0000-0x0000015A82AF0000-memory.dmp
memory/2512-121-0x0000015A82AF0000-0x0000015A82B00000-memory.dmp
memory/2512-122-0x0000015A82B70000-0x0000015A82B80000-memory.dmp
memory/2512-125-0x0000015A82B80000-0x0000015A82B90000-memory.dmp
memory/2512-124-0x0000015A82B00000-0x0000015A82B10000-memory.dmp
memory/2512-129-0x0000015A82B90000-0x0000015A82BA0000-memory.dmp
memory/2512-128-0x0000015A82B10000-0x0000015A82B20000-memory.dmp
memory/2512-132-0x0000015A82BA0000-0x0000015A82BB0000-memory.dmp
memory/2512-131-0x0000015A82B20000-0x0000015A82B30000-memory.dmp
memory/2512-135-0x0000015A82B30000-0x0000015A82B40000-memory.dmp
memory/2512-136-0x0000015A82BB0000-0x0000015A82BC0000-memory.dmp
memory/2512-138-0x0000015A82B40000-0x0000015A82B50000-memory.dmp
memory/2512-140-0x0000015A82B50000-0x0000015A82B60000-memory.dmp
memory/2512-142-0x0000015A82B60000-0x0000015A82B70000-memory.dmp
memory/2512-144-0x0000015A82BC0000-0x0000015A82BD0000-memory.dmp
memory/2512-146-0x0000015A82B70000-0x0000015A82B80000-memory.dmp
memory/2512-147-0x0000015A82BD0000-0x0000015A82BE0000-memory.dmp
memory/2512-151-0x0000015A82BE0000-0x0000015A82BF0000-memory.dmp
memory/2512-150-0x0000015A82B80000-0x0000015A82B90000-memory.dmp
memory/2512-153-0x0000015A82B90000-0x0000015A82BA0000-memory.dmp
memory/2512-154-0x0000015A82BF0000-0x0000015A82C00000-memory.dmp
memory/2512-156-0x0000015A82BA0000-0x0000015A82BB0000-memory.dmp
memory/2512-159-0x0000015A82BB0000-0x0000015A82BC0000-memory.dmp
memory/2512-160-0x0000015A82C00000-0x0000015A82C10000-memory.dmp
memory/2512-161-0x0000015A80EC0000-0x0000015A80EC1000-memory.dmp
memory/2512-164-0x0000015A82C10000-0x0000015A82C20000-memory.dmp
memory/2512-167-0x0000015A82BC0000-0x0000015A82BD0000-memory.dmp
memory/2512-168-0x0000015A82C20000-0x0000015A82C30000-memory.dmp
memory/2512-170-0x0000015A82BD0000-0x0000015A82BE0000-memory.dmp
memory/2512-173-0x0000015A82BE0000-0x0000015A82BF0000-memory.dmp
memory/2512-174-0x0000015A82BF0000-0x0000015A82C00000-memory.dmp
memory/2512-175-0x0000015A82C30000-0x0000015A82C40000-memory.dmp
memory/2512-178-0x0000015A82C00000-0x0000015A82C10000-memory.dmp
memory/2512-179-0x0000015A82C40000-0x0000015A82C50000-memory.dmp
memory/2512-181-0x0000015A82C10000-0x0000015A82C20000-memory.dmp
memory/2512-182-0x0000015A82C20000-0x0000015A82C30000-memory.dmp
memory/2512-184-0x0000015A82C50000-0x0000015A82C60000-memory.dmp
memory/2512-187-0x0000015A82C30000-0x0000015A82C40000-memory.dmp
memory/2512-188-0x0000015A82C40000-0x0000015A82C50000-memory.dmp
memory/2512-193-0x0000015A82C50000-0x0000015A82C60000-memory.dmp
memory/2512-196-0x0000015A82C60000-0x0000015A82C70000-memory.dmp
memory/2512-201-0x0000015A82C60000-0x0000015A82C70000-memory.dmp
memory/2512-217-0x0000015A80EC0000-0x0000015A80EC1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-15 21:13
Reported
2024-11-15 21:48
Platform
win10v2004-20241007-en
Max time kernel
430s
Max time network
1149s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2724 wrote to memory of 4392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2724 wrote to memory of 4392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"
C:\Windows\system32\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-15 21:13
Reported
2024-11-15 21:49
Platform
win10ltsc2021-20241023-en
Max time kernel
1363s
Max time network
1426s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 4704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2020 wrote to memory of 4704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"
C:\Windows\system32\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.199.58.43:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 21:13
Reported
2024-11-15 21:43
Platform
win10v2004-20241007-en
Max time kernel
1788s
Max time network
1798s
Command Line
Signatures
AdWind
Adwind family
Class file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705251392.tmp" | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar expapasta.jar
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705251392.tmp
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705251392.tmp" /f"
C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705251392.tmp" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd
| MD5 | 01b8ed92434e95a011e8e8dacba2fd68 |
| SHA1 | d1f538dfbab7a19c792b8325b2e9cbcc3cd9937d |
| SHA256 | 59a12fd47b56fa697512484117f37bd4a69b733c44614c13153e955581eb6799 |
| SHA512 | ce14085421d4902b300370896048a3e901508def1bdd5158a7df286cbc9de32163e3ef67afe416a5879816915ec75badf6604adaf19218b6343467c9391d1f9a |
C:\Users\Admin\Desktop\expensive 3.2 crack\expapasta.jar
| MD5 | 0d086bd973376fccd4a544a2413a8669 |
| SHA1 | 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63 |
| SHA256 | 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd |
| SHA512 | 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0 |
memory/4364-8-0x00000258CB100000-0x00000258CB370000-memory.dmp
memory/4364-27-0x00000258CB0E0000-0x00000258CB0E1000-memory.dmp
memory/4364-37-0x00000258CB0E0000-0x00000258CB0E1000-memory.dmp
memory/4364-47-0x00000258CB0E0000-0x00000258CB0E1000-memory.dmp
memory/4364-64-0x00000258CB0E0000-0x00000258CB0E1000-memory.dmp
memory/4364-65-0x00000258CB100000-0x00000258CB370000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-15 21:13
Reported
2024-11-15 21:45
Platform
win11-20241007-en
Max time kernel
1789s
Max time network
1798s
Command Line
Signatures
AdWind
Adwind family
Class file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705340316.tmp" | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar expapasta.jar
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705340316.tmp
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705340316.tmp" /f"
C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705340316.tmp" /f
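The process chain above is the same in behavioral1, behavioral2 and behavioral3: cmd.exe runs start.cmd, java.exe launches expapasta.jar, a copy of the jar is dropped as a timestamp-named .tmp under AppData\Roaming\Microsoft\.tmp (its MD5/SHA256 match expapasta.jar in the Files section), attrib +H hides it, and reg.exe writes an HKCU Run value named Home that relaunches it with javaw.exe -jar. Only the .tmp filename differs between runs. The Python below is an added example, not part of this report or of any sandbox's code: it parses process command lines of the form recorded here, extracts the REG ADD key, value name and data, and scores each Run entry by the traits a detection engineer would key on (Java launcher, non-.jar payload extension, user-writable path, payload hidden with attrib). The sample command lines are copied from behavioral3; the regexes and the scoring are my own choices.

```python
"""Score Run-key persistence written via reg.exe, from process command lines.

Added example for this report; regexes, scoring and the sample input below are
the example author's own and not sandbox or malware-family code.
"""
import re

# Constructed sample: the command lines recorded in behavioral3's process tree.
SAMPLE_PROCESS_LINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "',
    r'chcp 65001',
    r'java -jar expapasta.jar',
    r'attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705340316.tmp',
    r'cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705340316.tmp" /f"',
    r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705340316.tmp" /f',
]

# 'reg add' may be wrapped in cmd.exe /c "...", so search rather than match.
REG_ADD_RE = re.compile(r'\breg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<args>.*)', re.I)
VALUE_NAME_RE = re.compile(r'\s/v\s+(?P<name>"[^"]+"|\S+)', re.I)
VALUE_DATA_RE = re.compile(r'\s/d\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.I)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?$', re.I)
ATTRIB_RE = re.compile(r'\battrib(?:\.exe)?\s+(?P<flags>(?:[+-][a-z]\s+)+)(?P<path>.+?)\s*$', re.I)
JAVA_JAR_RE = re.compile(r'javaw?(?:\.exe)?"?\s+(?:\S+\s+)*?-jar\s+(?P<jar>"[^"]+"|\S+)', re.I)
USER_WRITABLE_RE = re.compile(r'\\AppData\\(?:Roaming|Local|LocalLow)\\|\\Users\\Public\\|\\Temp\\', re.I)


def parse_reg_add(cmdline):
    """Return {key, name, data, force} for a 'reg add' anywhere in the line, else None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args")
    name = VALUE_NAME_RE.search(args)
    data = VALUE_DATA_RE.search(args)
    if data:
        value = data.group("quoted") if data.group("quoted") is not None else data.group("bare")
    else:
        value = None
    return {
        "key": m.group("key").strip('"'),
        "name": name.group("name").strip('"') if name else None,
        "data": value,
        "force": re.search(r"\s/f\b", args, re.I) is not None,
    }


def analyze(cmdlines):
    """Correlate attrib +H with Run-key writes; one scored finding per distinct Run value."""
    hidden = set()
    entries = {}
    for line in cmdlines:
        a = ATTRIB_RE.search(line)
        if a and "+h" in a.group("flags").lower():
            hidden.add(a.group("path").strip().strip('"').lower())
        r = parse_reg_add(line)
        if r and r["data"] and RUN_KEY_RE.search(r["key"]):
            # the cmd.exe wrapper and the child reg.exe both carry the same command
            entries[(r["key"].lower(), (r["name"] or "").lower(), r["data"].lower())] = r
    findings = []
    for r in entries.values():
        reasons = [f"autorun value {r['key']}\\{r['name']} written with reg.exe"]
        jar = JAVA_JAR_RE.search(r["data"])
        payload = jar.group("jar").strip('"') if jar else None
        if payload:
            reasons.append("launcher is a Java runtime executing a jar")
            basename = payload.rsplit("\\", 1)[-1]
            if not payload.lower().endswith(".jar"):
                reasons.append(f"jar payload disguised with a non-.jar extension ({basename})")
        if USER_WRITABLE_RE.search(r["data"]):
            reasons.append("payload lives under a user-writable path")
        if payload and payload.lower() in hidden:
            reasons.append("same payload was hidden with attrib +H")
        findings.append({"value": r["name"], "payload": payload, "reasons": reasons, "score": len(reasons)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESS_LINES):
        print(f"[score {f['score']}] Run\\{f['value']} -> {f['payload']}")
        for why in f["reasons"]:
            print("   -", why)
```

The hidden-file correlation is what separates this from a plain Run-key alert: a legitimate installer writes a Run value, but it does not hide its own payload with attrib +H or name a jar with a .tmp extension. Feeding it Sysmon event 1 command lines instead of sandbox output needs no change to the parsing.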
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
The row above is recorded 79 times in this run: 79 separate TCP connections to the same host and port.
Files
C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd
| MD5 | 01b8ed92434e95a011e8e8dacba2fd68 |
| SHA1 | d1f538dfbab7a19c792b8325b2e9cbcc3cd9937d |
| SHA256 | 59a12fd47b56fa697512484117f37bd4a69b733c44614c13153e955581eb6799 |
| SHA512 | ce14085421d4902b300370896048a3e901508def1bdd5158a7df286cbc9de32163e3ef67afe416a5879816915ec75badf6604adaf19218b6343467c9391d1f9a |
C:\Users\Admin\Desktop\expensive 3.2 crack\expapasta.jar
| MD5 | 0d086bd973376fccd4a544a2413a8669 |
| SHA1 | 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63 |
| SHA256 | 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd |
| SHA512 | 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-15 21:13
Reported
2024-11-15 21:47
Platform
win10v2004-20241007-en
Max time kernel
1786s
Max time network
1797s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705446384.tmp" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2276 wrote to memory of 848 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\attrib.exe |
| PID 2276 wrote to memory of 1652 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1652 wrote to memory of 2556 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\reg.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705446384.tmp
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705446384.tmp" /f"
C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705446384.tmp" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | budget-compiled.gl.at.ply.gg | udp |
| US | 147.185.221.22:61672 | budget-compiled.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705446384.tmp
| MD5 | 0d086bd973376fccd4a544a2413a8669 |
| SHA1 | 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63 |
| SHA256 | 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd |
| SHA512 | 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-15 21:13
Reported
2024-11-15 21:49
Platform
win11-20241007-en
Max time kernel
432s
Max time network
1154s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1388 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"
C:\Windows\system32\chcp.com
chcp 65001