Malware Analysis Report

2024-12-07 20:38

Sample ID 241115-z2vsqssekq
Target expensive crack.zip
SHA256 012d2fcae6942de8aa569557c3b95ba0434f66e7ae2bfe35b0a800d3e99a4cfc
Tags adwind persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

012d2fcae6942de8aa569557c3b95ba0434f66e7ae2bfe35b0a800d3e99a4cfc

Threat Level: Known bad

The file expensive crack.zip was found to be: Known bad.

Malicious Activity Summary

adwind persistence trojan

AdWind

Class file contains resources related to AdWind

Adwind family

Adds Run key to start application

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 21:13

Signatures

Adwind family

adwind

Class file contains resources related to AdWind

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 21:13

Reported

2024-11-15 21:44

Platform

win10ltsc2021-20241023-en

Max time kernel

1793s

Max time network

1798s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"

Signatures

AdWind

trojan adwind

Adwind family

adwind

Class file contains resources related to AdWind

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705296182.tmp" | C:\Windows\system32\reg.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |

Views/modifies file attributes

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar expapasta.jar

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705296182.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705296182.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705296182.tmp" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.36.55:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.69.228:443 checkappexec.microsoft.com tcp
US 13.89.179.11:443 N/A tcp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp

Files

C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd

MD5 01b8ed92434e95a011e8e8dacba2fd68
SHA1 d1f538dfbab7a19c792b8325b2e9cbcc3cd9937d
SHA256 59a12fd47b56fa697512484117f37bd4a69b733c44614c13153e955581eb6799
SHA512 ce14085421d4902b300370896048a3e901508def1bdd5158a7df286cbc9de32163e3ef67afe416a5879816915ec75badf6604adaf19218b6343467c9391d1f9a

C:\Users\Admin\Desktop\expensive 3.2 crack\expapasta.jar

MD5 0d086bd973376fccd4a544a2413a8669
SHA1 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63
SHA256 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd
SHA512 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0

memory/2556-8-0x000001958EFD0000-0x000001958F240000-memory.dmp

memory/2556-26-0x000001958D730000-0x000001958D731000-memory.dmp

memory/2556-34-0x000001958D730000-0x000001958D731000-memory.dmp

memory/2556-43-0x000001958D730000-0x000001958D731000-memory.dmp

memory/2556-49-0x000001958D730000-0x000001958D731000-memory.dmp

memory/2556-50-0x000001958EFD0000-0x000001958F240000-memory.dmp

memory/2556-52-0x000001958D730000-0x000001958D731000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-15 21:13

Reported

2024-11-15 21:48

Platform

win10ltsc2021-20241023-en

Max time kernel

1784s

Max time network

1801s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"

Signatures

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705516756.tmp" | C:\Windows\system32\reg.exe | N/A |

Views/modifies file attributes

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705516756.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705516756.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705516756.tmp" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
NL 20.103.156.88:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp

Files

memory/1548-2-0x000001C994390000-0x000001C994600000-memory.dmp

memory/1548-15-0x000001C994600000-0x000001C994610000-memory.dmp

memory/1548-17-0x000001C994610000-0x000001C994620000-memory.dmp

memory/1548-20-0x000001C994620000-0x000001C994630000-memory.dmp

memory/1548-21-0x000001C994630000-0x000001C994640000-memory.dmp

memory/1548-23-0x000001C994640000-0x000001C994650000-memory.dmp

memory/1548-24-0x000001C992A80000-0x000001C992A81000-memory.dmp

memory/1548-26-0x000001C994650000-0x000001C994660000-memory.dmp

memory/1548-28-0x000001C994660000-0x000001C994670000-memory.dmp

memory/1548-31-0x000001C994670000-0x000001C994680000-memory.dmp

memory/1548-36-0x000001C994390000-0x000001C994600000-memory.dmp

memory/1548-37-0x000001C994680000-0x000001C994690000-memory.dmp

memory/1548-38-0x000001C994690000-0x000001C9946A0000-memory.dmp

memory/1548-39-0x000001C992A80000-0x000001C992A81000-memory.dmp

memory/1548-42-0x000001C9946A0000-0x000001C9946B0000-memory.dmp

memory/1548-41-0x000001C994600000-0x000001C994610000-memory.dmp

memory/1548-46-0x000001C9946B0000-0x000001C9946C0000-memory.dmp

memory/1548-45-0x000001C994610000-0x000001C994620000-memory.dmp

memory/1548-48-0x000001C994620000-0x000001C994630000-memory.dmp

memory/1548-49-0x000001C9946C0000-0x000001C9946D0000-memory.dmp

memory/1548-53-0x000001C994630000-0x000001C994640000-memory.dmp

memory/1548-54-0x000001C9946D0000-0x000001C9946E0000-memory.dmp

memory/1548-56-0x000001C994640000-0x000001C994650000-memory.dmp

memory/1548-57-0x000001C9946E0000-0x000001C9946F0000-memory.dmp

memory/1548-58-0x000001C992A80000-0x000001C992A81000-memory.dmp

memory/1548-60-0x000001C994650000-0x000001C994660000-memory.dmp

memory/1548-61-0x000001C9946F0000-0x000001C994700000-memory.dmp

memory/1548-63-0x000001C994660000-0x000001C994670000-memory.dmp

memory/1548-64-0x000001C994700000-0x000001C994710000-memory.dmp

memory/1548-68-0x000001C994710000-0x000001C994720000-memory.dmp

memory/1548-67-0x000001C994670000-0x000001C994680000-memory.dmp

memory/1548-71-0x000001C994680000-0x000001C994690000-memory.dmp

memory/1548-72-0x000001C994720000-0x000001C994730000-memory.dmp

memory/1548-75-0x000001C994730000-0x000001C994740000-memory.dmp

memory/1548-74-0x000001C994690000-0x000001C9946A0000-memory.dmp

memory/1548-79-0x000001C994740000-0x000001C994750000-memory.dmp

memory/1548-78-0x000001C9946A0000-0x000001C9946B0000-memory.dmp

memory/1548-81-0x000001C9946B0000-0x000001C9946C0000-memory.dmp

memory/1548-82-0x000001C994750000-0x000001C994760000-memory.dmp

memory/1548-83-0x000001C992A80000-0x000001C992A81000-memory.dmp

memory/1548-85-0x000001C9946C0000-0x000001C9946D0000-memory.dmp

memory/1548-86-0x000001C994760000-0x000001C994770000-memory.dmp

memory/1548-89-0x000001C9946D0000-0x000001C9946E0000-memory.dmp

memory/1548-90-0x000001C994770000-0x000001C994780000-memory.dmp

memory/1548-93-0x000001C994780000-0x000001C994790000-memory.dmp

memory/1548-92-0x000001C9946E0000-0x000001C9946F0000-memory.dmp

memory/1548-95-0x000001C9946F0000-0x000001C994700000-memory.dmp

memory/1548-96-0x000001C994790000-0x000001C9947A0000-memory.dmp

memory/1548-100-0x000001C9947A0000-0x000001C9947B0000-memory.dmp

memory/1548-99-0x000001C994700000-0x000001C994710000-memory.dmp

memory/1548-102-0x000001C994710000-0x000001C994720000-memory.dmp

memory/1548-104-0x000001C994720000-0x000001C994730000-memory.dmp

memory/1548-105-0x000001C9947B0000-0x000001C9947C0000-memory.dmp

memory/1548-108-0x000001C994730000-0x000001C994740000-memory.dmp

memory/1548-109-0x000001C9947C0000-0x000001C9947D0000-memory.dmp

memory/1548-111-0x000001C994740000-0x000001C994750000-memory.dmp

memory/1548-112-0x000001C9947D0000-0x000001C9947E0000-memory.dmp

memory/1548-114-0x000001C994750000-0x000001C994760000-memory.dmp

memory/1548-117-0x000001C994760000-0x000001C994770000-memory.dmp

memory/1548-118-0x000001C9947E0000-0x000001C9947F0000-memory.dmp

memory/1548-121-0x000001C9947F0000-0x000001C994800000-memory.dmp

memory/1548-120-0x000001C994770000-0x000001C994780000-memory.dmp

memory/1548-124-0x000001C994780000-0x000001C994790000-memory.dmp

memory/1548-125-0x000001C994800000-0x000001C994810000-memory.dmp

memory/1548-128-0x000001C994790000-0x000001C9947A0000-memory.dmp

memory/1548-129-0x000001C994810000-0x000001C994820000-memory.dmp

memory/1548-130-0x000001C9947A0000-0x000001C9947B0000-memory.dmp

memory/1548-133-0x000001C9947B0000-0x000001C9947C0000-memory.dmp

memory/1548-136-0x000001C994820000-0x000001C994830000-memory.dmp

memory/1548-135-0x000001C9947C0000-0x000001C9947D0000-memory.dmp

memory/1548-139-0x000001C9947D0000-0x000001C9947E0000-memory.dmp

memory/1548-140-0x000001C994830000-0x000001C994840000-memory.dmp

memory/1548-143-0x000001C994840000-0x000001C994850000-memory.dmp

memory/1548-145-0x000001C9947E0000-0x000001C9947F0000-memory.dmp

memory/1548-146-0x000001C994850000-0x000001C994860000-memory.dmp

memory/1548-149-0x000001C994860000-0x000001C994870000-memory.dmp

memory/1548-148-0x000001C9947F0000-0x000001C994800000-memory.dmp

memory/1548-151-0x000001C994800000-0x000001C994810000-memory.dmp

memory/1548-152-0x000001C994810000-0x000001C994820000-memory.dmp

memory/1548-155-0x000001C994870000-0x000001C994880000-memory.dmp

memory/1548-156-0x000001C992A80000-0x000001C992A81000-memory.dmp

memory/1548-161-0x000001C994880000-0x000001C994890000-memory.dmp

memory/1548-160-0x000001C994820000-0x000001C994830000-memory.dmp

memory/1548-164-0x000001C994830000-0x000001C994840000-memory.dmp

memory/1548-165-0x000001C994840000-0x000001C994850000-memory.dmp

memory/1548-166-0x000001C994890000-0x000001C9948A0000-memory.dmp

memory/1548-167-0x000001C992A80000-0x000001C992A81000-memory.dmp

memory/1548-168-0x000001C994850000-0x000001C994860000-memory.dmp

memory/1548-170-0x000001C994860000-0x000001C994870000-memory.dmp

memory/1548-171-0x000001C9948A0000-0x000001C9948B0000-memory.dmp

memory/1548-173-0x000001C994870000-0x000001C994880000-memory.dmp

memory/1548-176-0x000001C9948B0000-0x000001C9948C0000-memory.dmp

memory/1548-178-0x000001C994880000-0x000001C994890000-memory.dmp

memory/1548-179-0x000001C9948C0000-0x000001C9948D0000-memory.dmp

memory/1548-181-0x000001C994890000-0x000001C9948A0000-memory.dmp

memory/1548-182-0x000001C9948A0000-0x000001C9948B0000-memory.dmp

memory/1548-185-0x000001C9948D0000-0x000001C9948E0000-memory.dmp

memory/1548-187-0x000001C9948B0000-0x000001C9948C0000-memory.dmp

memory/1548-188-0x000001C9948C0000-0x000001C9948D0000-memory.dmp

memory/1548-192-0x000001C9948D0000-0x000001C9948E0000-memory.dmp

memory/1548-202-0x000001C9948E0000-0x000001C9948F0000-memory.dmp

memory/1548-205-0x000001C9948E0000-0x000001C9948F0000-memory.dmp

memory/1548-211-0x000001C992A80000-0x000001C992A81000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-15 21:13

Reported

2024-11-15 21:48

Platform

win11-20241007-en

Max time kernel

1784s

Max time network

1803s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"

Signatures

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705523500.tmp" | C:\Windows\system32\reg.exe | N/A |

Views/modifies file attributes

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705523500.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705523500.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705523500.tmp" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705523500.tmp

MD5 0d086bd973376fccd4a544a2413a8669
SHA1 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63
SHA256 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd
SHA512 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-15 21:13

Reported

2024-11-15 21:48

Platform

win10v2004-20241007-en

Max time kernel

430s

Max time network

1149s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"

C:\Windows\system32\chcp.com

chcp 65001

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-15 21:13

Reported

2024-11-15 21:49

Platform

win10ltsc2021-20241023-en

Max time kernel

1363s

Max time network

1426s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"

C:\Windows\system32\chcp.com

chcp 65001

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 21:13

Reported

2024-11-15 21:43

Platform

win10v2004-20241007-en

Max time kernel

1788s

Max time network

1798s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"

Signatures

AdWind

trojan adwind

Adwind family

adwind

Class file contains resources related to AdWind

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705251392.tmp" C:\Windows\system32\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar expapasta.jar

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705251392.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705251392.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705251392.tmp" /f

Network

Country Destination Domain Proto

Files

C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd

MD5 01b8ed92434e95a011e8e8dacba2fd68
SHA1 d1f538dfbab7a19c792b8325b2e9cbcc3cd9937d
SHA256 59a12fd47b56fa697512484117f37bd4a69b733c44614c13153e955581eb6799
SHA512 ce14085421d4902b300370896048a3e901508def1bdd5158a7df286cbc9de32163e3ef67afe416a5879816915ec75badf6604adaf19218b6343467c9391d1f9a

C:\Users\Admin\Desktop\expensive 3.2 crack\expapasta.jar

MD5 0d086bd973376fccd4a544a2413a8669
SHA1 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63
SHA256 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd
SHA512 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-15 21:13

Reported

2024-11-15 21:45

Platform

win11-20241007-en

Max time kernel

1789s

Max time network

1798s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"

Signatures

AdWind

trojan adwind

Adwind family

adwind

Class file contains resources related to AdWind

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705340316.tmp" C:\Windows\system32\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expensive crack.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar expapasta.jar

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705340316.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705340316.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705340316.tmp" /f

Network

Country Destination Domain Proto

Files

C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd

MD5 01b8ed92434e95a011e8e8dacba2fd68
SHA1 d1f538dfbab7a19c792b8325b2e9cbcc3cd9937d
SHA256 59a12fd47b56fa697512484117f37bd4a69b733c44614c13153e955581eb6799
SHA512 ce14085421d4902b300370896048a3e901508def1bdd5158a7df286cbc9de32163e3ef67afe416a5879816915ec75badf6604adaf19218b6343467c9391d1f9a

C:\Users\Admin\Desktop\expensive 3.2 crack\expapasta.jar

MD5 0d086bd973376fccd4a544a2413a8669
SHA1 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63
SHA256 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd
SHA512 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-15 21:13

Reported

2024-11-15 21:47

Platform

win10v2004-20241007-en

Max time kernel

1786s

Max time network

1797s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705446384.tmp" C:\Windows\system32\reg.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705446384.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705446384.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705446384.tmp" /f

Network

Country Destination Domain Proto

Files


C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705446384.tmp

MD5 0d086bd973376fccd4a544a2413a8669
SHA1 7e7f37a586c0cc0cf76d9ac89d4aa3accac73b63
SHA256 56e11160890d361c8175760ac8ad16dc46d8e35dc18caf3d3e64b8fbd83ba6bd
SHA512 8b8b2eeea1dbc7a1722ed099ac113a50a80ba8b2a260e6a342ce527086bbf2b18d72705a5e9fb0593a1d964ea01c66f246bbfea821aa90dfa85fec3d90d5f1f0


Analysis: behavioral9

Detonation Overview

Submitted

2024-11-15 21:13

Reported

2024-11-15 21:49

Platform

win11-20241007-en

Max time kernel

432s

Max time network

1154s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"

C:\Windows\system32\chcp.com

chcp 65001

Network

Files

N/A