Analysis Overview
SHA256
260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651df
Threat Level: Known bad
The file 260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe was found to be: Known bad.
Malicious Activity Summary
Phorphiex, Phorpiex
xmrig
Xmrig family
Phorphiex payload
Phorphiex family
Suspicious use of NtCreateUserProcessOtherParentProcess
XMRig Miner payload
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Deletes itself
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 04:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 04:00
Reported
2024-11-17 04:02
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2020 created 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\1410531124.exe | C:\Windows\Explorer.EXE |
| PID 2020 created 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\1410531124.exe | C:\Windows\Explorer.EXE |
| PID 932 created 3424 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 932 created 3424 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 932 created 3424 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1567831992.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\1156717982.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 932 set thread context of 4752 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 932 set thread context of 3316 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\1156717982.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\1156717982.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1156717982.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3342028962.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2985919836.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\331248294.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8443.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{2821D4BF-4BB0-4804-8BAE-E7DABCE9E75A} | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
"C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe"
C:\Users\Admin\AppData\Local\Temp\8443.exe
"C:\Users\Admin\AppData\Local\Temp\8443.exe"
C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe
tools\NativeUpdater.exe 260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe 260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe.tmp --nativeLauncherVersion 788 --nativeLauncherVersion 788
C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe --nativeLauncherVersion 788 --nativeLauncherVersion 788
C:\Users\Admin\AppData\Local\Temp\1156717982.exe
C:\Users\Admin\AppData\Local\Temp\1156717982.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\1567831992.exe
C:\Users\Admin\AppData\Local\Temp\1567831992.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\2985919836.exe
C:\Users\Admin\AppData\Local\Temp\2985919836.exe
C:\Users\Admin\AppData\Local\Temp\331248294.exe
C:\Users\Admin\AppData\Local\Temp\331248294.exe
C:\Users\Admin\AppData\Local\Temp\3342028962.exe
C:\Users\Admin\AppData\Local\Temp\3342028962.exe
C:\Users\Admin\AppData\Local\Temp\1410531124.exe
C:\Users\Admin\AppData\Local\Temp\1410531124.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
"C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe" --type=gpu-process --field-trial-handle=2104,9334290126743004157,10435758065319351464,131072 --enable-features=CastMediaRouteProvider --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2112 /prefetch:2
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}
C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
"C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,9334290126743004157,10435758065319351464,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --lang=en-US --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --mojo-platform-channel-handle=2572 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
"C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2104,9334290126743004157,10435758065319351464,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2724 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
"C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --field-trial-handle=2104,9334290126743004157,10435758065319351464,131072 --enable-features=CastMediaRouteProvider --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt" --log-severity=info --launcherui --workdir="C:\Users\Admin\AppData\Roaming\.minecraft" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | launchermeta.mojang.com | udp |
| US | 13.107.246.64:443 | launchermeta.mojang.com | tcp |
| US | 8.8.8.8:53 | piston-meta.mojang.com | udp |
| US | 13.107.246.64:443 | piston-meta.mojang.com | tcp |
| US | 8.8.8.8:53 | piston-data.mojang.com | udp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 8.8.8.8:53 | twizt.net | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| N/A | 127.0.0.1:65439 | tcp | |
| N/A | 127.0.0.1:65441 | tcp | |
| N/A | 127.0.0.1:65444 | tcp | |
| N/A | 127.0.0.1:65447 | tcp | |
| N/A | 127.0.0.1:65463 | tcp | |
| N/A | 127.0.0.1:65466 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| US | 13.107.246.64:443 | piston-data.mojang.com | tcp |
| N/A | 127.0.0.1:65510 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.xboxab.com | udp |
| US | 13.107.5.91:443 | www.xboxab.com | tcp |
| US | 8.8.8.8:53 | sentry.io | udp |
| US | 8.8.8.8:53 | launchermeta.mojang.com | udp |
| US | 35.186.247.156:443 | sentry.io | tcp |
| US | 13.107.246.64:443 | launchermeta.mojang.com | tcp |
| US | 8.8.8.8:53 | piston-meta.mojang.com | udp |
| US | 13.107.246.64:443 | piston-meta.mojang.com | tcp |
| US | 8.8.8.8:53 | 82.235.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.247.186.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | title.mgt.xboxlive.com | udp |
| IE | 13.69.141.149:443 | title.mgt.xboxlive.com | tcp |
| US | 8.8.8.8:53 | device.auth.xboxlive.com | udp |
| US | 40.122.167.99:443 | device.auth.xboxlive.com | tcp |
| US | 8.8.8.8:53 | 149.141.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.122.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| MX | 189.167.22.36:40500 | udp | |
| PK | 124.109.48.132:40500 | tcp | |
| US | 8.8.8.8:53 | 36.22.167.189.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.48.109.124.in-addr.arpa | udp |
| US | 8.8.8.8:53 | launchercontent.mojang.com | udp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 8.8.8.8:53 | launchercontent.mojang.com | udp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| US | 13.107.246.64:443 | launchercontent.mojang.com | tcp |
| N/A | 127.0.0.1:49470 | tcp | |
| N/A | 127.0.0.1:49479 | tcp | |
| N/A | 127.0.0.1:49481 | tcp | |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| KZ | 91.246.92.22:40500 | udp | |
| N/A | 127.0.0.1:49486 | tcp | |
| N/A | 127.0.0.1:49495 | tcp | |
| N/A | 127.0.0.1:49502 | tcp | |
| YE | 178.130.118.237:40500 | tcp | |
| US | 8.8.8.8:53 | 22.92.246.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vortex.data.microsoft.com | udp |
| US | 20.189.173.23:443 | vortex.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| VE | 190.77.159.119:40500 | udp | |
| US | 8.8.8.8:53 | 119.159.77.190.in-addr.arpa | udp |
| N/A | 127.0.0.1:49548 | tcp | |
| CN | 117.146.200.209:40500 | udp | |
| US | 8.8.8.8:53 | 209.200.146.117.in-addr.arpa | udp |
| N/A | 127.0.0.1:49601 | tcp | |
| SY | 77.44.162.69:40500 | udp | |
| US | 8.8.8.8:53 | 69.162.44.77.in-addr.arpa | udp |
| SY | 77.44.198.123:40500 | udp | |
| US | 8.8.8.8:53 | 123.198.44.77.in-addr.arpa | udp |
| TR | 85.103.235.188:40500 | udp | |
| US | 8.8.8.8:53 | 188.235.103.85.in-addr.arpa | udp |
| AO | 154.71.224.9:40500 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KZ | 5.76.2.36:40500 | udp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.2.76.5.in-addr.arpa | udp |
| UZ | 90.156.163.10:40500 | udp | |
| US | 8.8.8.8:53 | 10.163.156.90.in-addr.arpa | udp |
| MX | 189.164.170.136:40500 | udp | |
| US | 8.8.8.8:53 | 136.170.164.189.in-addr.arpa | udp |
| KZ | 95.59.171.222:40500 | udp | |
| US | 8.8.8.8:53 | 222.171.59.95.in-addr.arpa | udp |
| IR | 78.38.29.237:40500 | udp | |
| US | 8.8.8.8:53 | 237.29.38.78.in-addr.arpa | udp |
| MX | 189.141.139.39:40500 | tcp | |
| US | 8.8.8.8:53 | 39.139.141.189.in-addr.arpa | udp |
| IR | 2.187.89.214:40500 | udp | |
| US | 8.8.8.8:53 | 214.89.187.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\8443.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
C:\Users\Admin\AppData\Local\Temp\tools\NativeUpdater.exe
| MD5 | 69f6d2214bfcafa9236c1747b398a1af |
| SHA1 | c3bbb7986ab728493a05c57dcb7f1a383258f3c9 |
| SHA256 | f13212b3462edbd5cd14d81b5397bf2f0281cc221c5464f4875c0ab0b84fe884 |
| SHA512 | 59d55fa5a8d0518bf645001742e5ec0bbb0af6ca9203ed46ca9cc453e5be883de11e978bdfd68677a5f3653ee7a97cc1eeb8633fd4c5ece95790d166d1b22cd8 |
C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe.tmp
| MD5 | e8c86a94df2f0a4c5edfa59cfc420329 |
| SHA1 | 4212cb446a2dce87225ca20ba45e10befb084062 |
| SHA256 | 60c59edec70f5cd7d1cf880e7a1475de6f73932dc23ae913f9c7dfeaf52489e1 |
| SHA512 | 273298886ff9466a28caae48e59d701fc1519ba39196ff5abac8c52b0d00e21be00e852ff453ed659fcf2c7cc980c138bf162a4dc8453d84fc542df451880e2e |
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_log.txt
| MD5 | ba2d3eb86e9c3edb2890002b5b16dbba |
| SHA1 | e27c1bf63aa1f960b76a04a1a65e06d38aa75991 |
| SHA256 | 04132ec794493bb74e1dd48b04790835061709ea40a10b2f3e8ef09faa62ae03 |
| SHA512 | 88aca3d1ce35228996d0c968d359635bb44e8a9a37f4db2d374b2c0366ade6b56ccfe071d62644f53fc626190a4eb7ad02d95701c7a6c789850ed675aceb2c17 |
C:\Users\Admin\AppData\Local\Temp\1156717982.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H6N4U6J0\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
C:\Users\Admin\AppData\Local\Temp\1567831992.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
memory/3476-44-0x00000000002C0000-0x00000000002C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2985919836.exe
| MD5 | 6946486673f91392724e944be9ca9249 |
| SHA1 | e74009983ced1fa683cda30b52ae889bc2ca6395 |
| SHA256 | 885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd |
| SHA512 | e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9 |
C:\Users\Admin\AppData\Local\Temp\331248294.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
C:\Users\Admin\AppData\Local\Temp\3342028962.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |
C:\Users\Admin\AppData\Local\Temp\1410531124.exe
| MD5 | 13b26b2c7048a92d6a843c1302618fad |
| SHA1 | 89c2dfc01ac12ef2704c7669844ec69f1700c1ca |
| SHA256 | 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256 |
| SHA512 | d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455 |
memory/3392-361-0x00000178E7000000-0x00000178E7022000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_esuzbxt3.n2w.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\game\chrome_elf.dll
| MD5 | 4c8f4689e087a9843a79d6ec923f00df |
| SHA1 | e6e37e19a04a55944bdfba6f9359bbe0ea8402fc |
| SHA256 | 8753acc450280e1c5ef5a09dac46d1fd873f1e66d771affc4b4afbfa3d59e3c4 |
| SHA512 | 30b205bb4b391b23a7bb15248daa42af3ec34225d169a0d70325ea7e1422d298ea3376962e689311074346dd7aec3579789748e3aaa17b04ab72de6c0a0fc5e0 |
memory/2020-387-0x00007FF7D58E0000-0x00007FF7D5E77000-memory.dmp
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_settings.json
| MD5 | 270ade77b4358d215f30e625a2b172f6 |
| SHA1 | c407dcca0525ba0bb9d9c5d63ac78f7aa03ae03a |
| SHA256 | 7afa6b9dacfb8d546c8f9c386601999232fa9aa6bcc9879503ab2433e053c3c5 |
| SHA512 | af56d5ec7d603284db4fe340f5f5fc00c48b0e3d065660cb3d40088e6c4c35675cb7eaa6504803a11120d49e40d7aeb0f5321aacef79e5b074369722056bcd62 |
C:\Users\Admin\AppData\Local\Temp\game\cef_extensions.pak
| MD5 | c294094045246da46492204f2920d74f |
| SHA1 | 229367ac0be0a2da9d6338cba6f45c07f790140c |
| SHA256 | 8e8882c3d420231e1ddd1329e259cd8dc38fe392727aa74cfa4df57125d4cfb3 |
| SHA512 | 03543e3c436a8b42b3f5bb942de468b4898172720ddef5597535b81347581ae0c89bf91e6bef3b91c796ca5bd393a865b2fa53ba70b2fda6578c640b14ab92cd |
C:\Users\Admin\AppData\Local\Temp\game\cef_200_percent.pak
| MD5 | 50a6d9ab74ebfaeda5baa28997149977 |
| SHA1 | 1ad557cecf3d54a5fbe471ceab189d344fef347c |
| SHA256 | c8f7697bdb4aa19722b975dd2126baf8c2edb5c0a58e2d64a6fefa4cbb8335ec |
| SHA512 | 31647191b432f82ff24a41a16abb77512bed2f3105791079d795304452e2bff89f618202023fd133cdc79f80d02647093edebca9e43c19cbd4d2bed4c8d35180 |
C:\Users\Admin\AppData\Local\Temp\game\cef_100_percent.pak
| MD5 | 4cec40309dc9e4bf0f0cc915aeb6c9ac |
| SHA1 | 2da1b18943265f473f6b87b63132dbb2398ff487 |
| SHA256 | 6267cb52b0ca5593cf402139e736eb4f1d6bc3f2eab4c6deb99934711050ef4f |
| SHA512 | e684d4d735762e87c8556c164379f97f59b8b4077e2f4c49ae43610ca2a3994ad45839cf6edef4e741a4f1fb345413e4246fb5901dd52bd98c9a2f60866817c7 |
C:\Users\Admin\AppData\Local\Temp\game\cef.pak
| MD5 | fa6c54291dcc13acc9dbec30923fe503 |
| SHA1 | 8f157cc1ab1c18bf47305543b149604797cd6587 |
| SHA256 | 455dd904ba68305f45682ae9c776a87cb2cb67bbe2d20e13cf97a812b68cf5f4 |
| SHA512 | 135773297e6481f66d53a6a6bb887e0e0ba17ded9f76e2cef2db48a095a4c301eda84feb46f2a44425f4d34accd72765ee324d30a0692aa0c6d2c513166d51de |
C:\Users\Admin\AppData\Local\Temp\game\locales\en-US.pak
| MD5 | 16a6914c9637812257e28b2cc4e6d809 |
| SHA1 | 82212a642c90b51b8f67e517ee8782da841b658f |
| SHA256 | 8fe734f556d97e7c07d02e839a16565f7db88ca7091ca3903a9b153a68aaaf72 |
| SHA512 | 6efbab68c8b036fd73951295a5f65718003deea46db838f6f263133452e09be45ce006246850facbb1922766f42c2ce1796722cecfcc8495921a7bcd9402a446 |
C:\Users\Admin\AppData\Local\Temp\game\icudtl.dat
| MD5 | 9732e28c054db1e042cd306a7bc9227a |
| SHA1 | 6bab2e77925515888808c1ef729c5bb1323100dd |
| SHA256 | 27993e2079711d5f0f04a72f48fee88b269604c8e3fbdf50a7f7bb3f5bfc8d8e |
| SHA512 | 3eb67ab896a56dab4a2d6eea98f251affd6864c5f5b24f22b61b6acc1df4460d86f0a448f1983aac019e79ff930286c3510891be9d48ef07a93ff975a0e55335 |
C:\Users\Admin\AppData\Roaming\.minecraft\launcher_cef_log.txt
| MD5 | 499f26e380be5515b3b9f10798847928 |
| SHA1 | d0a61386882dcc2b142ceb6c179ffad657505ad8 |
| SHA256 | 81d66a0592415249940cd50c93ff3100398e2e14de11b6166e3c6796e45c1d07 |
| SHA512 | c4e69faf5947f8473e84bcef2b23fc6e3ca98158a339f5f13269430a28f402e62d91a7dd069c2c5e909df835aa74c3aefb12cb55b0ed365e06c377a789dfcb09 |
C:\Users\Admin\AppData\Local\Temp\game\libEGL.dll
| MD5 | e646266652e470489b912c39d4bbfacf |
| SHA1 | fb5af43ba527f0b03f6e5db0dba870df7acecf77 |
| SHA256 | e2b31cbbbd97c2d098a44acd5e1c84e092f4bf4c535fe6ebc3703a78387c03a9 |
| SHA512 | fe5ca9d6dc63ca6982702072aa34ada2d43c3c781e1fac09e324b17b3ed05bb8d203c3c08c0fe4aaf8985781933a8a3f2cd8e4928b0fe567c46a8da46f481b3f |
C:\Users\Admin\AppData\Local\Temp\game\libGLESv2.dll
| MD5 | 79d62a3663c1963c90ed84045e0450ac |
| SHA1 | cd3b444ec31e78c7bef960f91548de1e1f2ae487 |
| SHA256 | 896cd68e51fb5c4937717e350b911d5dd18dc285f466fb712ccb0578fff1365e |
| SHA512 | 2da35a7db00ad3c22de448abfe3eb4425088b51db0f093dcfb0e934edee40567ebc8cd1bf0768bb1a43a397a49ce5d388edf2427fcc09eb48033b8baea918520 |
C:\Users\Admin\AppData\Local\Temp\game\v8_context_snapshot.bin
| MD5 | cdeec3342ce88d4de5426032a6bf6a53 |
| SHA1 | b36ec3c3b20a7a06ff282d696f12b51904b073a4 |
| SHA256 | ca88a3c7034da1de52d35823fba0fe80ba5376ab70cdc1841e6aaf25c1f5dd6e |
| SHA512 | 54874cd76589124b750fdae90be75e1acf374566d56352c15dbbee98c095aad0e56db142952a808b08e4817bf5f8e176ffdc4ff79110d8661ee4f7ede16b2ea9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fee026663fcb662152188784794028ee |
| SHA1 | 3c02a26a9cb16648fad85c6477b68ced3cb0cb45 |
| SHA256 | dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b |
| SHA512 | 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0c77ce1db08e7f1b2bc9896a13b4f7a5 |
| SHA1 | 3de7b852f908b16834f9484bce8eebd4d7389ec1 |
| SHA256 | dcb3cb7065cee59e6f4e62405ef4c5418a04a35a1ac04db0b846851bc7ec967f |
| SHA512 | 5244fa2ce993c07dfbbeac86360c2e49e86c0957a016624251e917223b0d1c0afd5fefdf17b397b298c194b5699c8696dd7e59f379d6eae98665be361f077b29 |
memory/932-473-0x00007FF7CC1C0000-0x00007FF7CC757000-memory.dmp
memory/3316-474-0x000002BF6C420000-0x000002BF6C440000-memory.dmp
memory/4752-483-0x00007FF777E50000-0x00007FF777E79000-memory.dmp
memory/3316-484-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp
memory/4752-485-0x00007FF777E50000-0x00007FF777E79000-memory.dmp
memory/3316-486-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp
memory/3316-489-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp
memory/3316-491-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp
memory/3316-493-0x00007FF64B7B0000-0x00007FF64BF9F000-memory.dmp
C:\Users\Admin\tbtnds.dat
| MD5 | 50a157348f7a4b04292990ef4d97b5e0 |
| SHA1 | b394acd628cf332c6a97267932849d2eb218917b |
| SHA256 | 4fa120e9a6923eef699252a2677bb5b9be1b73f62aa38a7017dfd832e93603ef |
| SHA512 | 18b82e8cd48f2869a6e77cd18caa17a4ed12cc263cac650f1fbb0f1086e583798f79ffdf0e12e010760a155e0188cd3d32cbd556b4dce51c4c2f6414f4b9e0cb |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 04:00
Reported
2024-11-17 04:02
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B3B5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2258014184.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228512951.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\728633531.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1235021751.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B3B5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B3B5.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
| N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\2258014184.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\2258014184.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\2258014184.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\B3B5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2258014184.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228512951.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\228512951.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe
"C:\Users\Admin\AppData\Local\Temp\260f4bd4d9f08e29026f540d60aa1d54f1d1b8965141dae3defa112b688651dfN.exe"
C:\Users\Admin\AppData\Local\Temp\B3B5.exe
"C:\Users\Admin\AppData\Local\Temp\B3B5.exe"
C:\Users\Admin\AppData\Local\Temp\2258014184.exe
C:\Users\Admin\AppData\Local\Temp\2258014184.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\228512951.exe
C:\Users\Admin\AppData\Local\Temp\228512951.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\728633531.exe
C:\Users\Admin\AppData\Local\Temp\728633531.exe
C:\Users\Admin\AppData\Local\Temp\1235021751.exe
C:\Users\Admin\AppData\Local\Temp\1235021751.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | launchermeta.mojang.com | udp |
| US | 13.107.246.64:443 | launchermeta.mojang.com | tcp |
| US | 8.8.8.8:53 | sentry.io | udp |
| US | 35.186.247.156:443 | sentry.io | tcp |
| N/A | 127.0.0.1:49196 | tcp | |
| N/A | 127.0.0.1:49198 | tcp | |
| N/A | 127.0.0.1:49202 | tcp | |
| N/A | 127.0.0.1:49204 | tcp | |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 35.186.247.156:443 | sentry.io | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| KZ | 37.99.54.230:40500 | tcp | |
| UZ | 90.156.162.101:40500 | udp | |
| UZ | 195.158.22.210:40500 | udp | |
| KZ | 5.251.95.166:40500 | udp | |
| RO | 37.120.247.6:40500 | udp | |
| IR | 151.232.179.149:40500 | udp | |
| RU | 94.190.92.110:40500 | udp | |
| IR | 46.248.34.105:40500 | tcp | |
| IR | 2.179.68.21:40500 | udp | |
| KZ | 213.211.105.70:40500 | udp | |
| US | 38.224.37.24:40500 | udp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 92.244.232.104:40500 | udp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| YE | 178.130.103.42:40500 | udp | |
| UZ | 146.120.17.117:40500 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| IR | 46.167.149.255:40500 | udp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| IR | 80.191.218.209:40500 | udp |
Files
\Users\Admin\AppData\Local\Temp\B3B5.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
\Users\Admin\AppData\Local\Temp\2258014184.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
\Users\Admin\AppData\Local\Temp\228512951.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
memory/1748-46-0x000000013F690000-0x000000013F696000-memory.dmp
\Users\Admin\AppData\Local\Temp\728633531.exe
| MD5 | 6946486673f91392724e944be9ca9249 |
| SHA1 | e74009983ced1fa683cda30b52ae889bc2ca6395 |
| SHA256 | 885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd |
| SHA512 | e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9 |
\Users\Admin\AppData\Local\Temp\1235021751.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |