Malware Analysis Report

2025-01-18 21:07

Sample ID 241122-d6bprstne1
Target Batch_7.zip
SHA256 17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd
Tags
defense_evasion discovery execution impact persistence ransomware spyware stealer evasion upx crypvault pony collection credential_access rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order:

behavioral22, behavioral24, behavioral30, behavioral11, behavioral13, behavioral18, behavioral9, behavioral19, behavioral17, behavioral6, behavioral10, behavioral16, behavioral32, behavioral3, behavioral4, behavioral31, behavioral21, behavioral29, behavioral14, behavioral27, behavioral1, behavioral5, behavioral20, behavioral25, behavioral26, behavioral2, behavioral7, behavioral8, behavioral28, behavioral12, behavioral15, behavioral23

Analysis Overview

score
10/10

SHA256

17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Threat Level: Known bad

The file Batch_7.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware spyware stealer evasion upx crypvault pony collection credential_access rat trojan

Modifies WinLogon for persistence

Modifies firewall policy service

Pony family

Pony,Fareit

Modifies security service

CrypVault

UAC bypass

Windows security bypass

Crypvault family

Process spawned unexpected child process

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Deletes shadow copies

Renames multiple (4015) files with added filename extension

Adds policy Run key to start application

Blocklisted process makes network request

Disables RegEdit via registry modification

Drops file in Drivers directory

Disables Task Manager via registry modification

Loads dropped DLL

Drops startup file

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Unsecured Credentials: Credentials In Files

Windows security modification

Indicator Removal: File Deletion

Enumerates connected drives

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Adds Run key to start application

Blocklisted process makes network request

Looks up external IP address via web service

Requests dangerous framework permissions

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

UPX packed file

Sets desktop wallpaper using registry

Drops file in System32 directory

Enumerates processes with tasklist

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Command and Scripting Interpreter: JavaScript

Program crash

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer Phishing Filter

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

System policy modification

Opens file in notepad (likely ransom note)

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: RenamesItself

Kills process with taskkill

outlook_win_path

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-22 03:36

Signatures

Requests dangerous framework permissions

The indicators below are Android manifest permissions (android.permission.*), so at least one member of Batch_7.zip is an Android package; the remaining static signatures (UPX, unsigned PE) refer to the Windows executables in the archive.

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

UPX packed file

upx
Description Indicator Process Target
(2 matches; the report records no description, indicator, process or target for either)

Unsigned PE

Description Indicator Process Target
(26 matches; the report records no description, indicator, process or target for any of them)

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

126s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" C:\ProgramData\svchosd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" C:\ProgramData\svchosd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A
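The two Run values above deserve a closer look than the signature name suggests: "Windows Firewall" and "Windows Update" borrow the names of Windows components, but neither component starts from a per-user Run value, and both targets sit in C:\ProgramData, which any user can write to, one of them being a batch file. The following Python is an added example, not code from the report or the sandbox: it parses rows in the report's own `Set value (str) <key>\<name> = "<target>"` format (the report prints the target's backslashes doubled) and applies exactly those heuristics. The first two rows are copies of the entries observed above; the vendor-updater control row is constructed.

```python
"""Review Run-key persistence entries from a sandbox report.

Added example; not code from the report or the sandbox.  Parses rows in the
report's "Set value (str) <key>\\<name> = "<target>"" format and flags values
whose name impersonates a Windows component, whose target lives in a
user-writable directory, or whose target is a script rather than an executable.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROWS = [
    # The two persistence writes observed in behavioral22 (copied from the report).
    r'Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat"',
    # Constructed control: a vendor updater installed under Program Files.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = "C:\\Program Files\\Vendor\\updater.exe"',
]

# key = everything up to ...\Run or ...\RunOnce, name = the value name, target = the quoted data.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\[^=]*?\\Run(?:Once)?)\\(?P<name>[^\\]+?) = "(?P<target>.*)"$'
)


@dataclass
class RunEntry:
    key: str
    name: str
    target: str


def parse_row(row: str) -> Optional[RunEntry]:
    """Parse one report row; returns None for anything that is not a Run-key write."""
    m = ROW_RE.match(row)
    if not m:
        return None
    # The report escapes backslashes in the target; undo that so paths compare normally.
    return RunEntry(m.group("key"), m.group("name").strip(),
                    m.group("target").replace("\\\\", "\\"))


TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "c:\\users\\public\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1")


def assess(entry: RunEntry) -> list:
    """Return the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    name = entry.name.lower()
    target = entry.target.lower()
    # A Windows-sounding name whose binary is not where Windows keeps its own code.
    if name.startswith(("windows ", "microsoft ")) and not target.startswith(TRUSTED_ROOTS):
        reasons.append("value name impersonates a Windows component")
    if any(p in target for p in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if target.endswith(SCRIPT_EXT):
        reasons.append("target is a script, not a signed executable")
    return reasons


def review(rows) -> dict:
    """Map value name -> reasons for every row that parses and raises at least one reason."""
    findings = {}
    for row in rows:
        entry = parse_row(row)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for value_name, why in review(SAMPLE_ROWS).items():
        print(f"{value_name}: " + "; ".join(why))
```

Run against the three rows, "Windows Firewall" is flagged for impersonation and a user-writable target, "Windows Update" for those two plus being a script, and the vendor updater passes. The same heuristics apply unchanged to rows from the policy Run key (Policies\Explorer\Run) that the overview also lists.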

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\WINDOWS\system32\vssadmin.exe N/A
(48 events of this form in total: vssadmin.exe opened every drive letter from A: to Y: except the system drive C:, each letter twice, matching the two rounds of per-drive vssadmin invocations listed under Processes)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\svchosd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
(50 events of this form in total, all attributed to C:\WINDOWS\system32\vssadmin.exe with no indicator recorded; they correspond to the two rounds of 25 per-drive "delete shadows" invocations listed under Processes)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(every write below is logged twice in the raw report; the duplicates are collapsed here. PID 3444 is the sample; each cmd.exe it spawns in turn writes to one vssadmin.exe)
PID 3444 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 4080 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 3580 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 4248 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 4100 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 3208 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 1888 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 452 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 3188 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 4616 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 4456 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 3716 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 2944 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 3596 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 3444 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware
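Every signature in this run stems from one pattern that the process tree below spells out: the sample spawns `cmd.exe /c vssadmin.exe delete shadows /For=<letter>: /all /quiet` once per drive letter, and the dropped svchosd.exe repeats the round. The following Python is an added example, not code from the report or the sandbox: it takes process-creation events in a Sysmon Event ID 1-like shape (pid, ppid, image, command line), attributes each vssadmin deletion to the process behind the cmd.exe wrapper, and counts the drive letters per origin, which is what separates this behaviour from an administrator deleting one volume's snapshots. The events are constructed from the PIDs and command lines printed in this report; the pairing of PIDs with drive letters follows the listing order and is an assumption, as are the sample's own parent PID and the benign control at the end.

```python
"""Spot a per-drive shadow-copy wipe in process-creation telemetry.

Added example; not code from the report or the sandbox.  Events are in a
Sysmon Event ID 1-like shape.  Only the first three of the 25 per-drive
spawns from the report are reproduced; PID 9000 and the control events
(PIDs 4999-5001) are constructed.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"
CMD = r"C:\Windows\system32\cmd.exe"
VSSADMIN = r"C:\WINDOWS\system32\vssadmin.exe"


def _wipe(drive: str) -> str:
    """The exact vssadmin command line the report shows for one drive letter."""
    return f"{VSSADMIN} delete shadows /For={drive}: /all /quiet"


EVENTS = [
    {"pid": 3444, "ppid": 9000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 2108, "ppid": 3444, "image": CMD, "cmd": f"{CMD} /c {_wipe('A')}"},
    {"pid": 4080, "ppid": 2108, "image": VSSADMIN, "cmd": _wipe("A")},
    {"pid": 3580, "ppid": 3444, "image": CMD, "cmd": f"{CMD} /c {_wipe('B')}"},
    {"pid": 2640, "ppid": 3580, "image": VSSADMIN, "cmd": _wipe("B")},
    {"pid": 4248, "ppid": 3444, "image": CMD, "cmd": f"{CMD} /c {_wipe('C')}"},
    {"pid": 4756, "ppid": 4248, "image": VSSADMIN, "cmd": _wipe("C")},
    # Constructed control: an administrator listing snapshots from an interactive console.
    {"pid": 5000, "ppid": 4999, "image": CMD, "cmd": "cmd.exe"},
    {"pid": 5001, "ppid": 5000, "image": VSSADMIN, "cmd": "vssadmin.exe list shadows"},
]

DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
DRIVE_RE = re.compile(r"/for=([a-z]):", re.I)


def find_shadow_wipes(events) -> dict:
    """Return {origin image: sorted drive letters} for every shadow-copy deletion.

    '*' stands for a deletion without /For, i.e. one not limited to a single volume.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for e in events:
        if not e["image"].lower().endswith("\\vssadmin.exe"):
            continue
        if not DELETE_RE.search(e["cmd"]):
            continue
        # "cmd.exe /c" is only a wrapper: walk up until something other than cmd.exe.
        origin = by_pid.get(e["ppid"])
        while origin is not None and origin["image"].lower().endswith("\\cmd.exe"):
            origin = by_pid.get(origin["ppid"])
        origin_image = origin["image"] if origin is not None else "<parent not in telemetry>"
        m = DRIVE_RE.search(e["cmd"])
        hits[origin_image].add(m.group(1).upper() if m else "*")
    return {image: sorted(drives) for image, drives in hits.items()}


def is_ransomware_like(wipes: dict, threshold: int = 3) -> bool:
    """Several drive letters (or an unscoped wipe) from one non-Windows origin is the report's pattern."""
    for image, drives in wipes.items():
        if ("*" in drives or len(drives) >= threshold) and not image.lower().startswith("c:\\windows\\"):
            return True
    return False


if __name__ == "__main__":
    found = find_shadow_wipes(EVENTS)
    for image, drives in found.items():
        print(f"{image} -> shadow copies deleted for: {', '.join(drives)}")
    print("ransomware-like:", is_ransomware_like(found))
```

On the constructed events the sample is the only origin, with drives A, B and C, and the administrator's `list shadows` is ignored. With Windows Security event 4688 instead of Sysmon, the same logic works only if command-line auditing is enabled (the "Include command line in process creation events" policy); without it the vssadmin arguments are not recorded and the /For= letters cannot be counted.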

Processes

C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe

"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

C:\ProgramData\svchosd.exe

"C:\ProgramData\svchosd.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 5.8.63.54:80 N/A tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 5.8.63.54:80 N/A tcp
US 5.8.63.54:80 N/A tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 5.8.63.54:80 N/A tcp
US 5.8.63.54:80 N/A tcp
US 5.8.63.54:80 N/A tcp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 5.8.63.54:80 N/A tcp
US 5.8.63.54:80 N/A tcp
US 5.8.63.54:80 N/A tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 5.8.63.54:80 N/A tcp
US 5.8.63.54:80 N/A tcp
US 5.8.63.54:80 N/A tcp

Files

memory/3444-0-0x0000000002240000-0x0000000002281000-memory.dmp

memory/3444-2-0x0000000002240000-0x0000000002281000-memory.dmp

memory/3444-1-0x0000000000400000-0x0000000000453000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

16s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 1168 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 1168 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 locksmithspringfield.us udp
US 15.197.148.33:80 locksmithspringfield.us tcp
US 8.8.8.8:53 thecottagespsychotherapycenter.com udp
US 8.8.8.8:53 kashfianlaw.com udp
US 104.16.108.239:80 kashfianlaw.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 239.108.16.104.in-addr.arpa udp
US 8.8.8.8:53 www.kashfianlaw.com udp
US 104.16.112.239:443 www.kashfianlaw.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 239.112.16.104.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd

MD5 d96f59d97099a6248989e828d766dd5b
SHA1 9322d296171970ce8a280a4c562f41b5f3689de0
SHA256 e534769d416412d6ea8e91faf108bd8f52838e854145eab052483c37b4add1e3
SHA512 562c52a4dab31d9fc8983823561d181ddd0d0999baf3cbe8841afd3919ae020df573f41bd58fe6ecd090d47a1a1d2bad6abd68955e329cd541974c12d4ceca8c

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20241010-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe

"C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\ExtraTools.bat "C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe""

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\ErOne.vbs"

C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe

chrst.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\ExtraTools.bat

MD5 8f07fa594d84c6e234b336def0b47cdc
SHA1 34b88980635c3f2367af03caedc01d50b5e4624a
SHA256 dd79d7a80a9087e1fced76ade08394843eab01a8ce263dc2306f46435b451f77
SHA512 c33fd26b5399771f4bf9877d717bb730a8101b9f6bd24847084c50b066db7f6e43d56cbf44792eedc94d117c50a988f5d4a46127a34a2115c50fbb4a67ed2047

C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\ErOne.vbs

MD5 a764fe63c6cc48c851f0d2a8ba73c2b7
SHA1 e16351bd38ebcac7e182905767f9b36e078fb5d5
SHA256 8c4d90a5343cea107fad96e842404522aadfc416e7cf84adc58fe2ba72bbc919
SHA512 b0a93898c66c2ff97f9d8cb1f75364a6c4a0ad5cf3158815f94ffb900796065c8e0d384b392d59bf2b01419adb8c65d2dc846ddebaaea971d64c3300edc63571

C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\firefox32.exe

MD5 866604f3adb9207e29505012215f203f
SHA1 718b342c3bc42f3e73c4014c2b105c4d467b0ba6
SHA256 978ed9b9c86653e8f10feb9e7f93eb32f2dadeec42ccce498403e96b7bb3e3c9
SHA512 cdcdd94e2a4c550a819a28085fe543ed944da298da1409ed111380fbde89f6976a4c7d040750307579b007b4551aa86182d453408436bd7aef35423c49b60f79

C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe

MD5 c657daf595b5d535ccc757ad837eebe8
SHA1 894e953e86e54a830a14fac94e57569d184a9c09
SHA256 a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526
SHA512 21a26bc146dd2a915c17b268b13edc565e9a582d11c1714d89741f4156a880dfe35415d4920a6326d164519f4b28b6371ef9c7bfdb5e19080448bd77b4a20a4b

memory/2404-44-0x00000000743CE000-0x00000000743CF000-memory.dmp

memory/2404-45-0x0000000001030000-0x0000000001058000-memory.dmp

memory/2404-46-0x00000000743CE000-0x00000000743CF000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe"

Signatures

Modifies WinLogon for persistence

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\xgoexxnq.exe" C:\Windows\SysWOW64\ctfmon.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe N/A

Disables RegEdit via registry modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ctfmon.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmon.exe N/A
N/A N/A C:\Windows\SysWOW64\ctfmon.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe C:\Windows\SysWOW64\ctfmon.exe
PID 1272 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe C:\Windows\SysWOW64\ctfmon.exe
PID 1272 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe C:\Windows\SysWOW64\ctfmon.exe
PID 1272 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe C:\Windows\SysWOW64\ctfmon.exe
PID 1272 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2320 wrote to memory of 2488 N/A C:\Windows\SysWOW64\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe
PID 2320 wrote to memory of 2488 N/A C:\Windows\SysWOW64\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe
PID 2320 wrote to memory of 2488 N/A C:\Windows\SysWOW64\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe
PID 2320 wrote to memory of 2488 N/A C:\Windows\SysWOW64\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe
PID 2488 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2488 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2488 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2488 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2488 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe C:\Windows\SysWOW64\ctfmon.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe

"C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe"

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe

C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "00000000000003B8"

Network

Country Destination Domain Proto
US 8.8.8.8:53 397110121001i83455512377.com udp

Files

memory/2320-6-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/2320-4-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/2320-3-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/1272-1-0x0000000000240000-0x0000000000256000-memory.dmp

memory/1272-0-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1272-2-0x0000000000400000-0x0000000000416000-memory.dmp

\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe

MD5 f45f47edced7fac5a99c45ab4b8c2d54
SHA1 9060189dd95635c5f75d7f91c9bd345200e83028
SHA256 0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8
SHA512 ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3

memory/2676-20-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/2488-18-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2488-17-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/2488-22-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/2676-23-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/2676-24-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/2676-28-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"

Signatures

CrypVault

ransomware crypvault

Crypvault family

crypvault

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Adds policy Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Edge = "C:\\Windows\\SYSTEM32\\Microsoft Edge\\Microsoft Edge.lnk" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\tasklist.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Edge = "C:\\Windows\\SYSTEM32\\Microsoft Edge\\Microsoft Edge.lnk" C:\Windows\SysWOW64\tasklist.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\explorer.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta C:\Windows\SysWOW64\svchost.exe N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\svchost.exe N/A

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Microsoft Edge\AudioSes.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AccountsRt.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\ActiveSyncProvider.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AppVClientPS.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AppXDeploymentClient.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\asferror.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.lnk C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AcSpecfc.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AdaptiveCards.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AdmTmpl.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\adprovider.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\adrclient.dll C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.lnk C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft Edge\accessibilitycpl.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AppxSip.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AuthFWSnapin.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.scr C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.scr C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\acledit.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\ApiSetHost.AppExecutionAlias.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\authfwcfg.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\bcryptprimitives.dll C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\Microsoft Edge C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AppIdPolicyEngineApi.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AppointmentActivation.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AppointmentApis.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\aspnet_counters.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AudioEng.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\altspace.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AuditPolicyGPInterop.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AuthBrokerUI.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AuthExt.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AzSqlExt.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\BcastDVRBroker.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\accessibilitycpl.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\ActivationClient.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AcXtrnal.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\advapi32.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\atlthunk.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\bcd.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\avrt.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\BackgroundMediaPolicy.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AcGenral.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\acwow64.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\appmgr.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\AppVTerminator.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Microsoft Edge\audiodev.dll C:\Windows\SysWOW64\explorer.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 4872 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 4872 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 4872 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 2212 wrote to memory of 4272 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2212 wrote to memory of 4272 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2212 wrote to memory of 4272 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 4272 wrote to memory of 1180 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 4272 wrote to memory of 1180 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 4272 wrote to memory of 1180 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 1180 wrote to memory of 3768 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 3768 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 3768 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 4272 wrote to memory of 5068 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 4272 wrote to memory of 5068 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 4272 wrote to memory of 5068 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 3768 wrote to memory of 468 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3768 wrote to memory of 468 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3768 wrote to memory of 468 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3768 wrote to memory of 3328 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 3768 wrote to memory of 3328 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 3768 wrote to memory of 3328 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe

Uses Volume Shadow Copy service COM API

ransomware

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SYSTEM32\explorer.exe

C:\Windows\SysWOW64\tasklist.exe

C:\Windows\SYSTEM32\tasklist.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SYSTEM32\explorer.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SYSTEM32\svchost.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SYSTEM32\explorer.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic process call create "vssadmin.exe delete shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\mshta.exe

mshta.exe C:\Users\Admin\Desktop\VAULT.hta

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 hollandfintech.net udp
US 8.8.8.8:53 hollandfintech.net udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 hollandfintech.net udp
US 8.8.8.8:53 hollandfintech.net udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/4868-0-0x0000000002380000-0x0000000002385000-memory.dmp

memory/4872-1-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/4872-2-0x0000000000400000-0x000000000040F1F7-memory.dmp

memory/4872-3-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2212-4-0x0000000000D60000-0x0000000001193000-memory.dmp

memory/2212-9-0x0000000000D60000-0x0000000001193000-memory.dmp

memory/4872-8-0x0000000000400000-0x000000000040F1F7-memory.dmp

memory/2212-36-0x0000000000D60000-0x0000000001193000-memory.dmp

memory/4272-60-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

memory/4272-59-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.scr

MD5 1105f1e5cd13fc30fde877432e27457d
SHA1 108f03f9c98c63506dd8b9f6581f37ae5c18de23
SHA256 dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d
SHA512 49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373

memory/4272-61-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

memory/1180-64-0x0000000000D60000-0x0000000001193000-memory.dmp

memory/1180-65-0x0000000000D60000-0x0000000001193000-memory.dmp

memory/1180-66-0x0000000000D60000-0x0000000001193000-memory.dmp

memory/3768-70-0x0000000000380000-0x000000000038E000-memory.dmp

memory/3768-69-0x0000000000380000-0x000000000038E000-memory.dmp

memory/3768-71-0x0000000000B10000-0x0000000000B3E000-memory.dmp

memory/5068-79-0x0000000000D60000-0x0000000001193000-memory.dmp

memory/5068-77-0x0000000000D60000-0x0000000001193000-memory.dmp

memory/5068-78-0x0000000000D60000-0x0000000001193000-memory.dmp

C:\VAULT.KEY

MD5 f9bee0e2dfdc5e1ce9db7f225359cc8b
SHA1 406c3e316ae41811956c9e33598b75df077783c9
SHA256 5d3bdead8922de41c9fd7d054b0c071964ff247e076100d3261120c21adc38e6
SHA512 56b96ae0b6811bfda79e699381305c142f53d70612af0333af0ec5c5e90dd2b8139205362560e297bed251e20ea3e54719e2c46a5946fa8a37fca6d7f1e448e1

C:\Users\Admin\AppData\Roaming\CONFIRMATION.KEY

MD5 1ef8b68ffe960997d4509f24b11fb022
SHA1 6d25c6ec8f63f9811420eaa3555159bdd40a2502
SHA256 7f4813e5f1b84200cb3df1d26779f43ff73d64b4e6a3c70a0f6db9111b4c13d0
SHA512 5c14137a63abfeaba978bb274a79878057f2263a1729d3922a8eff8cf1d70392a35d49ca0ec6e66627afc4fe9842d94cfed9e74cb8cf08a4361560b85d8d64c1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta

MD5 ca834cc56015bce8e010e356c69dc9f5
SHA1 b55ea373d3f5d583c33803d80059db5ddccf7038
SHA256 1b5feb1b9bf79a857330fc891a65824953ad5d72ce38b4fb41755475775c65bd
SHA512 66c6370c538567286641e2ca3438d28572a78b4d2a15912f9d55cc65f9c7491d16e3f277c9f1385ee6773ef400e1a47e7abe5208aa4d7f75b8db5c816e6531a8

C:\VAULT.KEY

MD5 02e8ec67bb9adec4d96f65024e61d3f4
SHA1 841b6c629abd1f755214467d6a0f24ff0a8565fd
SHA256 a026f2ae89be80d92621dbbe73d89f4ed5ce05c4a2f324a2a4ee26ccc31e3846
SHA512 a0f62cb227e572cc8ca8e195fdeacf4f1d552349aeb90f374ae5701d3bf43ecb845ddd9718cfcab20ddca6bf9f7baa3d7c46b1264b5fd4e406123e2e95a7a7ac

C:\VAULT.KEY

MD5 988f9920a47a009a5c3b4c8c304381fd
SHA1 81217bd02906dcdc0d941fd4ab7ac4af02d79a27
SHA256 214f912401ac13bad81c4dde7114e1ebf942c04c8d09ca4e3a492c2cd5c1d3d9
SHA512 5cb0a85241f09dbccd8ca0d33a4cd5dbc3e35816795e9d91b40da97a857a3b74c07ed030a8e2faf320a220d8342a57cfc036a9b15af058a0fa2590635d556097

C:\VAULT.KEY

MD5 3022b371d3588070cc7dc63c9c86c407
SHA1 0005037fcdac3401100a963442896ccba2872e36
SHA256 83ac01d1bace84bd1bba0c3e2a4343958a56747be17a46c29dd18b5d91aaf51b
SHA512 03a22cccddf68e60434e6766d486ff958e94d53ec832ab11155ae9723ba255e702c3ccd5a14793279898daf9f904814841ca7296fb9e2ef585d2943f122d0dcf

memory/3768-187-0x0000000002A30000-0x0000000002A42000-memory.dmp

C:\VAULT.KEY

MD5 da773f4a2943260a70dbb698c5cbbc77
SHA1 2f8a2d0c96a5240d8a7dc53f91e6f62753c4724d
SHA256 2ec2b34a6b5175c58d1faae6f70bafb8875bc11471da72ebd7673960c13cc3af
SHA512 eeb3999cbdde8be08713df55e40cf199022d46d53330be3cf98a4bf2ad8d392274973abbfa6a6ff7946a894f725cd9f891dd72b8d7c15a7e6b3ce91d29dbff11

memory/4272-190-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

memory/3768-191-0x0000000000380000-0x000000000038E000-memory.dmp

C:\VAULT.KEY

MD5 cb8dd6d4719072c2157510329a016436
SHA1 48d4b373b868b0a8aa44fa8aeea78d8a78369cb0
SHA256 b5cc58a3b66e3a800cd3c69cb5e8899d733f41cbac06d43c40affbe2ee3ea1cf
SHA512 5c2458b625aed1d12e9f5aad8cf082f9e94be4f4912f26b8b5e7f18cce6562c9f7b6989969c715ae825b0e9dd09fcd3002af6de50af4a01eaee8d4522c8ff090

C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.lnk

MD5 49694f63bb47cf24a0112f79e0e11685
SHA1 fe8b7c02aae6d4918ce2674b384bbab905cf3585
SHA256 2ba990cfed349932ab2a722feb2dd2043dd40415ace1d1aadd70a91f9b3f955d
SHA512 fcb8fd017a873d94efd95afb1cc86172a60b7dcb431167a6f8ea03d32b8ddefdb19f86bb8f369876fbebd687c151dd43da3b9b3021084d43f84b6ecd9bfe30bd

memory/3768-202-0x0000000000B10000-0x0000000000B3E000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20241010-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" C:\Windows\system32\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIA078.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f779ca0.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAE22.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB3C3.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f779c9d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E82.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAD18.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAEB0.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\sys.job C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\f779ca0.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f779c9d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9F2E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIACE8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9FCB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA115.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB1FD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9DA6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAFF9.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 1232 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 1232 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 1232 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 1232 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 1232 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 1232 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 2536 wrote to memory of 2296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 2296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 2296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 2296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 2296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 2296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 2296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2536 wrote to memory of 968 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe

"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1C0546BAB281714E431757DE0FBB5EFC

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A306E9C94C5217883499C26E9F43D022 M Global\MSI0000

Network

Country Destination Domain Proto
US 8.8.8.8:53 collect.installeranalytics.com udp
US 3.214.180.211:80 collect.installeranalytics.com tcp

Files

\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

MD5 3531cf7755b16d38d5e9e3c43280e7d2
SHA1 19981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA256 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA512 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

MD5 27bc9540828c59e1ca1997cf04f6c467
SHA1 bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
SHA256 05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
SHA512 a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

\Windows\Installer\MSI9DA6.tmp

MD5 d552dd4108b5665d306b4a8bd6083dde
SHA1 dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256 a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512 e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{3CFEFCD3-DFDD-481F-AE0A-E201682ADEF4}.session

MD5 fecf27a5bbf0da7817c86e55aa264f21
SHA1 65a8e83ee19d1f1725d276336deeb2241960bb15
SHA256 ac618fb9a7780b1cf5fdaf311f4970065c6bcc0a871b3836dbde2fbd902ff3a9
SHA512 74cc4577fb408f041b80825b54c45fa7928a33772857dc7c549961349a8cb58bf8d16288f88f3d4eb2f91e19afb965621b440e40c36b3fc9f02d08071a8b4a51

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{3CFEFCD3-DFDD-481F-AE0A-E201682ADEF4}.session

MD5 b75376f0e4fa057eba0df455331ae0da
SHA1 04d34f68dfcef51322abd13acb2ae8b0a028bb7b
SHA256 066d7226bd174f3521907d8ebdeda2b916062c41f94ee90b8dbb9fd09bef11b9
SHA512 5fd30cc3bdd2f4f16d16e3d0347b8bd1ddefbb420e27b87e148f47e2b12b0a8654857acd43eac28e0346444ef67450eea71997b314685cce3ad334f66e87ae8d

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{3CFEFCD3-DFDD-481F-AE0A-E201682ADEF4}.session

MD5 a55a3f4459e11c5e46275f03ba0ef4fb
SHA1 30ea186a531bf472eae03f633e9f8f57914c7b06
SHA256 33c32bee5584b80f64b52496e34ebaa867c22ee06cc286eaf09b32c56a88383f
SHA512 ab605500201adb4e233944f9a36b47cc215335965ee7f01482eb27ec774d57c6c173f42b0a8a99016b5938d7b025dcd28876ecb6ea83a32d6b6912aae24b3396

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{3CFEFCD3-DFDD-481F-AE0A-E201682ADEF4}.session

MD5 1e0290dc4c165cbdf17903f3e8df13f8
SHA1 1814868b8fe1af03a3aba700cf769b1e633adfdd
SHA256 dc132376ecbf3438dc25d79fbc3d94f67037618b0ea2d120c87eaa3f928ae1af
SHA512 a3242e8fad1f9ed082bed3d8b5f37cccedb98b79f857443a419030d39f20f7a5dbc8e0d9a7d0167e1c3dfe111ab8c309e42ffcdd51d13c2496e7becb11f09948

\Windows\Installer\MSI9F2E.tmp

MD5 4083cb0f45a747d8e8ab0d3e060616f2
SHA1 dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256 252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA512 26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 e29f7a880c84850aa98c1e72f2804601
SHA1 4930f4c5a076917d368ed150c36651432d8593e2
SHA256 f67c350e851157207865a30d39d9ff40ab0f07f425db71c805542bbd25ba03fa
SHA512 7bf9c8b4f937d37cd1be2434804ad56356ee0368fe411617167f02f61c7539c6bf3d99658213c81007bb1c026c783720733d6af6d7b02cfad2b5e03274032cc2

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 8dfd3b687ff9b325715f2aca66414db3
SHA1 92e494367207e65cf833c29ebf713fb6b22bf590
SHA256 9afb63342f1306215ee619e07a81787f3fa7e976ebdbb5043c0344ee332751e9
SHA512 53c8cb5432b1851e604b939c490c47c4556a4bd69048957ca5907ed8b51851b93222836485e2d37e295d81a4c9aec819b0352eb5146338e757fb9988a0033786

\Windows\Installer\MSIAD18.tmp

MD5 3cab78d0dc84883be2335788d387601e
SHA1 14745df9595f190008c7e5c190660361f998d824
SHA256 604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd
SHA512 df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

\Windows\Installer\MSIAE22.tmp

MD5 7e6b88f7bb59ec4573711255f60656b5
SHA1 5e7a159825a2d2cb263a161e247e9db93454d4f6
SHA256 59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f
SHA512 294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

C:\Windows\Installer\MSIAEB0.tmp

MD5 aa82345a8f360804ea1d8d935f0377aa
SHA1 c09cf3b1666d9192fa524c801bb2e3542c0840e2
SHA256 9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437
SHA512 c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe

MD5 e579c5b3c386262e3dd4150eb2b13898
SHA1 5ab7b37956511ea618bf8552abc88f8e652827d3
SHA256 e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2
SHA512 9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav

MD5 bab1293f4cf987216af8051acddaf97f
SHA1 00abe5cfb050b4276c3dd2426e883cd9e1cde683
SHA256 bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344
SHA512 3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49

C:\Config.Msi\f779ca1.rbs

MD5 f5ab7aaf6b2b97e8fb50b57ef5493425
SHA1 ff01d6366912d599ea14279136fddc0125b4bbe1
SHA256 e742055f58b998110e5dd16d9bf9fb41ece084e09000c1f6ebc615bc0a40880a
SHA512 f389084751ae54aef57e9ea12ec8506017c207fb685e7e268dafbab359eb45322947d4f07e02487d39bf779a75a4df96d9d47a75565eb162697fc74cf7fa9d25

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 68c7a5b701bf194b08e0df49a3379d76
SHA1 dc6d0fc79c3441b2f9f9982ed11c1cbafcebfa0f
SHA256 638791461bc2a9857d467683677fff275b9dc2cb73247f963877992ef569b406
SHA512 0f08cb84f8a52639e97c52d870af893088561d12b81ad4d5bc6e3264f7029a28f3051559c0063b8eb063943d19370fd23c06061afee47beadf239f8b9a4e6b33

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,,C:\\Program Files (x86)\\Windows NT\\MIJOvBeC.exe" C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\Windows NT\\MIJOvBeC.exe" C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DWTtAeLq.exe C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DWTtAeLq.exe C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DWTtAeLq.exe C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DWTtAeLq.exe C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\LdMVtZgE = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\MhzeIHWr.exe" C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\LdMVtZgE = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\MhzeIHWr.exe" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dirty\\DirtyDecrypt.exe\" /hide" C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\MIJOvBeC.exe C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\MIJOvBeC.exe C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
File created C:\Program Files (x86)\Dirty\DirtyDecrypt.exe C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
File opened for modification C:\Program Files (x86)\Dirty\DirtyDecrypt.exe C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe

"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"

C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe

"C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe"

C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe

"C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 viweabkkfe.com udp
NL 85.17.31.82:80 viweabkkfe.com tcp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
NL 85.17.31.82:80 viweabkkfe.com tcp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 sjytgtnkdl.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 vjuxtixi.com udp
US 8.8.8.8:53 ntrshvquunyzxevkucs.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
DE 169.50.13.61:80 ntrshvquunyzxevkucs.com tcp
DE 169.50.13.61:80 ntrshvquunyzxevkucs.com tcp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 okenhqzgxngnkbwouvfm.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 wxluitpliymeoirc.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
DE 169.50.13.61:80 wxluitpliymeoirc.com tcp
DE 169.50.13.61:80 wxluitpliymeoirc.com tcp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 kcubcfuhwwn.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
NL 85.17.31.82:80 viweabkkfe.com tcp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
NL 85.17.31.82:80 viweabkkfe.com tcp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 viweabkkfe.com udp
DE 178.162.203.211:80 viweabkkfe.com tcp
DE 178.162.203.211:80 viweabkkfe.com tcp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 sjytgtnkdl.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 wxluitpliymeoirc.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
DE 169.50.13.61:80 wxluitpliymeoirc.com tcp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
DE 169.50.13.61:80 wxluitpliymeoirc.com tcp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 nuepdkau.com udp
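
Added example (not part of the sandbox output): a Python script that parses rows in the format of the network table above, separates the names that only ever appear as DNS queries from the few that received a follow-on TCP connection, and scores the queried labels with a lexical generated-domain heuristic (longest consonant run, vowel ratio). The sample rows are copied from this report (plus hollandfintech.net, the single query in the behavioral17 run further down); the thresholds, the treatment of 'y' as a consonant, and the one-label TLD assumption (.com/.net, true for every row here) are this example's own choices, not anything the sandbox asserts.

```python
import re
from typing import Dict, List

# Rows copied from the network tables in this report: DNS lookups against
# 8.8.8.8 plus the TCP connections for the few names that resolved.
# hollandfintech.net is the single query from the behavioral17 run.
SAMPLE_LOG = """\
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 viweabkkfe.com udp
NL 85.17.31.82:80 viweabkkfe.com tcp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 hollandfintech.net udp
"""

# "Country Destination Domain Proto" row; Destination is ip:port.
LINE_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\S+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>udp|tcp)$"
)
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]+")  # assumption: 'y' counted as a consonant
VOWELS = set("aeiou")


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse table rows; lines that do not match the row format are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec: Dict[str, object] = dict(m.groupdict())
            rec["port"] = int(m.group("port"))
            records.append(rec)
    return records


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Assumes a one-label suffix (.com/.net), true for the rows above."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(domain: str) -> Dict[str, object]:
    """Cheap lexical features that separate keyboard-mash labels from dictionary-like ones."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    runs = CONSONANT_RUN_RE.findall(label)
    return {
        "label": label,
        "length": len(label),
        "vowel_ratio": round(vowel_ratio, 3),
        "longest_consonant_run": max((len(r) for r in runs), default=0),
    }


def looks_generated(domain: str, max_run: int = 4, min_vowel_ratio: float = 0.25) -> bool:
    """Flag a long consonant run or a starved vowel ratio. Thresholds are assumptions; tune locally."""
    f = dga_features(domain)
    return f["longest_consonant_run"] > max_run or f["vowel_ratio"] < min_vowel_ratio


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Fan-out view: what was looked up, what was actually contacted, what only ever saw a DNS query."""
    queried = {r["domain"] for r in records if r["proto"] == "udp" and r["port"] == 53}
    connected = {r["domain"] for r in records if r["proto"] == "tcp"}
    return {
        "queried": queried,
        "connected": connected,
        "dns_only": queried - connected,
        "dga_like": sorted(d for d in queried if looks_generated(d)),
    }


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"{len(s['queried'])} names queried, {len(s['connected'])} received a TCP connection")
    print("DNS-only:", sorted(s["dns_only"]))
    print("lexically generated-looking:", s["dga_like"])
```

The caveat worth keeping in mind: viweabkkfe.com, which did resolve and was contacted on port 80, has a vowel ratio of 0.4 and no consonant run longer than four, so it passes the lexical filter. The more robust signal in this log is the fan-out itself (dozens of distinct names queried, a handful receiving a connection), which the dns_only set captures independent of how pronounceable any single label is.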

Files

C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe

MD5 d224637a6b6e3001753d9922e749d00d
SHA1 bacb2313289e00a1933b7984dd1cbef01c8019ee
SHA256 9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263
SHA512 08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe

MD5 1d27a7210f54a047264f23c7506e9506
SHA1 4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527
SHA256 431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9
SHA512 077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700

memory/2088-25-0x00000000004A0000-0x00000000004B4000-memory.dmp

memory/2508-31-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Desktop\TestExpand.xlsx

MD5 78b526de070a85b6cf6410d013d2a1a6
SHA1 6403f4013d1c5e636452274fa02436fc64f83e7e
SHA256 9a6a19655dc4ab926544e1f1da8750f4119ca615ac73e2c4da9ef4186e6a9e2a
SHA512 e1418a6fe5acbcdda7fddf41835e6d9973ddfbf8c2b36204b53a8733ba1078b63aae28d314eb51b90e0a43896b803ca4920bc4ea6bf8bc18b0650e2cbf32226e

C:\Users\Admin\Desktop\ConvertToExport.jpeg

MD5 5cd869d25ed9b70cad0fcd729dbe93a8
SHA1 18927946eaf87e45ec906c7b0f739205fffa0074
SHA256 555f93ff05472882f6f72d44bbbe46f36e323a2fb2d9b7abe6b06010385cfbe4
SHA512 fe7827c6bbf76874041cd818645b8af930e23aea55d426f3c436fc521ae93ec6ad32cb99d5f25f5b042732a0280fc0c481e02c305e2a5bde94372fa248ac9b56

C:\Users\Admin\Documents\UnpublishRead.docx

MD5 7fb0e9946503165c130615db7a4f28fe
SHA1 f87b0a82e019088a0f69662f16cdf0e77d9ba1e4
SHA256 f3cac6ec3b761436663adaefad6b4b73c6a1a40b5a2d364973b25b43c27a2bef
SHA512 9b33b0563972c92c3e6a6722dd71b55ffebe95130d1cebdf3df0a00a014e5b41dc657c71fc38d6142ae9b379ef8dc8634977bceb9a2f4e0fcb4e0c674bc400f2

C:\Users\Admin\Documents\ApproveFormat.rtf

MD5 55931f508169e2e57ea9e1fe0c0e87d1
SHA1 612f3b45efe3162130307d7fe3dfafb8f3bcfd8e
SHA256 ac71d5d33cf3cafc5ffc57265118fd5d3cbc5b895681245c16faf49f14ce9a56
SHA512 1a94083a6fd1116a9b65b56fcfe3ae7b46f2f5caa8a35ee33630e46c6a0ec48c8add3ac6ffe2b4709cbba19c8287040d7fc63b7229fa558c715be58961e67b80

C:\Users\Admin\Documents\DebugClear.doc

MD5 baf2faff2c457dff4872bb6bb421004a
SHA1 5aa26906097a18d62c69daba985cd0f72ffe3b31
SHA256 8494ac3bbb2c179bc191e4e73145eb8b2b79e156e2e331546dae155a808827e3
SHA512 434367c313dd1e27384858cea0e39d6534f5a94e2b81406575c5b308f4d70e692221a43acb4e31166a4683f3bbffc4359bdebf6f818d686187d449e54a6ce559

C:\Users\Admin\Documents\DebugLimit.docm

MD5 9da8b164f22bdb22f184142e1cfe1cb6
SHA1 f480bb1eda037e838df784609fd0ac3bc77565a2
SHA256 3f13673feca10f32155cce12590601de9b14bc7d4e2f911e8e5af994690acc6b
SHA512 5b7f4607dc315d47d8cbb44d70082773071cbcb267ca51a40817be8607ccf1a415b37e3467eab7e23078d3612e3e33222b5e723da49df57e95f65aa47f5db0d1

C:\Users\Admin\Documents\NewPop.doc

MD5 7f8895f63bbfd4693eb3a190e941e4c9
SHA1 b5ca49754a588b86583e262a75ef7fa23108df29
SHA256 f92dd76f5e53816cbf1070444520cb5198f5b47c600bd4a03d20ccf11bd3f2df
SHA512 61c924f26c54898fbdb3ca9aa6c3ad0d6bae610386f3bbc2dee833554359d42c0452d6382618915eae65a69e138a7903082c960404438efabb8165374fdb0f0b

C:\Users\Admin\Documents\StepFormat.doc

MD5 bc2a99d4fed8fce68e5ee04c2ef762d8
SHA1 da216639ef63fe5f02320024d1895f38b860e631
SHA256 d333a98377a8eb3ed57cf88d616959a394d83ac53dd866ec8bd54ed10aa02ddb
SHA512 a17c87e81acc75c5ebfc2feea61f8d6518adccef8db10cf9567bfd5fb63d153b5300f6edde601c1fcb8250ac1023a3231e567605e36f63173a077a3513a70f61

C:\Users\Admin\Downloads\ConvertFromStep.zip

MD5 4d76b46a325f5b9b905f90e3a348a936
SHA1 48522542ec191d967d2d172fac14ebea4a53182d
SHA256 0bd416bb32df60b7c2dc20863512c76cd9cd5c59a0f5d489807e3d819cadfa91
SHA512 f2c206a6d9b6c116ed008e9b0f4ba5ee75fa7919701cec2720d36736c8206d58ca056cc0ffe7b6566dd0b56f28cba36bdb717036871a19607dd683731dc6d706

C:\Users\Admin\Downloads\EnableSet.doc

MD5 a7b3504b51d9c9ad922cfb68fab066ec
SHA1 6f571660f7af85584201dfbc5b937d2e73d1d5ea
SHA256 7cd40cf425416f45a9c764b71eb548b7e9e0470a1e18f220997e0a1bcd62251c
SHA512 5d828c68ee4709ae70f9f3a7a2b7acfe2058a485dff88c8475bac4f14d091f32a5ec931714ce0e718bc83ff5c1ab86ea6134fd668a9e80f75eb3113cf8bc3e8c

C:\Users\Admin\Downloads\WaitBackup.rtf

MD5 e5941e096adc9dee7df216a2571da334
SHA1 022917d9e0e2640c9b1105ffd16afb5435f41b50
SHA256 0b6b2f585a1005570caa4ceccc71ce8940310cb77629a83ca8ed236a04c1aef4
SHA512 033b2c21e7b63e352e48c35b4c46788e7cad0dd022be0fc792ee440df2ce0b7df0f3bb06bc54173e4981a801309c837c459853252cd96ab8fd0fb2ed88687446

C:\Users\Admin\Music\AssertGet.xls

MD5 f3aa0c84cb7d2aefc20c49f0d59184a0
SHA1 d29dd7dd912c00e5f05a9cc4f04920814f3c4f96
SHA256 8b1192569bef499da82ff8fd0deab26d7188d6c0c1c7a6859f2affbdca635cca
SHA512 98e27369f4aa3430e1a69d841917ff42b7132ea0f583e16500bd86dfd76b3528d7d43ac31951bb4bdb35bdd6bbddeefe1f615819d058c50fe62d03c30107da46

memory/2508-154-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Downloads\CopyClose.xlsm

MD5 5d812c5cd71a5138ccc14b90db5d19bb
SHA1 fb53724c8c9e87300c60e64248ef77ee2d0348bb
SHA256 d57bea2ff1395e34662bf68b951a7d8cd1abd742f24f17e2e5358040d3b66f56
SHA512 8fb745044652ed242407c974bdca86646695fe44c88f533520c75ff8b81a08493dffbd4e02f13481f903f2961cc54641ba0abae23a75e0d411d70104f7432c62

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20241023-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"

Signatures

CrypVault

ransomware crypvault

Crypvault family

crypvault

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta C:\Windows\SysWOW64\svchost.exe N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\svchost.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IE4Data = "C:\\Windows\\SysWOW64\\IE4Data\\IE4Data.lnk" C:\Windows\SysWOW64\tasklist.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IE4Data = "C:\\Windows\\SysWOW64\\IE4Data\\IE4Data.lnk" C:\Windows\SysWOW64\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IE4Data\adsldp.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-libraryloader-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\IE4Data.scr C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IE4Data\IE4Data.lnk C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\adsmsext.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-fibers-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-processthreads-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-datetime-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-interlocked-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-localregistry-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IE4Data C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\ActionCenter.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\advapi32.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\aecache.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-console-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\IE4Data.lnk C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-handle-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-misc-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-string-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IE4Data\IE4Data.scr C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IE4Data\ActionCenter.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\amxread.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-file-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\IE4Data\api-ms-win-core-file-l1-2-0.dll C:\Windows\SysWOW64\explorer.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2412 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2040 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 2040 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 2040 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 2040 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 2628 wrote to memory of 2940 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2628 wrote to memory of 2940 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2628 wrote to memory of 2940 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2628 wrote to memory of 2940 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2940 wrote to memory of 2268 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2268 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2268 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2268 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2268 wrote to memory of 2432 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2268 wrote to memory of 2432 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2268 wrote to memory of 2432 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2268 wrote to memory of 2432 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2940 wrote to memory of 2892 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2892 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2892 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2892 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2432 wrote to memory of 2812 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2432 wrote to memory of 2812 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2432 wrote to memory of 2812 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2432 wrote to memory of 2812 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2432 wrote to memory of 1620 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 2432 wrote to memory of 1620 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 2432 wrote to memory of 1620 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 2432 wrote to memory of 1620 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 2940 wrote to memory of 2488 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2488 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2488 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 2488 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2488 wrote to memory of 336 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2488 wrote to memory of 336 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2488 wrote to memory of 336 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2488 wrote to memory of 336 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2940 wrote to memory of 892 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 892 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 892 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2940 wrote to memory of 892 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 336 wrote to memory of 1776 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 336 wrote to memory of 1776 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 336 wrote to memory of 1776 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 336 wrote to memory of 1776 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 336 wrote to memory of 2388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 336 wrote to memory of 2388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 336 wrote to memory of 2388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 336 wrote to memory of 2388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\WerFault.exe

Uses Volume Shadow Copy service COM API

ransomware

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\tasklist.exe

C:\Windows\SysWOW64\tasklist.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic process call create "vssadmin.exe delete shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\mshta.exe

mshta.exe C:\Users\Admin\Desktop\VAULT.hta

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\mshta.exe

mshta.exe C:\Users\Admin\Desktop\VAULT.hta

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 348

Network

Country Destination Domain Proto
US 8.8.8.8:53 hollandfintech.net udp

Files

C:\Windows\SysWOW64\IE4Data\IE4Data.scr

MD5 1105f1e5cd13fc30fde877432e27457d
SHA1 108f03f9c98c63506dd8b9f6581f37ae5c18de23
SHA256 dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d
SHA512 49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373

C:\VAULT.KEY

MD5 a6a39c97364f8fc8b412f55a01c0083d
SHA1 a77d1e5da21e028c66af5f15bae308ebe7877d3e
SHA256 03cecda8a69893262e6f00d532167ded5732dec991bcd163ccaeadad62001348
SHA512 6faac60921acf43cfc3bcf4bbdc7d7d433e408ae70d1900c54983eda943440f1e485d68f6271d14c3a7e3af6d38bb8c9c02b7221fb564b8ac8f7ccdd7f63d353

C:\VAULT.KEY

MD5 0451a438766083ffa91517ade99ee562
SHA1 70d104395a196c0e3f2a8dee109839d68ebb339d
SHA256 68decb91fe284f1216b079810d2273acddd0d7754cb22689fa0aecfd7dae3aa1
SHA512 240ebc181528d16323ca3398d539256241e72394afb4febd6df9dd3a7745af04ee1258e626043e90d58a7a9f5dfa4366dbedb5f75ad4c924abd65a7106ce1e79

C:\VAULT.KEY

MD5 e8d1dc697660fc828d75a73612f680f0
SHA1 eb5f51e52296f942c1e1065cb15dc06db9307263
SHA256 d203fa95c8fbec5abb1e41d845bee0f252e3c95eb7897d490b0c36806f104142
SHA512 82a650f326fa34e7902e8777a8f61ce7bbe1f4892f0bc9b61a663e99e4c033677f1e18d5a111e9ee636208cbf2563815787a9a0d5eb7d5c2d771bb49d2b203e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta

MD5 ca834cc56015bce8e010e356c69dc9f5
SHA1 b55ea373d3f5d583c33803d80059db5ddccf7038
SHA256 1b5feb1b9bf79a857330fc891a65824953ad5d72ce38b4fb41755475775c65bd
SHA512 66c6370c538567286641e2ca3438d28572a78b4d2a15912f9d55cc65f9c7491d16e3f277c9f1385ee6773ef400e1a47e7abe5208aa4d7f75b8db5c816e6531a8

C:\VAULT.KEY

MD5 2ec277aabfc39d7905efd15f5f3b904c
SHA1 de03298a7b4caf942dab6b2f78b17d288a8b03e9
SHA256 df136bc3d46f2975b2d9de603c550408b70e061fc05e66b24b093d66dc857714
SHA512 3977018a6aa83a0781ad1c2f2e938633fe1ecad3018e4f466436f1bc32412700954d91a959809438f5a813b31bd6587cc52fb7a15b02d621db29b4910d8b2028

C:\VAULT.KEY

MD5 ebd505de3b65505482f979dcf1979d9b
SHA1 393e308f0fc53e209c16703fc6aa9743a9cc2811
SHA256 d7bc912b4d63233f377b744ff6cd4885812dd6227fb17cbfe7a3e089ca4fc78f
SHA512 1c8555ba6adfe26bc06757df999c863d176d904cce089cb059aa56d96d8aa2ff92160c00c824c1dd6f6bc73574af56d92f7ea1888ef4ca1de8b57077057cec4c

C:\Windows\SysWOW64\IE4Data\IE4Data.lnk

MD5 0dff388654ad9cf541763256dc0789a8
SHA1 b2a9296bbea70c57db307c41bb6b678e77aa3d73
SHA256 2a7857336eb95d83107b80b29299284121f94f8664535b5dab7609464864ba68
SHA512 c43893934a1c2ca060438a6f7cf3708013a70e52cfebe436ad5abe0ea4dfa4d30caa0b3782b900741b4e0026fffb61899bf57c7d9dc22b097c3fb8e18fbc2fa9

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

130s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dumped_.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Dumped_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Dumped_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dumped_.exe

"C:\Users\Admin\AppData\Local\Temp\Dumped_.exe"

Network

Country Destination Domain Proto

Files

C:\ProgramData\cawjdzyliposrdr

MD5 af8c3a1898f41d3a338cdcff4f0587d9
SHA1 c665d6f2ea8b905667b51f07377aaf81e447f306
SHA256 21419d7a0aa72bc59bc6b33255b521d41857a66cc08def7f889c4b74ec94e60e
SHA512 1655e2ac73d089cc88a36b3302ed5312be2fae115d70da50c7a9d5bad7d1d34a63e45ab8562ecf64059adc8ab2b6f2ac4ecf9a4453a83703f912be9fffdd6f8c

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" C:\Windows\system32\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIBE24.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBF8E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\sys.job C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSIC187.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBC89.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBDE4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC02D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57bbed.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBCF8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBE92.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBF10.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBF9F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57bbed.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBFDE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC0DA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC2C1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBD95.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe

"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C16F3427CDC6EA38E75CC0D770E37E25

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A18E76BC448C8C7AA40CF92A59828532 E Global\MSI0000

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

MD5 3531cf7755b16d38d5e9e3c43280e7d2
SHA1 19981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA256 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA512 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

MD5 27bc9540828c59e1ca1997cf04f6c467
SHA1 bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
SHA256 05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
SHA512 a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

C:\Windows\Installer\MSIBC89.tmp

MD5 4083cb0f45a747d8e8ab0d3e060616f2
SHA1 dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256 252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA512 26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

C:\Windows\Installer\MSIBCF8.tmp

MD5 d552dd4108b5665d306b4a8bd6083dde
SHA1 dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256 a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512 e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{E324ECA0-649A-46C1-8F15-87C2B2BECB25}.session

MD5 fa9ad6eac98e08fbf7c1b0ff9e38e150
SHA1 def38de93560b085acbf4007da9a5f904f8608ca
SHA256 064bcf17bafa525d38dbc95b125cacc27dac6d0f800f7d6758e94be4e8f188dd
SHA512 b83fb1601fe411df76404d883c899d7cc226b247b2d06aa7a350decb98b3fe60714c82f80b2aeee61a68127338246433ca5d72762eb0e888bfb2d8400cff2bed

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 6310ff5356335c0b80d22609648e67cd
SHA1 47ca24cd44f904bd65f293ac0bc497bc07efb66a
SHA256 9bc0a474899aa70d5b5353e9137a0c3e971f2d6f49da1e9d680197e61009a66e
SHA512 d22bcd2e39b99ab34acd10361c126af177e9989ec267ec69458f74a913bca9a99b63c291a22af689ab2f8aa261a3458078bd94265fc9abee9ce5b312c2fa4628

C:\Windows\Installer\MSIBF9F.tmp

MD5 3cab78d0dc84883be2335788d387601e
SHA1 14745df9595f190008c7e5c190660361f998d824
SHA256 604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd
SHA512 df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

C:\Windows\Installer\MSIBFDE.tmp

MD5 7e6b88f7bb59ec4573711255f60656b5
SHA1 5e7a159825a2d2cb263a161e247e9db93454d4f6
SHA256 59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f
SHA512 294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

C:\Windows\Installer\MSIC02D.tmp

MD5 aa82345a8f360804ea1d8d935f0377aa
SHA1 c09cf3b1666d9192fa524c801bb2e3542c0840e2
SHA256 9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437
SHA512 c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe

MD5 e579c5b3c386262e3dd4150eb2b13898
SHA1 5ab7b37956511ea618bf8552abc88f8e652827d3
SHA256 e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2
SHA512 9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav

MD5 bab1293f4cf987216af8051acddaf97f
SHA1 00abe5cfb050b4276c3dd2426e883cd9e1cde683
SHA256 bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344
SHA512 3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49

C:\Config.Msi\e57bbf0.rbs

MD5 5e3275ec1639cdad4e8e53bec43c33a0
SHA1 8392fd1a965552dcc06f28443a3527abb3f727de
SHA256 277ffe00536c911965764b1862b13a35f05a95a2c74265dac6b1d90276168a79
SHA512 4d68ab9c83eb720d640956d09772ab9521fd5f5f2de3f9f3cf1d9e517842b4ea6fbd4cc0e527f8e7b791eebc68b51686175a88f4dd0434239fe576ee65b9ff9d

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 465ebf48d764cdfc125d36c0717369d6
SHA1 f0c4d2fd3ce5b7da8eb8ff46eb050f2bae54bb0b
SHA256 c0dbd09aef45b3dfc135370923b4912ca9908fd3ac08941118634ca7f5e47b89
SHA512 ff0db29507760737eb60f37109a55845da533ac67204a772329bc6f38d189df80c19a60ab857c838bf264ecaef9afbb9674decd5fdceff6bd8f58e64d7750089

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\decrypt_0000000000000020-000A0000.exe" C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A
File opened for modification C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A
File created C:\Program Files (x86)\OIMOPMPEMA.MBE C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A
File opened for modification C:\Program Files (x86)\OIMOPMPEMA.MBE C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe

"C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
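The table above is a flattened event list, so the same flow appears once per occurrence: deenislam.org (34.92.46.178:80) and dedhamfoodpantry.org (192.124.249.157:80) are contacted over HTTP in a tight loop, while decimallightness.com, craigslistlasvegascars.com and dentistinnicaragua.com are looked up over and over but never reached over TCP. The Python below is an added example, not part of the report or of any tool it was produced with: it parses rows in this table's 'Country Destination Domain Proto' layout, counts each flow, drops the reverse (PTR) lookups because they carry no attacker-chosen name, and splits the remaining names into those that resolved and were contacted and those that stayed DNS-only. The sample rows are a constructed subset of the table above in their original order.

```python
"""Summarise a flattened sandbox 'Network' table (rows of 'Country Destination Domain Proto').

Added example, not part of the report: it groups rows into flow counts, drops the
reverse (PTR) lookups, and separates names that were only queried over DNS from
names that were also contacted over TCP, with the endpoints they resolved to.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the rows from the table above, in the order they appear.
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
US 8.8.8.8:53 deenislam.org udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 8.8.8.8:53 dedhamfoodpantry.org udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 178.46.92.34.in-addr.arpa udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
HK 34.92.46.178:80 deenislam.org tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    destination: str   # ip:port
    domain: str        # may be empty: the report has rows with no Domain column
    proto: str


def parse_rows(text):
    """Parse table rows; tolerate the 3-column variant with an empty Domain."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            flows.append(Flow(*parts))
        elif len(parts) == 3:
            flows.append(Flow(parts[0], parts[1], "", parts[2]))
    return flows


def is_ptr(domain):
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def flow_counts(flows):
    """How many times each (destination, domain, proto) triple occurs."""
    return Counter((f.destination, f.domain, f.proto) for f in flows)


def resolved_endpoints(flows):
    """domain -> set of ip:port endpoints actually contacted over TCP."""
    endpoints = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.domain and not is_ptr(f.domain):
            endpoints[f.domain].add(f.destination)
    return dict(endpoints)


def dns_only_domains(flows):
    """Names looked up on port 53 that never appear in a TCP row: candidate dead or
    rotated hosts, worth keeping as indicators alongside the live ones."""
    queried = {f.domain for f in flows
               if f.proto == "udp" and f.destination.endswith(":53")
               and f.domain and not is_ptr(f.domain)}
    return sorted(queried - set(resolved_endpoints(flows)))


if __name__ == "__main__":
    flows = parse_rows(SAMPLE_ROWS)
    for key, n in flow_counts(flows).most_common():
        print(n, *key)
    print("contacted:", resolved_endpoints(flows))
    print("DNS only:", dns_only_domains(flows))
```

Run against the full table, the DNS-only list and the resolved endpoints are the two indicator sets to block or hunt for; the per-flow counts show the beacon cadence without the repetition of the raw rows.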

Files

memory/3108-3-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-4-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-5-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-6-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-7-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-8-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-9-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-10-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-11-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-12-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-13-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-14-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-15-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3108-16-0x0000000000400000-0x00000000004A0000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\msconfig.dat" C:\Windows\syswow64\svchost.exe N/A
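Two details of this row matter for triage. The value is written under the user's own hive (\REGISTRY\USER\<SID>\...\Winlogon\shell), so no elevation was needed, and the writer is C:\Windows\syswow64\svchost.exe rather than the dropper, so the write came from injected code. Winlogon treats Shell as a comma-separated list and starts every entry, which is why 'explorer.exe,<payload>' keeps the desktop working while relaunching the payload at each logon. The Python below is an added example, not part of the report: it parses a Shell value the way Winlogon does and flags entries that are not the default shell, scoring them with two heuristics (user-writable directory, non-executable extension) that are assumptions for this example, not something the report states. The sample values are the one from the row above and a clean default.

```python
"""Assess a Winlogon 'Shell' registry value for appended launch entries.

Added example, not part of the report. Winlogon starts every comma-separated
program in Shell at logon, so 'explorer.exe,<payload>' keeps the desktop
working while also relaunching the payload each time the user signs in.
"""
import ntpath

# Constructed samples: the value written in the signature table above, and a clean default.
OBSERVED = r"explorer.exe,C:\Users\Admin\AppData\Roaming\msconfig.dat"
CLEAN = "explorer.exe"

# Heuristics for the extra entries; assumptions for this example, tune to the environment.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
NON_EXEC_EXTENSIONS = {".dat", ".txt", ".bmp", ".tmp", ".log", ".jpg"}


def parse_shell_value(value):
    """Split the value the way Winlogon does: on commas, ignoring blanks and quotes."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def assess_shell_value(value):
    """Return (reason, entry) findings; an empty list means the value is the default."""
    entries = parse_shell_value(value)
    findings = []
    if not entries or entries[0].lower() != "explorer.exe":
        findings.append(("shell-replaced", entries[0] if entries else ""))
    for extra in entries[1:]:
        low = extra.lower()
        reasons = ["extra-entry"]
        if any(d in low for d in USER_WRITABLE_DIRS):
            reasons.append("user-writable-path")
        if ntpath.splitext(low)[1] in NON_EXEC_EXTENSIONS:
            # The extension does not stop CreateProcess from running a PE image.
            reasons.append("non-executable-extension")
        findings.append(("+".join(reasons), extra))
    return findings


if __name__ == "__main__":
    for value in (CLEAN, OBSERVED):
        print(repr(value), "->", assess_shell_value(value) or "default")
```

On a live host the same function can be fed the Shell value read from both the HKLM and the per-user Winlogon keys; any finding other than an empty list is worth a look, and an extra entry under AppData with a data-file extension, as here, is a strong persistence indicator.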

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2968 set thread context of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ctfmon.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2968 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2852 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
PID 2852 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
PID 2852 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
PID 2852 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
PID 2712 wrote to memory of 1188 N/A C:\Windows\explorer.exe C:\Windows\Explorer.EXE
PID 1188 wrote to memory of 2816 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 1188 wrote to memory of 2816 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 1188 wrote to memory of 2816 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 1188 wrote to memory of 2816 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 1188 wrote to memory of 2816 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 2816 wrote to memory of 2876 N/A C:\Windows\syswow64\svchost.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2816 wrote to memory of 2876 N/A C:\Windows\syswow64\svchost.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2816 wrote to memory of 2876 N/A C:\Windows\syswow64\svchost.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2816 wrote to memory of 2876 N/A C:\Windows\syswow64\svchost.exe C:\Windows\SysWOW64\ctfmon.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

"C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe"

C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\syswow64\svchost.exe

"C:\Windows\syswow64\svchost.exe"

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 fsbps.ru udp
US 8.8.8.8:53 cwnlz.ru udp

Files

memory/2968-0-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2968-1-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2968-14-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2852-18-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2852-19-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2852-16-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2968-15-0x0000000000490000-0x0000000000501000-memory.dmp

memory/2852-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2852-8-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2852-6-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2852-4-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2852-2-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2852-21-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2852-20-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2712-29-0x0000000000030000-0x0000000000040000-memory.dmp

memory/1188-25-0x00000000025C0000-0x00000000025C9000-memory.dmp

memory/2816-34-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2852-24-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2712-33-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp

memory/2816-30-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2816-37-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2712-48-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp

memory/2816-51-0x0000000000080000-0x0000000000089000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1504 set thread context of 2208 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 1504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 1504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 1504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 1504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 1504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 1504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 1504 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2208 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
PID 2208 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
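The SetThreadContext and WriteProcessMemory tables of behavioral3 (PIDs 2968 -> 2852 -> 2712 -> 1188 -> 2816 -> 2876) and of this run (1504 -> 2208 -> 1152) describe the same sequence: the dropper writes into and sets the thread context of a second copy of itself, and that hollowed copy then writes into a freshly spawned explorer.exe. On Windows 7 the chain continues from explorer.exe into the session's Explorer.EXE (PID 1188), from there into a SysWOW64 svchost.exe, and from svchost.exe into ctfmon.exe, which is consistent with the Winlogon write in behavioral3 coming from svchost.exe. The Python below is an added example, not part of the report: it parses rows in the 'PID <src> <action> <dst> N/A <src image> <dst image>' layout, flags parent/child pairs that have both a memory write and a thread-context change with the same image on both sides (the self-hollowing pattern), and walks the write edges from the parent. The samples are constructed from the distinct rows of both runs.

```python
"""Reconstruct the injection chain from 'SetThreadContext' / 'WriteProcessMemory' rows.

Added example, not part of the report. Rows look like
'PID <src> wrote to memory of <dst> N/A <src image> <dst image>'. A parent that
both writes memory into and sets the thread context of a child running the
same image is the self-hollowing pattern; following the write edges from there
gives the path the payload took into the system processes.
"""
import ntpath
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (\S+) (\S+)$")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe"

# Constructed sample: the distinct rows of the behavioral3 (Windows 7) tables, duplicates dropped.
SAMPLE_B3 = f"""
PID 2968 set thread context of 2852 N/A {DROPPER} {DROPPER}
PID 2968 wrote to memory of 2852 N/A {DROPPER} {DROPPER}
PID 2852 wrote to memory of 2712 N/A {DROPPER} C:\\Windows\\explorer.exe
PID 2712 wrote to memory of 1188 N/A C:\\Windows\\explorer.exe C:\\Windows\\Explorer.EXE
PID 1188 wrote to memory of 2816 N/A C:\\Windows\\Explorer.EXE C:\\Windows\\syswow64\\svchost.exe
PID 2816 wrote to memory of 2876 N/A C:\\Windows\\syswow64\\svchost.exe C:\\Windows\\SysWOW64\\ctfmon.exe
"""
# Constructed sample: the same pattern from the behavioral4 (Windows 10) run.
SAMPLE_B4 = f"""
PID 1504 set thread context of 2208 N/A {DROPPER} {DROPPER}
PID 1504 wrote to memory of 2208 N/A {DROPPER} {DROPPER}
PID 2208 wrote to memory of 1152 N/A {DROPPER} C:\\Windows\\explorer.exe
"""


def parse_events(text):
    """Return (src_pid, action, dst_pid, src_image, dst_image) per parseable row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            events.append((int(src), action, int(dst), src_img, dst_img))
    return events


def find_hollowing(events):
    """(parent, child) pairs with both a memory write and a SetThreadContext,
    where both sides run the same image."""
    writes = {(s, d) for s, a, d, _, _ in events if a == "wrote to memory of"}
    ctx = {(s, d): (si, di) for s, a, d, si, di in events if a == "set thread context of"}
    return sorted((s, d) for (s, d), (si, di) in ctx.items()
                  if (s, d) in writes and si.lower() == di.lower())


def injection_chain(events, start_pid):
    """Follow 'wrote to memory of' edges from start_pid; one (pid, image) per hop.
    Only the first child of each process is followed; branching chains are not
    expanded here."""
    children, images = defaultdict(list), {}
    for s, a, d, si, di in events:
        images.setdefault(s, si)
        images.setdefault(d, di)
        if a == "wrote to memory of" and d not in children[s]:
            children[s].append(d)
    chain, seen, cur = [], set(), start_pid
    while cur not in seen:              # the seen-set guards against cyclic writes
        seen.add(cur)
        chain.append((cur, images.get(cur, "?")))
        if not children.get(cur):
            break
        cur = children[cur][0]
    return chain


if __name__ == "__main__":
    for label, sample in (("behavioral3", SAMPLE_B3), ("behavioral4", SAMPLE_B4)):
        ev = parse_events(sample)
        for parent, child in find_hollowing(ev):
            print(label, "hollowing:", parent, "->", child)
            print("  chain:", " -> ".join(f"{p} {ntpath.basename(img)}"
                                          for p, img in injection_chain(ev, parent)))
```

The hollowing check is deliberately strict (write plus context change plus identical image); the later hops into explorer.exe and svchost.exe are plain cross-process writes and show up only in the chain, which is where the persistence write and the later network activity should be attributed.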

Processes

C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

"C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe"

C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1504-0-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1504-1-0x0000000000730000-0x0000000000731000-memory.dmp

memory/2208-2-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2208-5-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2208-7-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1504-6-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2208-8-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2208-12-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1152-9-0x00007FF6B8110000-0x00007FF6B85AD000-memory.dmp

memory/2208-14-0x0000000000400000-0x0000000000415000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"

Signatures

Renames multiple (4015) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\drivers\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\drivers\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ReadMe.bmp.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ReadMe.html.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ReadMe.txt.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
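The rows in this table pair up: each ReadMe.* note is created and the same path with .jaff appended is then opened for modification, so the encryption pass ran over the sample's own notes in that directory, and the appended extension can be read straight off the events. The Python below is an added example, not part of the report: it parses rows in the 'File created <path> <process> N/A' / 'File opened for modification <path> <process> N/A' layout, infers the appended extension by matching modified paths against created ones, picks out the ransom-note filenames as the names created in several unrelated directories, and lists the notes that were themselves encrypted. The sample rows are constructed from this table and the 'Drops file in System32 directory' table that follows.

```python
"""Derive the appended extension and ransom-note names from sandbox file-event rows.

Added example, not part of the report. Rows are
'File created <path> <process> N/A' or 'File opened for modification <path> <process> N/A'.
Pairing 'created X' with 'opened for modification X.<ext>' recovers the extension the
sample appends; a filename created in many unrelated directories is the ransom note.
"""
import ntpath
import re
from collections import Counter, defaultdict

EVENT = re.compile(r"^(File created|File opened for modification) (\S+) \S+ N/A$")

# Constructed sample: rows taken from the two 'Drops file' tables for this run.
EXE = r"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
SAMPLE = "\n".join(f"{action} {path} {EXE} N/A" for action, path in [
    ("File created", r"C:\Windows\SysWOW64\drivers\ReadMe.bmp"),
    ("File created", r"C:\Windows\SysWOW64\drivers\ReadMe.html"),
    ("File created", r"C:\Windows\SysWOW64\drivers\ReadMe.txt"),
    ("File opened for modification", r"C:\Windows\SysWOW64\drivers\ReadMe.bmp.jaff"),
    ("File opened for modification", r"C:\Windows\SysWOW64\drivers\ReadMe.html.jaff"),
    ("File opened for modification", r"C:\Windows\SysWOW64\drivers\ReadMe.txt.jaff"),
    ("File opened for modification", r"C:\Windows\SysWOW64\fr-FR\ReadMe.html.jaff"),
    ("File created", r"C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\ReadMe.bmp"),
    ("File created", r"C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateN\ReadMe.html"),
    ("File created", r"C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicE\ReadMe.txt"),
])


def parse_file_events(text):
    """Return (action, path) per parseable row."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def infer_appended_extension(events):
    """(extension, count): the most common suffix whose removal yields a created path."""
    created = {p.lower() for a, p in events if a == "File created"}
    exts = Counter()
    for a, p in events:
        if a != "File opened for modification":
            continue
        base, ext = ntpath.splitext(p)
        if ext and base.lower() in created:
            exts[ext.lower()] += 1
    return exts.most_common(1)[0] if exts else (None, 0)


def ransom_note_names(events, min_dirs=2):
    """Lower-cased filenames created in at least min_dirs distinct directories."""
    dirs = defaultdict(set)
    for a, p in events:
        if a == "File created":
            d, name = ntpath.split(p)
            dirs[name.lower()].add(d.lower())
    return sorted(n for n, ds in dirs.items() if len(ds) >= min_dirs)


def renamed_files(events, ext):
    """Paths the sample opened with the appended extension already in place."""
    return sorted(p for a, p in events
                  if a == "File opened for modification" and p.lower().endswith(ext.lower()))


def notes_caught_by_encryption(events, ext):
    """Ransom notes the sample later opened with the appended extension: the
    encryption pass ran over its own notes in those directories."""
    modified = {p.lower() for a, p in events if a == "File opened for modification"}
    return sorted(p for a, p in events
                  if a == "File created" and (p + ext).lower() in modified)


if __name__ == "__main__":
    ev = parse_file_events(SAMPLE)
    ext, n = infer_appended_extension(ev)
    print("appended extension:", ext, "(matched", n, "pairs)")
    print("ransom notes:", ransom_note_names(ev))
    print("renamed files:", len(renamed_files(ev, ext)))
    print("notes encrypted:", notes_caught_by_encryption(ev, ext))
```

Over the full event list the extension count approaches the 4015 renames the signature reports, and the note names plus the extension are the file-system indicators to carry into a hunt; the note-name heuristic needs the directory threshold raised on a host where the same filename legitimately recurs.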

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\fr-FR\ReadMe.html.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Enterprise\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateN\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomeBasicE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\Professional\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\Starter\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremiumE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremium\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\ProfessionalE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\StarterE\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\Amd64\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\WCN\de-DE\ReadMe.html.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasic\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremium\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\PostMigRes\data\ReadMe.bmp.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\ProfessionalE\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremium\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\OEM\UltimateE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumE\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicN\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\UltimateN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\eval\EnterpriseN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Ultimate\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\Amd64\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\System32\catroot2\edb006C9.log.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\wbem\xml\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\EnterpriseE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremium\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\ProfessionalN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\UltimateE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremiumE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasic\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\UltimateE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\WCN\it-IT\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremiumN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\UltimateN\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Rondo\\WallpapeR.bmp" C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FALL_01.MID.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14539_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryResume.dotx.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\WHOOSH.WAV.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.XML.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21334_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME11.CSS.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBRV.XML.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Earthy.css.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR21F.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Panther\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ba1cc5c862844f35\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cc39e164ed9f744a\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_en-us_77f885dc30a2b58b\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonypal_31bf3856ad364e35_6.1.7600.16385_none_cd66bc3541f90a26\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_ab6782291b0ca7be\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\Vss\Writers\System\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\watermark.bmp.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9cbb1d5656f57791\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_es-es_53d92c4ec2b28e59\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.1.7600.16385_none_09906177615c2112\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_8.0.7600.16385_none_1622b3b244141a27\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4106c47800c64a15\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a5ac6196f231571d\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b1837e63163037f\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.1.7600.16385_none_1f7373be61daf614\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1a07d4da952d4d02\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..cognition.es-es.ale_31bf3856ad364e35_6.1.7600.16385_es-es_3c034162a988d835\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ab03602b9d6cb924\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_d4c812c90da12283\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersonalization.sql.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a9893e83c110fe46\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_36242a66d0a3fac8\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f1bcbca1e780b68c\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_018b4fa043769680\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_netfx35linq-addinutil_31bf3856ad364e35_6.1.7601.17514_none_29443e96f9fb6564\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_e119eb1646de0342\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_00f087462bef45b7\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_netfx-regsvcs_exe_config_v1_31bf3856ad364e35_6.1.7600.16385_none_dd975ffb8de73e55\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7e7f3bd0c60c7e17\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_63cc1fc1c4366aaa\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_de-de_71d9774db1afe542\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7e0a31f5b1cdade5\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..s-directaccessentry_31bf3856ad364e35_6.1.7600.16385_none_52b3ba1508e42ec5\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cb425691a3c4dfa7\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_6.1.7600.16385_none_7b64ef799c494a30\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b1837e63163037f\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_prnca00z.inf_31bf3856ad364e35_6.1.7600.16385_none_ea189c313845a10e\Amd64\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SplashScreen.bmp.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..eraccount.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e185cfc7615ec6b0\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_064ef2a4b72f72b1\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0267af49be0713f6\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_cc7ce9d4d87afd2c\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8c1265b3f9ecd8c9\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8b1e0795efcd31f1\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\fr\Tracking_Schema.sql.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_795ac2ac69664653\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-snmp-mgmt-api_31bf3856ad364e35_6.1.7600.16385_none_47815118cd38388a\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_bd28e772321016e1\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d027e638f114b913\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_es-es_5e391147391d2f55\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Prefetch\AgGlGlobalHistory.db.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\Logs\CBS\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\inf\PERFLIB\0410\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\WPF\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_es-es_959ec7b53a342ec3\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cffa1c7732c576aa\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 fkksjobnn43.org udp

Files

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.bmp

MD5 58c3ce31b5687583c67761fa8a092f9d
SHA1 cc3dd0f11895648b264d8890827059f618f2797f
SHA256 e4b82a227f1af1d7ea08eebcbef5fc927b025683f5077d3be3635949576201e0
SHA512 5aa50cbe95922a2a2e4f3bc8e7fefaf8e4f4eb990986aa41e96bb077f422fe70e475227fcb2c915864108abe2ff0f5eae281eb177f58d590461249b1a4a573d0

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.html

MD5 3a46dac3f4c10dfe74a0e3601021a791
SHA1 9ffb319517542670eafc67cd71f898b43b71b452
SHA256 44f4032bc674a2f836d1be30979456aaae5d24afaca44faba4503b92702fbba0
SHA512 ccd4beb602ce5a851b8f36de82b44169afb81c83e719ba4cdecf86c2783d8b1f6939a9db9e538f9f422e112b46c6ae55870ee9b1815e8f7a8438944697e89d2a

C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.txt

MD5 adbe4d91680b52c82987a920a1918431
SHA1 1871a4fd7983481a765b41d2dbfcf201a767221b
SHA256 5daf04f81052209f8b9fe65793e5be28b27243ce1c56178d088e8e835e6e9124
SHA512 bfdd9f632b519377bf2ba3fcc19442789acdf1b10faecbcd593d17cae1f61deb7796bf050cb2da3d23188db53a9660b6705ac15a051e6311a075eb9593d64e9e

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.jaff

MD5 6276d2ae1fe73625484a985404675d4f
SHA1 750083f4852a7ad210b222aabbdc0a99689b2db9
SHA256 e110f40bbd910d845dcd536479032b1fc2c0b17a1e5f59cf91a007dedaaeaefe
SHA512 759fbbae3e4bd9fd65d7b3fbc6e80eaccebbb485e2b1a1ef06df5039143bcdb8c6e8b8b8a92cda87a2919d13f654a637d89dc23fa1191454d76cc22106c1100c

C:\Windows\SysWOW64\com\ReadMe.html.jaff

MD5 9fa145848f3b692d3949e4e9ce0f225f
SHA1 834871ed87bb5521902119f5ef6030c71935c40b
SHA256 ca971f80b74b3ad2135bc8f7442e9248d47eb7ea87fc0a2f2eb54fc37e1ce561
SHA512 ae659082d957f981275dd2489be83dba3b44439a10c7d6402ea8c720b2d653dc8748983b48cee27c53e2a65259b29e5de04069345df4089a532b1117dbee6940

C:\Windows\SysWOW64\es-ES\ReadMe.txt.jaff

MD5 777d6b87840244da4b80e117bf84bf18
SHA1 7cfb42a9e3ef0eb8ffc2519724793ec0ca7d89d7
SHA256 09cf18f36bcf462a63ffd916db61923b296e0e3779113b3d4e8ae3457a073b83
SHA512 1a89831367edb3f6b693e9250062f3fe5368d97f6f0c263d6dc0a34da2ddd180594927a5c6d04b1b50f5850f94f3550d909260b27b7eb79c58bc06d0a8e165bf

C:\Windows\SysWOW64\ja-JP\ReadMe.bmp.jaff

MD5 577ec58e43331c65c8306f99333bb477
SHA1 7bcc67a40054e83f4a297d724c995e49d2a9888c
SHA256 541964f505d61b88a36ef20ada38f5f6c9b3b92de0268ecd53ac71ff4f01289b
SHA512 3ccf18c28a8a71bb0682bfc7596ae5750d1ac728f8aa5a040c7a74d964aca5d1fc6401679ce710f1843475645afe1665f59f17c4c2d641316ca2a50ded7e123e

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe.config.jaff

MD5 0c11e68f563439a620537d461db9f88a
SHA1 c23fb49ef0371348e51bfc8a47b090a36ad63a57
SHA256 1c13c0253b3638abd31000a8611e191bc6dea0aea1007b24a4f57df3926774db
SHA512 7ab90a26a763b2841385c598feb85f381eafba4be298d0e319ce371a492bb13cea5ba51bf3fbcd7d5208fdab0ecb0a7ae52489d2157098530f068eb06e096cec

C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe.config.jaff

MD5 bc4e63ff2afdbd01872355904760b453
SHA1 036672989c2869a19d1ee95d98f48a54a403a16b
SHA256 09f324a15bf0421549b6e4a7c9976f44a5fe9cd39e85006ce00d51ed564d25ec
SHA512 0806aad79c3337f1e29903618b5bf8706c78f6d9fb7702ddcc0ebc285fb4f588b45f966fc4c9e3ab38886a3c83c881a0c3a6b2a98bd35e6fdeb632f311c62cfc

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config.jaff

MD5 6d746b5a07a09516766f95a6d5326997
SHA1 6d9b5acd4d5f2913b6a95307bf2a97eb75bcbc93
SHA256 1ec20d1e92f94f5c29ea6e78dc17f88d98ba2b7ac90a22a5301eb799f723ebc6
SHA512 2cf550c70aede52cf66747d467bfe699bce4ffaea7af955a073dddb0c40d8b47b61ae48888608929866553e3634ee9b09bdad9e11f21f34928d447f63f5596dc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe.config.jaff

MD5 deeb38404b0292ece4558c1834babf49
SHA1 e51bb32061056541b168d2e78c40420c91d12df9
SHA256 c6f3c5177af39d649639a3eb297cd716a0fdad33d85c60033e6ab5e55fa4b40b
SHA512 d41718140379142f56a0c5e9a5ae4297d2e683765fff1ee264ea94949d3e12c45cdd55d1b4155464ae9fbc1cd0533f874a068771078caab680b9e2441ab776f4

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe.config.jaff

MD5 95d0e89b8c52b4edebc18d74c5b4c700
SHA1 6738bcea016ad85dcea28058c6714647ad010630
SHA256 fa887f20bd8086356e986f0058588211966b25434641dc14154dcc4f56b2ca88
SHA512 fead5a94f0bec822a50b8c734de76bb14f67b3ad12e69b56141404593c257acaba38c554e1f92f0787621cf81c1cf94123490f4b70fc114baecc67e85916ca33

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe.config.jaff

MD5 27a6c7c7822b8c34f8fbc34650f5bea5
SHA1 a232f0346514970a10bb2a68adb2e20122766050
SHA256 6e2e30552648175a3eb31cbf7adf9b07b263bdd8293e24d7652bae2c6d47ebe9
SHA512 c55ac6f0a0bd855776c25b4f23fef1921b6cd972e8c18031c92be9819b40678316b7818eb4257ebfa084d492f34dcd0b67cc4b297f50dc57ec1353eff8e49fa0

C:\Windows\inf\PERFLIB\0411\perfc.dat.jaff

MD5 7f0ff110485850b974164ee7bed8a025
SHA1 651d56a8ed88c0cbed34f41e744c8f4742c7cee5
SHA256 5ee90c4028a25caa65f4fe04126d25ceaa91b3d909e315a42bef7c581433063a
SHA512 bfe0a1854bc03c5ef2eabe2082d360376ecf39f5332af84e58e7a78a675d27fea197bd623fd5a5915b6a7e9bfd5b85a299fb1da99a7bcb116d2f5fd8a70cfb16

C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\DropSqlPersistenceProviderLogic.sql.jaff

MD5 1445c9119491e64969d721a31888b528
SHA1 8bd09f3f9da250f0628d11f3a2a630290d6d66a2
SHA256 5ea2972e8f548bc8b72b6188e6f463f6c7a279e10ec962cd574bd8bae3a3b802
SHA512 aad2f084e609a94185b3d0e549ebc2a6ceca2e7b28d960046326f2eeca893a38a8f9b7026730d25c72c119b048fcfbd785c9360010d3d133c776fa4a8cb0e380

C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\SqlPersistenceProviderLogic.sql.jaff

MD5 750d4dc7bde47ef76a441a14c2449d06
SHA1 d92d706061a9fc4f4edc5704091656dee3027e82
SHA256 b8f3ca26050817cc6079805c007874d09329f8ca95ee532e2df3e69825c7dff5
SHA512 58291afe47065c028eb0b3f151d50a609ac963ff5020bda27ff5e0d6f3eb7f68a32d98c98407790ea40b22a9eea085981718e67c5ed4ba6f7c457dd1f00ef17b

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif.jaff

MD5 ada413e008cdef885150bf038c1d0c5f
SHA1 8c5844866ed6b5c74f68acc9fa50f4f3f57391e7
SHA256 7505c62f8e32fea2240b5a383050211f6276feb95bdbd2d63da398b869dfdf40
SHA512 a483343a9e393f9df53a437e6f5fd1fd0e9e243bb5b7461e2879868978d62ebb3392079f1a9d7b50e25cf6b753ba4af8c9305191d488120b09478901d3f12abd

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.jaff

MD5 e19fe113a3de76c2d36171b1dde45b52
SHA1 6d23f5ad34ef87b3440b6c06e05365c14b42f9fc
SHA256 300115fe5e446400ef5f9fe0118599ccbf1e5496de87a24a62c8e25dd1b6e055
SHA512 0d6642a42619043418b1be88189471127a899256c1c7e5aefa69389cf23731ee108c86aee6e959d6882519a07b480c983cbd7833448c997d4b289f30b808de8d

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.jaff

MD5 7b2fffc2f0eaa5571da2acdb0f74c9c1
SHA1 a74f6da4e247b568ec50c4fefb079066f76a75b4
SHA256 702ae305be310bc75db0568e58fb3d0078ad959674162f72ce6cde391ed0e151
SHA512 bd17148b359c1462fcd4f68a2b7ee55ae4312353cdd2d95747280c76b3e0561dcd02e3419e40003d873600dc5d83f83a8b1ca235302146e50f12620b2c658d73

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif.jaff

MD5 c94fa6ca0646b1fa00c716d14113417f
SHA1 993ebd8d02d3f21547401253cdf0c3299148ec57
SHA256 21345ff35ed1dc6ebfef4ee3fc627f2060d95c8106b3d71c3bc78891754e2d44
SHA512 f1e11a2a47bec771e2ae7fd7b6c4e32bcb9d14a1abc23512ccf06a2d772c7dec6182192c82e5e9dc42093687d90317cde79960a7d017e66ea62dcd7aaffd9e47

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif.jaff

MD5 d5bd54f0288820e942c3527f047daa8b
SHA1 ccc376f9b14fd946830827281a0e9a42835de1a6
SHA256 f513b89a662f4f6bbed5fd5e80d3aedc82572731bdc336d5ddd5996ab093f5c7
SHA512 981ea6925a6b65d93db33d32726af3a6b1eaa02fc815c8b21f34f8a690bff1618e6969c8e83b5af58bc872c1f6a0757053a6072fd69d03ac94f541b0b6aeddd8

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log.jaff

MD5 b30b95e867f3600ed9e6bb6d9b75be4d
SHA1 c38d6f8def212204ec253dfd20b640b2ba4875b5
SHA256 eeb52552a9f27cf4adef97dca2a84a63172f10b419daa73bbfc3e31ebe300923
SHA512 1759a5d37844e2e016e5255f3dc0cbca3dd64006a3047b64cf7b4fca7c2bdb6aebc5578f0b1e458f78dd42d656555226a26dba1719ab8f8a6f54ef45d105a58d

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.jaff

MD5 ebb7ae0d55798dc571ade1045e00c041
SHA1 497972d7a57031cf429ea3646ea4758bd9f0d95c
SHA256 90715bff0c24bd1272f5593a76ab2e9f598eac0bf300a75a4b511aa3ab90a2f3
SHA512 e00b648f82b6d7dc94643e347f65412497878be5ca1eaa36de6df30538ed7eb1b99944f350b62d09e2765f3ab3e2aaec53d534132b7fbbf1d2c888e1cc2deb80

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.jaff

MD5 d80de0457d3db29f32ac63828ebcc4b8
SHA1 7f275665774e797b7f1db769e825ad1c5b35b898
SHA256 412b30c16ab674f0be5e316379fbe736bec8815d8c90b5795fad8e6970cf341b
SHA512 511d6e7ee92e9bacf7b929961c4a85d3be42069e353dd5f1ff1a095d9fcc5c6d866dad4bfe7816650b743c0b05b77de52a94dfe94d1689046961ae1fc0fa52aa

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.jaff

MD5 1edfe90774391d158546e29528c4698c
SHA1 b4f7bbe73d89a2119b04690cee5dfbb55366f32a
SHA256 699f5c89eb9a30e4540212a8409da5af0972df39bc9b05b582b017189fff448d
SHA512 1d6ea4ce631450fbe0c2f93c121b510361f57480c97451b647b2eafcd6c9260d5d16c3257bd18125d32a4e24999610a7cd3bd64f8c76cecbeefdd6ec4ceca7fd

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.jaff

MD5 aeec8563857d4e88ae292653fe3596c2
SHA1 045a66823cbf4c677681188854920de194d0f8e7
SHA256 ab2aa57e575dc552c7c3f7ef1453fcd372aaeb7fb13f9e6722b0b5bad27a7029
SHA512 13ba5f27c18bcf9956467d092addb2669d76dd17d27e7dc8c98532d468936031698f5708c1c2b9e10247529aa7c58d49ab2515415afe41041697b63ae42038a1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.jaff

MD5 3f01f7e5e7e38198b03b2586a5be8583
SHA1 f34a0062a380e4da911927a7582d6860ba4ffb07
SHA256 fde5dbd46b23a8b3e2688e255758f13d0722aea56f1d845b93c8c7af4969f272
SHA512 2fc9fe74e02ab092f54c4e41ebf0dc6f2f33bdb0b717891b00449d74d9c27ee5e7fde02419ba23790b5469dcb4a9eb5f71d11a20e944784aa3bb57142b9ecae3

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.jaff

MD5 d546455a6e81e30e49496053f98695ef
SHA1 2e78022d097357c739813dabda1edbba43d7692f
SHA256 db2f33e28e503d727eb977335a7f9969a8dcfbd6ad9e1e75aecfdee37f8a0855
SHA512 67a883ac9340cfd04771f0f7bea5f8550b17144c8cd8ebd4806ba7ec090e36e20bf0fbc9a961ab9d12099c543d9ab26e2ca0dce8aacb9c97b17ce0a3a61a486a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jaff

MD5 47607045c2c43dfe9ec8815496c30778
SHA1 c2e376584f5d3e20764605a1d20102416cebb10b
SHA256 4cefcfc58247f51a19e6f19ec8f32024b54dff7e66d21a3139e11b970762e5b1
SHA512 27a679450e0d7f9c0120aa8e6ec3348c014b4da175b6baa1e775e3d7570b2f536539046a7b1b8b7f05613c171fa521e2f99986d874c8f4b504fe0cf8d2d143aa

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20241010-en

Max time kernel

123s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" C:\ProgramData\svchosd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" C:\ProgramData\svchosd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\T: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\I: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\U: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\V: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\O: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\L: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\W: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\W: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\S: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\I: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\K: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\O: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\T: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\Y: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\Q: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\X: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\L: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\Q: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\U: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\V: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\J: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\Y: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\J: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\N: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\R: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\N: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\P: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\K: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\P: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\R: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\S: C:\WINDOWS\system32\vssadmin.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\svchosd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1832 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1832 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2572 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2932 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2932 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2932 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2572 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2856 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2856 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2856 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2572 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2744 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2744 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2572 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2704 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2704 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2704 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2156 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2156 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2572 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2536 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2536 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2572 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1456 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1456 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1456 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2572 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2976 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2976 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2572 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe

"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

C:\ProgramData\svchosd.exe

"C:\ProgramData\svchosd.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

Network

Country Destination Domain Proto
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp
US 5.8.63.54:80 tcp

Files

memory/2572-0-0x00000000002E0000-0x0000000000321000-memory.dmp

memory/2572-2-0x00000000002E0000-0x0000000000321000-memory.dmp

memory/2572-1-0x0000000000400000-0x0000000000453000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\tainknoa.exe" C:\Windows\SysWOW64\ctfmon.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ctfmon.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe

"C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe"

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe

C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 397110121001i83455512377.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/3552-2-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3552-1-0x0000000002180000-0x0000000002196000-memory.dmp

memory/3552-0-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3760-3-0x000000007F650000-0x000000007F65F000-memory.dmp

memory/3552-4-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3760-6-0x000000007F650000-0x000000007F65F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe

MD5 f45f47edced7fac5a99c45ab4b8c2d54
SHA1 9060189dd95635c5f75d7f91c9bd345200e83028
SHA256 0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8
SHA512 ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3

memory/3760-11-0x000000007F650000-0x000000007F65F000-memory.dmp

memory/3260-14-0x0000000002060000-0x0000000002076000-memory.dmp

memory/3260-15-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2228-16-0x000000007FC50000-0x000000007FC5F000-memory.dmp

memory/2228-19-0x000000007FC50000-0x000000007FC5F000-memory.dmp

memory/2228-20-0x000000007FC50000-0x000000007FC5F000-memory.dmp

memory/2228-23-0x000000007FC50000-0x000000007FC5F000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

132s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfgkuyuaoarifrk = "C:\\Windows\\ydyategyulafxiprjjmv.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfgkuyuaoarifrk = "C:\\ProgramData\\ydyategyulafxiprjjmv.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfgkuyuaoarifrk = "C:\\ProgramData\\ydyategyulafxiprjjmv.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfgkuyuaoarifrk = "C:\\Windows\\ydyategyulafxiprjjmv.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ydyategyulafxiprjjmv.exe C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
File opened for modification C:\Windows\ydyategyulafxiprjjmv.exe C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe

"C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trybesmart.in udp

Files

C:\ProgramData\xedwccxvxjdrmpsrukbdmumycqumjwgq

MD5 720ffbd7c4e1e136bc524c0f3315be5a
SHA1 d97a4c5256f6936226dfc01a6f2681ead44f762e
SHA256 c5ee84be2172fe70689f3716ddd55d39e1d177a76e1ed4844df7feb2d7ad5064
SHA512 c40fff39128002ecf9fc9fbe1af645bbddf6264676aafd4a1f2db780271bd2c7f26e17dea299f5baf515a0524dd4aca59e476a1591c53120fb999cc74a36e8b4

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

40s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\DirectX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Users\Admin\AppData\Roaming\DirectX.exe
PID 2096 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Users\Admin\AppData\Roaming\DirectX.exe
PID 2096 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Users\Admin\AppData\Roaming\DirectX.exe
PID 2096 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Users\Admin\AppData\Roaming\DirectX.exe
PID 2096 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2756 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2756 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2756 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe

"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"

C:\Users\Admin\AppData\Roaming\DirectX.exe

"C:\Users\Admin\AppData\Roaming\DirectX.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c aaa.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im DUMP_00A10000-00A1D000.exe.ViR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 tangotangocash.com udp

Files

memory/2096-0-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Roaming\DirectX.exe

MD5 6152709e741c4d5a5d793d35817b4c3d
SHA1 05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
SHA256 2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
SHA512 1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390

memory/2096-10-0x0000000003C40000-0x0000000003C59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aaa.bat

MD5 3e59a76bf84cb9d1a8585c17cda9b949
SHA1 60fdb9e6bf1154aad3a332ad5657a9d62a5be73a
SHA256 21060b57f9392d62259c274427c4bb6caf19b228716d691f44a26958b3620d5f
SHA512 01bd3726c30e304dd712d302a9081052b50a85a28c586458b691e748b1867e85fa679e58db304793a18f554b8a8c17af00bd38e795d3fdb6b0f5a873f80b5303

memory/2096-21-0x0000000000400000-0x0000000000419000-memory.dmp

memory/1404-24-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240708-en

Max time kernel

130s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dumped_.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Dumped_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dumped_.exe

"C:\Users\Admin\AppData\Local\Temp\Dumped_.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dolores.cursopersona.com udp

Files

memory/2248-0-0x00000000010A0000-0x00000000010B2000-memory.dmp

memory/2248-4-0x00000000010A0000-0x00000000010B2000-memory.dmp

C:\ProgramData\fjpnrwuutgmtath

MD5 e69691901dc85b4281e7877318cc94b8
SHA1 fb172f65d983a17afb1297d34ba30409d7cf46d5
SHA256 0c568d09cbdb4645f277805f37997f73557bc09e9d84a89a5f2ca850b7ac5973
SHA512 5a1a240581e4fb4ed2192cdae8384f040cc7da892dac1116ba74cb108b2465d92800da0938b4645d19953699229d198cf48869d1bcc0a13d1e6daeaf1200e26b

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\Mozilla Maintenance Service\\grMYZPfr.exe" C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhqPtOOK.exe C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhqPtOOK.exe C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhqPtOOK.exe C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhqPtOOK.exe C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FRnZFLWv = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\GszECgJr.exe" C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FRnZFLWv = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\GszECgJr.exe" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dirty\\DirtyDecrypt.exe\" /hide" C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (3 matches; the sandbox recorded no indicator, process or target for any of them)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mozilla Maintenance Service\grMYZPfr.exe C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\grMYZPfr.exe C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
File created C:\Program Files (x86)\Dirty\DirtyDecrypt.exe C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
File opened for modification C:\Program Files (x86)\Dirty\DirtyDecrypt.exe C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A (64 identical rows collapsed: the sandbox recorded 64 process-enumeration events from this one process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
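
The signature tables above name the same registry writes several times (the single EnableLUA = "0" write from TsGngBIh.exe is listed under "UAC bypass", "Checks whether UAC is enabled" and "System policy modification", and the Security Center overrides appear under two headings), so a triage pass that parses the raw "Set value" rows and maps each write to one ATT&CK technique gives a cleaner per-process picture than the signature list. The Python below is an added example written for this page, not code from the sandbox or from the sample. It embeds seven rows copied from the tables above as constructed input, assumes the process column contains no spaces (true for every row in this report), and uses a small rule table written for this example; the ATT&CK IDs are the standard Enterprise technique numbers for Winlogon helper, Run key, firewall, security-tool, and UAC tampering. The Userinit parser tolerates the empty entry produced by the double comma in the recorded value: the default Userinit data ends in a trailing comma, and the sample appended ",<path>" after it.

```python
"""Map sandbox registry 'Set value' rows to ATT&CK techniques per process (added example)."""
import re
from collections import defaultdict

# Constructed input: seven rows copied from the behavioral20 signature tables above, in the
# report's "Description Indicator Process Target" format; backslashes are as the report prints them.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\Mozilla Maintenance Service\\grMYZPfr.exe" C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dirty\\DirtyDecrypt.exe\" /hide" C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A
"""

# Row layout: Set value (type) <key path> = "<data>" <process> N/A. Assumption: the process
# column has no spaces (true for every row in this report), so the greedy data group ends at
# the last quote before it.
ROW_RE = re.compile(r'^Set value \((int|str)\) (\S.*?) = "(.*)" (\S+) N/A$')

# Rule table written for this example: (key-path pattern, data predicate or None, ATT&CK ID, finding).
RULES = [
    (r"\\Winlogon\\Userinit$", None, "T1547.004", "Winlogon Userinit hijack"),
    (r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", None, "T1547.001", "Run key autostart"),
    (r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", lambda v: v == "0", "T1562.004", "host firewall disabled"),
    (r"\\Services\\(wscsvc|mpssvc|wuauserv|WinDefend)\\Start$", lambda v: v == "4", "T1562.001", "security service set to Disabled (Start=4)"),
    (r"\\Policies\\System\\EnableLUA$", lambda v: v == "0", "T1548.002", "UAC disabled (EnableLUA=0)"),
    (r"\\Security Center\\\w+(DisableNotify|Override)$", lambda v: v == "1", "T1562.001", "Security Center alerting suppressed"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), pred, tid, desc) for p, pred, tid, desc in RULES]


def unescape(data):
    """Undo the JSON-style escaping the report applies to the data column (escaped quotes, doubled backslashes)."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_events(text):
    """Yield (kind, key, data, process) for each well-formed row; other lines are ignored."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            kind, key, data, process = m.groups()
            yield kind, key, unescape(data), process


def userinit_extras(data):
    """Entries of a Userinit value other than the legitimate userinit.exe under system32.
    The default value ends in a comma, so an appended ",<path>" leaves an empty entry; skip it."""
    entries = [e.strip().strip('"') for e in data.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]


def classify(text):
    """One finding per row that matches a rule (first matching rule wins)."""
    findings = []
    for kind, key, data, process in parse_events(text):
        for pattern, pred, tid, desc in COMPILED:
            if pattern.search(key) and (pred is None or pred(data)):
                finding = {"process": process, "technique": tid, "finding": desc, "key": key, "data": data}
                if tid == "T1547.004":
                    finding["injected"] = userinit_extras(data)
                findings.append(finding)
                break
    return findings


def by_process(findings):
    """Process -> sorted list of distinct ATT&CK technique IDs it triggered."""
    techniques = defaultdict(set)
    for f in findings:
        techniques[f["process"]].add(f["technique"])
    return {p: sorted(t) for p, t in techniques.items()}


if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for f in found:
        extra = f" injected={f['injected']}" if "injected" in f else ""
        print(f"{f['technique']} {f['finding']}: {f['process']}{extra}")
    print(by_process(found))
```

Run as a script it prints one line per finding and the per-process summary: dircrypt.deobf.exe owns the Winlogon hijack (with grMYZPfr.exe as the injected Userinit entry), DirtyDecrypt.exe owns its own Run key, and TsGngBIh.exe carries the whole defense-evasion set (firewall off, wscsvc and mpssvc disabled, UAC off, Security Center alerting suppressed), which is the preparation a ransomware dropper does before it starts touching user documents. The rule table is deliberately small; extend it with the StartupApproved and Services\<name>\ImagePath keys if you feed it rows from other reports.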

Processes

C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe

"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"

C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe

"C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe"

C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe

"C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 viweabkkfe.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 viweabkkfe.com udp
DE 178.162.203.226:80 viweabkkfe.com tcp
US 8.8.8.8:53 viweabkkfe.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 sjytgtnkdl.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 vjuxtixi.com udp
US 8.8.8.8:53 ntrshvquunyzxevkucs.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
DE 169.50.13.61:80 ntrshvquunyzxevkucs.com tcp
US 8.8.8.8:53 lxpcmncky.com udp
DE 169.50.13.61:80 ntrshvquunyzxevkucs.com tcp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 okenhqzgxngnkbwouvfm.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 wxluitpliymeoirc.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
DE 169.50.13.61:80 wxluitpliymeoirc.com tcp
US 8.8.8.8:53 oismeark.com udp
DE 169.50.13.61:80 wxluitpliymeoirc.com tcp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 kcubcfuhwwn.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 61.13.50.169.in-addr.arpa udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
DE 178.162.203.211:80 viweabkkfe.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 178.162.203.211:80 viweabkkfe.com tcp
DE 178.162.203.211:80 viweabkkfe.com tcp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 211.203.162.178.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 viweabkkfe.com udp
NL 85.17.31.82:80 viweabkkfe.com tcp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
NL 85.17.31.82:80 viweabkkfe.com tcp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 sjytgtnkdl.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 oismeark.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 82.31.17.85.in-addr.arpa udp
NL 85.17.31.82:80 viweabkkfe.com tcp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
NL 85.17.31.82:80 viweabkkfe.com tcp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 xtvklujmo.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
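
The table above is what a domain generation algorithm looks like from the resolver's side: dozens of distinct pseudo-random .com names are queried in rotation, most never get past the DNS lookup, and the handful that do connect (viweabkkfe.com, sjytgtnkdl.com, ntrshvquunyzxevkucs.com, wxluitpliymeoirc.com, kcubcfuhwwn.com) land on two hosts, with 169.50.13.61 answering for four different generated names. The Python below is an added example written for this page, not part of the report or of the sample. It parses rows in this table's format, separates lookups from TCP connects, and decides at session level (how many names were tried, what fraction connected, what fraction look machine-generated) rather than per name, because per-name lexical heuristics alone misfire on short abbreviations. The embedded rows are a constructed subset of this table plus checkip.dyndns.org and dolores.cursopersona.com (looked up in other analyses on this page) as contrast; the thresholds and the second-level-label extraction without a public-suffix list are assumptions.

```python
"""Session-level DGA triage over rows in the report's network-table format (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the behavioral20 rows above, plus checkip.dyndns.org and
# dolores.cursopersona.com (looked up in other analyses on this page) as non-DGA contrast.
SAMPLE_ROWS = """
US 8.8.8.8:53 checkip.dyndns.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 viweabkkfe.com udp
DE 178.162.203.226:80 viweabkkfe.com tcp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 sjytgtnkdl.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 ntrshvquunyzxevkucs.com udp
DE 169.50.13.61:80 ntrshvquunyzxevkucs.com tcp
US 8.8.8.8:53 kcubcfuhwwn.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 61.13.50.169.in-addr.arpa udp
US 8.8.8.8:53 dolores.cursopersona.com udp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (udp|tcp)$")
VOWELS = set("aeiou")


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); lines that do not fit the format are skipped."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            yield country, ip, int(port), domain.lower().rstrip("."), proto


def registrable_label(domain):
    """Second-level label (the part a DGA generates); reverse lookups return None.
    Assumption: plain TLDs only; co.uk-style names would need a public-suffix list."""
    if domain.endswith(".in-addr.arpa"):
        return None
    parts = domain.split(".")
    return (parts[-2] or None) if len(parts) >= 2 else None


def lexical_features(label):
    """Cheap per-label features; score counts how many of three DGA-ish traits the label shows."""
    vowels = sum(ch in VOWELS for ch in label)
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS or not ch.isalpha() else run + 1
        best = max(best, run)
    counts = Counter(label)
    entropy = -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())
    score = int(len(label) >= 10) + int(vowels / len(label) < 0.3) + int(best >= 5)
    return {"length": len(label), "vowel_ratio": round(vowels / len(label), 2),
            "consonant_run": best, "entropy": round(entropy, 2), "score": score}


def triage(text, min_distinct=10, max_connect_ratio=0.5, min_lexical_fraction=0.5):
    """Aggregate a whole table: how many names were tried, how many connected, which IPs repeat."""
    lookups = Counter()
    connected = defaultdict(set)  # label -> IPs it was contacted on
    for _, ip, port, domain, proto in parse_rows(text):
        label = registrable_label(domain)
        if label is None:
            continue
        if proto == "udp" and port == 53:
            lookups[label] += 1
        elif proto == "tcp":
            connected[label].add(ip)
    distinct = len(lookups)
    connect_ratio = len(connected) / distinct if distinct else 0.0
    lexical = {label: lexical_features(label) for label in lookups}
    lexical_fraction = (sum(f["score"] >= 2 for f in lexical.values()) / distinct) if distinct else 0.0
    ip_to_labels = defaultdict(set)
    for label, ips in connected.items():
        for ip in ips:
            ip_to_labels[ip].add(label)
    return {
        "distinct_lookups": distinct,
        "connected": sorted(connected),
        "connect_ratio": round(connect_ratio, 2),
        "lexical_fraction": round(lexical_fraction, 2),
        "lexical": lexical,
        # one IP answering for several generated names is the C2 (or sinkhole) to pivot on
        "shared_ips": {ip: sorted(ls) for ip, ls in ip_to_labels.items() if len(ls) > 1},
        "dga_like": distinct >= min_distinct and connect_ratio <= max_connect_ratio
                    and lexical_fraction >= min_lexical_fraction,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for key in ("distinct_lookups", "connected", "connect_ratio", "lexical_fraction", "shared_ips", "dga_like"):
        print(f"{key}: {result[key]}")
```

On the constructed subset the verdict is DGA-like: 11 names queried, 4 connected, and 169.50.13.61 shared by three of them. Note that dyndns scores as machine-generated on the lexical features alone (no vowels, six-letter consonant run), which is why the lexical fraction only supports the verdict and the volume and connect-ratio signals drive it. On a real resolver log, window the rows by source host and a few minutes, and add NXDOMAIN counts, which a sandbox network table does not record; the shared-IP output is the first thing to pivot on, since the full table above shows the same 169.50.13.61 behind four generated names.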

Files

C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe

MD5 d224637a6b6e3001753d9922e749d00d
SHA1 bacb2313289e00a1933b7984dd1cbef01c8019ee
SHA256 9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263
SHA512 08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe

MD5 1d27a7210f54a047264f23c7506e9506
SHA1 4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527
SHA256 431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9
SHA512 077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700

memory/3168-27-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Desktop\ConvertFromInvoke.xlsx

MD5 53a08f84804005b603250b2bd3440dcb
SHA1 d070e5f6532c1fbc6a3b716794c7b7a6f8de9840
SHA256 e6761f7d29b5e56bacbee0b93a4d2bbb22413d08afa2f812fa935bb30732406a
SHA512 ed58439ccc05fa4f1318aea87b82d6370941a72633bc7dbf9e93fb2ad11c480f07fe0359da90277cbaeb783777b9114b9511d3eec920119809baf499c3d28fe9

C:\Users\Admin\Desktop\DenyOut.jpeg

MD5 417ecfeff42c115bf636175d26d7a74c
SHA1 ee653ecffb54877c1ff7f0904ecf9d5488e8fb4c
SHA256 6e4b9f51b8e8d7c275b73f890e4f878b43702791958c19a71621459dee4af886
SHA512 058cee16e2bba1b0e0d2677023f7abb61baf92f4628fd24bb8a23db08c902a5307f74d791440915d802f84050a70896635644b0f151756f65e534170722fb191

C:\Users\Admin\Desktop\MountRemove.zip

MD5 f2e32f1166dd7d5b6e02c70a5a5ea51b
SHA1 c01d3f0a50dbe1f0dcff1de4e071fa5f8f894751
SHA256 0d0049849ed1ca235cd85df8e778d98186425a950a06b717366d5fe879e53faf
SHA512 19b0b303f8727e1406a5f40f86aa5c5389f7c39fbd5cb715172c6332cd14c4b7a3321c2300e883234183637d8d99bca254e508b33f1ad450f572f386a7eae765

C:\Users\Admin\Desktop\ShowSwitch.rtf

MD5 1301ccb48fed791f5ff7fbcdbb4522fc
SHA1 7b8a0a0a052946e0e2da76dc8c68822a1aa80a85
SHA256 210553b216d1e42150e7313757c5edcf2c653f59bb7efbcee9da66bc6d68966a
SHA512 8dbb8410d9ce81aede28d4830749b515529d07f5c2bc5e52ebe7223b29a4b5d80ea52c9cfd33d5537f34ee8e5a40b0aac82847ff3d19b76b84b77aafa63993b4

C:\Users\Admin\Desktop\SplitFormat.docx

MD5 f509ef6c31a2963fda6b1e79e9e544a6
SHA1 3fc584ec1c8d455a69e1fba6337a0f5f56874a2c
SHA256 eeb2e9012d9d3728879043e4365467b5365232f95bd95b3548cd720d73373a17
SHA512 bab34b50f1e65f4dfb3ab0896bfffcd6f5410eedce4fbdeb09c6055ff15130928aab8b029b6782f29af9a1cdb61c03c340e7377b62bc151b3b09bab184beee53

C:\Users\Admin\Desktop\WatchSuspend.zip

MD5 82609be0f6343d8e8d0d89159a9f9f7d
SHA1 67076039a99b8e62d6eacb4586e6c30ea4872bf9
SHA256 f13b07dfad669d47ac0a88a59677bbd0602d7e2a7c4e07638fdef235cd2cb941
SHA512 918199255c4802dc3a7418e1b3c23b81e8d5167f3131bf9816d54ff3290d766de8f5c5528dddfbaafd24dd2b0f20924aa788181b668d408404f18ee1d64f2a84

C:\Users\Admin\Documents\CopyAssert.xls

MD5 d95e1dfa89473cc83b276409997bf833
SHA1 f7b4e71e67f44234b5f2a25a042901a321670d7c
SHA256 514ec776d8c39de5d334b024cd359c80820f28f762924319797a57e102989297
SHA512 c5f7bf00ce1e1c1cd6886c245c0f1e5020fc5ec0b9af25cec014de708bc90c1dec8beea65f861a30c34f74f022228632b9dfafd9f9a72434ee0324e4fc6fae97

C:\Users\Admin\Documents\InstallAdd.rtf

MD5 2271ab816e43d75d30b736b356dcfb35
SHA1 bb4155835a15c753e9ff21bd955d3ab5d2bb5f11
SHA256 3ac41f74614931be16fe79d72bff3f6c33f1ff1fad679ee137a3931d323ce082
SHA512 312a427002931029bb36d03c5efb4501f48dc93d426bf99cb76e553d8465fede08c1c94234009450ee6abd3c61b05980631ed08383e0284dcce39bc37b0f8784

C:\Users\Admin\Documents\PopFind.rtf

MD5 82d4db3e9f6269d7568c42948aa44d83
SHA1 643f5c6324550646fdb20c41b9b120985d22a33e
SHA256 1a6066f67a70bfead028e3f6923ffe684a2e5fb87dd68b6d01c0433dd6d7c5cf
SHA512 87379704a1dbfd9431627ba2b3050b66cbe37084ab7f8738108b78ef861e4f30dd09f0f5addbf06b5aad5126fa4185f3bf0e3f403b1bfc7214ffb19b225c6101

C:\Users\Admin\Documents\SendUnprotect.pdf

MD5 b6ba14f7ff87de059ab99cc11b87885f
SHA1 32020a6258fb7b3a1ae222613eb5a9e1e3a56e10
SHA256 313621951a26cde61f331e4a1cdb5c1cac7e1c753827b0338cf3fb7aba70617a
SHA512 c0c9bf7cb8ce30504ebb86d86fa33ffae618fdf4e53aa0d7a74734ec446f4853da5d3d89ee7326d2c30b54a307a2e9c77c89ba1eaa3641eab67503dc43d8f5b5

C:\Users\Admin\Documents\SuspendWatch.docm

MD5 37ca8751f1ba8b9e1b67a73759980e99
SHA1 ffa27755dcffc35bdcac7fbc5bd904447f5a0945
SHA256 c0bc2c461468c2cf030b62645aec3a161cc2d101ba720e67171df7e24a582ba4
SHA512 0ad9e95f997ed126320afa494125bf798f7553a1041acd4e9b1eadc10f1190450869e343162e89d4bb94d7b6a6fe6253a41a8bd153d4bbfe9c2c139108098935

memory/3168-181-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

131s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dump.mem.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\service.exe" C:\Users\Admin\AppData\Local\Temp\dump.mem.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dump.mem.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dump.mem.exe

"C:\Users\Admin\AppData\Local\Temp\dump.mem.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 exodus99.ru udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

126s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dump.mem.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\service.exe" C:\Users\Admin\AppData\Local\Temp\dump.mem.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dump.mem.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dump.mem.exe

"C:\Users\Admin\AppData\Local\Temp\dump.mem.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 exodus99.ru udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 exodus99.ru udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 exodus99.ru udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

66s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\DirectX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe

"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"

C:\Users\Admin\AppData\Roaming\DirectX.exe

"C:\Users\Admin\AppData\Roaming\DirectX.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c aaa.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im DUMP_00A10000-00A1D000.exe.ViR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 201.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp
US 8.8.8.8:53 tangotangocash.com udp

Files

memory/1716-0-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Roaming\DirectX.exe

MD5 6152709e741c4d5a5d793d35817b4c3d
SHA1 05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
SHA256 2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
SHA512 1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390

memory/1716-64-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aaa.bat

MD5 3e59a76bf84cb9d1a8585c17cda9b949
SHA1 60fdb9e6bf1154aad3a332ad5657a9d62a5be73a
SHA256 21060b57f9392d62259c274427c4bb6caf19b228716d691f44a26958b3620d5f
SHA512 01bd3726c30e304dd712d302a9081052b50a85a28c586458b691e748b1867e85fa679e58db304793a18f554b8a8c17af00bd38e795d3fdb6b0f5a873f80b5303

memory/2532-67-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sljjipib = "\"C:\\Windows\\ocanybyl.exe\"" C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1620 set thread context of 2360 N/A C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ocanybyl.exe C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\ocanybyl.exe C:\Windows\SysWOW64\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe

"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\system32\explorer.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 money-waterfall.ru udp

Files

memory/1620-3-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1620-4-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1620-2-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1620-1-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1620-0-0x0000000002360000-0x00000000026B0000-memory.dmp

memory/1620-5-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1620-8-0x0000000002360000-0x00000000026B0000-memory.dmp

memory/1620-13-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1620-12-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1620-11-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1620-10-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1620-9-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2360-16-0x00000000000F0000-0x000000000012C000-memory.dmp

memory/2360-15-0x00000000000F0000-0x000000000012C000-memory.dmp

C:\ProgramData\egynegorelydakuf\01000000

MD5 344d179eff7427801b599847c63d232a
SHA1 d363462418f38d8f75361469429a4143b2f803f4
SHA256 99a0358cbbd42544801443e0d729cc1ac6d983da93d248c99170b57c66fd31bc
SHA512 e2e5e6784fe9ff7fbebc118354b1989552b41a650413a2723a402d2f1badabebb72399ff9bfc405a3cedfd03dddf6a4e7144b319eca05dff726cc52369dacc03

memory/1620-20-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2360-27-0x00000000000F0000-0x000000000012C000-memory.dmp

memory/2360-24-0x00000000000F0000-0x000000000012C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inahyqus = "\"C:\\Windows\\ogxqamof.exe\"" C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1808 set thread context of 952 N/A C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ogxqamof.exe C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\ogxqamof.exe C:\Windows\SysWOW64\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe

"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1808 -ip 1808

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\system32\explorer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 824

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 140
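
behavioral7 and behavioral8 show the chain behind the "Suspicious use of SetThreadContext" and "Deletes shadow copies" signatures: EntrateSetup.exe, running from the user's Temp directory, starts explorer.exe, sets its thread context (PID 1620 of 2360 in behavioral7), and vssadmin.exe is then run with Delete Shadows /All /Quiet. behavioral2 shows a different pattern, a dropped DirectX.exe running cmd.exe /c aaa.bat, which in turn runs taskkill /f /im against the original sample. The rule set below, written in Python, is an added example and not the sandbox's own detection logic. Its PROCS rows are copied from those three runs; PIDs 1620 and 2360 are as reported, the remaining PIDs and all parent links are assumptions inferred from the order of the process lists, and the wmic shadowcopy delete alternative in SHADOW_RE is a generalization beyond what this report shows.

```python
"""Rules over a sandbox process tree: shadow-copy deletion, a sample killing
itself via taskkill from a batch file, and a Windows binary started and then
SetThreadContext'ed by a process living in a user-writable directory.
PROCS is copied from behavioral2 and behavioral7 of this report; PIDs 1620
and 2360 are as reported, the other PIDs and the parent links are inferred."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # on-disk path the sandbox resolved (SysWOW64 for a 32-bit sample)
    cmdline: str  # as launched; "system32" here is WOW64 redirection, not path spoofing


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


SHADOW_RE = re.compile(
    r'\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b', re.I)
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def ancestors(by_pid: Dict[int, Proc], pid: int) -> Iterator[Proc]:
    """Walk parent links upwards, guarding against cycles in a reused-PID tree."""
    seen, cur = {pid}, by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        yield cur


def taskkill_target(cmdline: str) -> Optional[str]:
    """Image name given to 'taskkill ... /im NAME', lower-cased, else None."""
    toks = cmdline.lower().split()
    if not toks or basename(toks[0]) not in ('taskkill', 'taskkill.exe'):
        return None
    for i in range(len(toks) - 1):
        if toks[i] == '/im':
            return toks[i + 1]
    return None


def analyze(procs: List[Proc], thread_context: Set[Tuple[int, int]]) -> List[Finding]:
    """thread_context holds (injector_pid, victim_pid) pairs taken from the
    'Suspicious use of SetThreadContext' signature."""
    by_pid = {p.pid: p for p in procs}
    out: List[Finding] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if SHADOW_RE.search(p.cmdline):
            out.append(Finding('shadow-copy deletion', p.pid, p.cmdline))
        target = taskkill_target(p.cmdline)
        if target and any(basename(a.image) == target for a in ancestors(by_pid, p.pid)):
            out.append(Finding('self-termination via taskkill', p.pid, target))
        if (basename(p.image) == 'cmd.exe' and re.search(r'/c\s+\S+\.bat\b', p.cmdline, re.I)
                and parent is not None and in_user_writable(parent.image)):
            out.append(Finding('batch file run by dropped binary', p.pid, p.cmdline))
        # An installer in Temp starting explorer.exe is common on its own; the
        # SetThreadContext record from that same parent is what makes it hollowing.
        if (parent is not None and in_user_writable(parent.image)
                and p.image.lower().startswith('c:\\windows\\')
                and (parent.pid, p.pid) in thread_context):
            out.append(Finding('system binary hollowed by user-writable parent', p.pid,
                               f'{basename(parent.image)} -> {basename(p.image)}'))
    return out


PROCS = [
    # behavioral2 (PIDs 1-4 and parent links assumed from the process list order)
    Proc(1, 0, r'C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe',
         r'"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"'),
    Proc(2, 1, r'C:\Users\Admin\AppData\Roaming\DirectX.exe', r'"C:\Users\Admin\AppData\Roaming\DirectX.exe"'),
    Proc(3, 2, r'C:\Windows\SysWOW64\cmd.exe', r'C:\Windows\system32\cmd.exe /c aaa.bat'),
    Proc(4, 3, r'C:\Windows\SysWOW64\taskkill.exe', 'taskkill /f /im DUMP_00A10000-00A1D000.exe.ViR.exe'),
    # behavioral7 (1620 and 2360 as reported; vssadmin's PID and parent assumed)
    Proc(1620, 0, r'C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe', r'"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"'),
    Proc(2360, 1620, r'C:\Windows\SysWOW64\explorer.exe', r'"C:\Windows\system32\explorer.exe"'),
    Proc(5, 2360, r'C:\Windows\SysWOW64\vssadmin.exe', 'vssadmin.exe Delete Shadows /All /Quiet'),
]
THREAD_CONTEXT = {(1620, 2360)}   # "PID 1620 set thread context of 2360"

if __name__ == '__main__':
    for f in analyze(PROCS, THREAD_CONTEXT):
        print(f'pid {f.pid:5}  {f.rule}: {f.detail}')
```

The hollowing rule deliberately needs both pieces of evidence; without the thread-context pair the run yields only the shadow-copy, taskkill and batch-file findings. The explorer.exe image resolving to SysWOW64 while its command line says system32 is ordinary WOW64 file-system redirection for a 32-bit parent and is not used as an indicator.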

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 money-waterfall.ru udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
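
The table above, like the one in behavioral2, consists almost entirely of repeated lookups of a single name (money-waterfall.ru here, tangotangocash.com there) with no connection ever following, plus reverse lookups and one mDNS row that are sandbox background noise. checkip.dyndns.org in behavioral2 is the opposite case: one lookup, then a TCP/80 connection to 132.226.247.73. The triage script below, in Python, is an added example and not part of the report; it parses rows in exactly the format printed above. SAMPLE_ROWS is a constructed excerpt of the behavioral2, behavioral8 and behavioral26 tables with the repeat counts reduced, the 5-lookup threshold is an arbitrary choice, and the two IP-check services beyond checkip.dyndns.org are an assumption added for generality.

```python
"""Triage of a sandbox 'Network' table: forward DNS lookups are counted per
name and matched against follow-on connections; reverse lookups and multicast
rows are dropped. SAMPLE_ROWS is a constructed excerpt of this report's
behavioral2 / behavioral8 / behavioral26 tables with repeat counts reduced."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# checkip.dyndns.org is from the report; the other two are assumed additions.
IP_CHECK_SERVICES = {'checkip.dyndns.org', 'api.ipify.org', 'icanhazip.com'}
REVERSE_SUFFIXES = ('.in-addr.arpa', '.ip6.arpa')


@dataclass(frozen=True)
class Row:
    country: str
    host: str
    port: int
    domain: str   # '' for rows with no name (mDNS, raw IP connections)
    proto: str


@dataclass
class DomainStats:
    domain: str
    queries: int = 0       # UDP/53 lookups of this name
    connections: int = 0   # any other row carrying the same name (resolved and contacted)


def parse_row(line: str) -> Optional[Row]:
    """'US 8.8.8.8:53 exodus99.ru udp', or without a name 'N/A 224.0.0.251:5353 udp'."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ''
    else:
        return None
    host, _, port = dest.rpartition(':')
    if not port.isdigit():
        return None
    return Row(country, host, int(port), domain.lower(), proto.lower())


def analyze_dns(lines: List[str], min_queries: int = 5
                ) -> Tuple[Dict[str, DomainStats], List[Tuple[str, str]]]:
    stats: Dict[str, DomainStats] = {}
    for line in lines:
        r = parse_row(line)
        if r is None or not r.domain or r.domain.endswith(REVERSE_SUFFIXES):
            continue   # PTR noise and mDNS name no attacker infrastructure
        s = stats.setdefault(r.domain, DomainStats(r.domain))
        if r.port == 53 and r.proto == 'udp':
            s.queries += 1
        else:
            s.connections += 1
    findings: List[Tuple[str, str]] = []
    for s in stats.values():
        if s.domain in IP_CHECK_SERVICES:
            findings.append((s.domain, 'external IP lookup via web service'))
        # Looked up over and over, never connected to: the shape of a retry loop
        # against a C2 name that no longer resolves or is not reachable.
        if s.connections == 0 and s.queries >= min_queries:
            findings.append((s.domain, f'{s.queries} lookups, no connection: retry loop on unresolved C2 name'))
    return stats, findings


SAMPLE_ROWS = (
    ['US 8.8.8.8:53 checkip.dyndns.org udp',
     'BR 132.226.247.73:80 checkip.dyndns.org tcp',
     'US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp',
     'US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp',
     'N/A 224.0.0.251:5353 udp']
    + ['US 8.8.8.8:53 tangotangocash.com udp'] * 8
    + ['US 8.8.8.8:53 money-waterfall.ru udp'] * 6
    + ['US 8.8.8.8:53 exodus99.ru udp'] * 3
)

if __name__ == '__main__':
    stats, findings = analyze_dns(SAMPLE_ROWS)
    for s in stats.values():
        print(f'{s.domain:22} lookups={s.queries:2} connections={s.connections}')
    for domain, why in findings:
        print(f'FLAG {domain}: {why}')
```

With the full tables the counts are far higher than in the excerpt (tangotangocash.com and money-waterfall.ru are each queried around thirty times), so the threshold only matters for short runs such as behavioral25/26, where exodus99.ru is queried too few times to be flagged but still shows up in the per-domain statistics with zero connections.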

Files

memory/1808-11-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-10-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-9-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-8-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-7-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-6-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-5-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-4-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-3-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-26-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-27-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1808-25-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-24-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-23-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-22-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-21-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-20-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-19-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-18-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-17-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-16-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-15-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-14-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-13-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-12-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-2-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-1-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1808-0-0x00000000026B0000-0x0000000002A00000-memory.dmp

memory/952-32-0x0000000001260000-0x000000000129C000-memory.dmp

C:\ProgramData\egynegorelydakuf\01000000

MD5 344d179eff7427801b599847c63d232a
SHA1 d363462418f38d8f75361469429a4143b2f803f4
SHA256 99a0358cbbd42544801443e0d729cc1ac6d983da93d248c99170b57c66fd31bc
SHA512 e2e5e6784fe9ff7fbebc118354b1989552b41a650413a2723a402d2f1badabebb72399ff9bfc405a3cedfd03dddf6a4e7144b319eca05dff726cc52369dacc03

memory/952-37-0x0000000001260000-0x000000000129C000-memory.dmp

memory/952-40-0x0000000001260000-0x000000000129C000-memory.dmp

memory/1808-43-0x0000000000400000-0x0000000000445000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer_new.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vudltabcrghlqti = "C:\\ProgramData\\jkaricctyydkteijfwhz.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vudltabcrghlqti = "C:\\Windows\\jkaricctyydkteijfwhz.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vudltabcrghlqti = "C:\\Windows\\jkaricctyydkteijfwhz.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vudltabcrghlqti = "C:\\ProgramData\\jkaricctyydkteijfwhz.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
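
Every persistence and evasion signature in this report arrives as a registry row: the Winlogon Shell and the four Run-key writes above, the Run keys in behavioral25, 26, 2, 7 and 8, the Internet Explorer PhishingFilter values set to 0 in behavioral7 and 8, and the EnableLUA read in those two runs. The classifier below, in Python, is an added example rather than the sandbox's own signature logic. EVENTS is copied from those tables; the severity scheme, the list of user-writable directories and the final control row (the default Shell value, which must not fire) are the editor's assumptions.

```python
"""Classify the registry rows a sandbox report lists under 'Adds Run key',
'Modifies WinLogon', 'Modifies Internet Explorer Phishing Filter' and
'Checks whether UAC is enabled'. EVENTS is copied from this report's tables;
the final row is a constructed control that must not fire."""
from dataclasses import dataclass
from typing import List, Optional

USER_WRITABLE = ('\\appdata\\', '\\programdata\\', '\\temp\\', '\\users\\public\\')


@dataclass(frozen=True)
class Finding:
    severity: str   # critical | high | medium | info
    technique: str
    key: str        # hive-normalized key
    value: str      # decoded value data
    process: str    # writing process, as reported


def normalize_key(key: str) -> str:
    """\\REGISTRY\\USER\\<SID>\\x -> HKCU\\x and \\REGISTRY\\MACHINE\\x -> HKLM\\x; the
    WOW6432Node reflection layer is dropped so 32- and 64-bit Run keys compare equal."""
    parts = key.split('\\')
    if len(parts) > 3 and parts[1].upper() == 'REGISTRY':
        hive, rest = parts[2].upper(), parts[3:]
        if hive == 'USER' and rest and rest[0].upper().startswith('S-1-5-'):
            parts = ['HKCU'] + rest[1:]
        elif hive == 'USER':
            parts = ['HKU'] + rest
        else:
            parts = ['HKLM'] + rest
    return '\\'.join(p for p in parts if p.upper() != 'WOW6432NODE')


def decode_value(raw: str) -> str:
    """Undo the report's C-style escaping of string data and strip the quotes
    some samples (behavioral7/8) wrap around the path."""
    return raw.replace('\\"', '"').replace('\\\\', '\\').strip('"')


def suspicious_launch_path(path: str) -> bool:
    """User-writable directories, or a binary dropped straight into C:\\Windows\\
    (not System32/SysWOW64), the way behavioral7/8 stage ocanybyl.exe / ogxqamof.exe."""
    p = path.lower()
    return any(d in p for d in USER_WRITABLE) or (p.startswith('c:\\windows\\') and p.count('\\') == 2)


def classify(ev: dict) -> Optional[Finding]:
    key = normalize_key(ev['key'])
    parent, _, name = key.rpartition('\\')
    parent, name, value = parent.upper(), name.upper(), decode_value(ev['value'])
    if ev['op'] == 'query':   # reads are only interesting for the UAC probe
        return Finding('info', 'UAC state check (EnableLUA read)', key, '', ev['process']) if name == 'ENABLELUA' else None
    if parent.endswith(('\\CURRENTVERSION\\RUN', '\\CURRENTVERSION\\RUNONCE')):
        sev = 'high' if suspicious_launch_path(value) else 'medium'
        return Finding(sev, 'Run-key autostart', key, value, ev['process'])
    if parent.endswith('\\WINLOGON') and name == 'SHELL':
        if value.lower() == 'explorer.exe':   # the default shell is not a finding
            return None
        return Finding('critical', 'Winlogon Shell replaced', key, value, ev['process'])
    if parent.endswith('\\PHISHINGFILTER') and name in ('ENABLEDV8', 'ENABLEDV9') and value == '0':
        return Finding('medium', 'IE phishing filter disabled', key, value, ev['process'])
    return None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


EVENTS = [
    # behavioral25: the sample registers a copy of itself under the user's Run key
    {'op': 'set', 'key': r'\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services',
     'value': r'C:\\Users\\Admin\\AppData\\Local\\service.exe', 'process': r'C:\Users\Admin\AppData\Local\Temp\dump.mem.exe'},
    # behavioral2: 32-bit machine-wide Run key; normalization drops WOW6432Node so it matches its 64-bit twin
    {'op': 'set', 'key': r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX',
     'value': r'C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe', 'process': r'C:\Users\Admin\AppData\Roaming\DirectX.exe'},
    # behavioral7: the hollowed explorer.exe writes a quoted path in C:\Windows; the value arrives escaped
    {'op': 'set', 'key': r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sljjipib',
     'value': r'\"C:\\Windows\\ocanybyl.exe\"', 'process': r'C:\Windows\SysWOW64\explorer.exe'},
    {'op': 'set', 'key': r'\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8',
     'value': '0', 'process': r'C:\Windows\SysWOW64\explorer.exe'},
    {'op': 'query', 'key': r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA',
     'value': '', 'process': r'C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe'},
    # behavioral28: Winlogon Shell replaced and a Run key pointing into ProgramData
    {'op': 'set', 'key': r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell',
     'value': 'explorer_new.exe', 'process': r'C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe'},
    {'op': 'set', 'key': r'\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vudltabcrghlqti',
     'value': r'C:\\ProgramData\\jkaricctyydkteijfwhz.exe', 'process': r'C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe'},
    # constructed control (not from the report): the default Shell value
    {'op': 'set', 'key': r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell',
     'value': 'explorer.exe', 'process': r'C:\Windows\regedit.exe'},
]

if __name__ == '__main__':
    for f in scan(EVENTS):
        print(f'[{f.severity:8}] {f.technique}: {f.key} = {f.value!r}  (by {f.process})')
```

Folding the SID-bearing hive to HKCU and dropping WOW6432Node is what lets the same rule cover the per-user and machine-wide writes this sample makes in pairs (behavioral2 and behavioral28 each write the same value name to both); a Run value is rated high only when the launch path sits in AppData, ProgramData, Temp or directly in C:\Windows, so an ordinary installer's Program Files entry would come out as medium.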

Processes

C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe

"C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trybesmart.in udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\ProgramData\yxftnsxajaeqqfnbmjyxbpypdpylkwqn

MD5 2747bf29cce4861659725fc80c4757a6
SHA1 03b82fb9fbd4e8d4915a7fd5037585d1f3766a0a
SHA256 264b88bc33cd504986e7d24581055fa1c8747fa6d79affe79d4085151cd8c14a
SHA512 631c7df5b62e4b7ef3df45d034add386c19532e6d416c9f59860a1a0cd34e1d1cdd235a1ca93a654df146c9593bb833b816b6b41ba303cb60d79c764bb6148ce

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe C:\Windows\system32\cmd.exe (2 events)
PID 4060 wrote to memory of 4300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe (2 events)
PID 4060 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe (3 events)
PID 4868 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 events)
PID 1652 wrote to memory of 2192 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 events)
PID 1652 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 events)
PID 1652 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 events)
PID 1652 wrote to memory of 4712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (11 events)
Identical rows collapsed; the count in parentheses is the number of times the sandbox logged that write.
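
The table above logs one row per cross-process write, so the chain that matters is buried under repeats and under msedge.exe writing into its own renderer and utility children. Two details in the Processes list below explain why a browser is in the picture at all. First, cmd.exe is started as C:\Windows\sysnative\cmd.exe, an alias that only exists for 32-bit processes on 64-bit Windows, so ExtraTools.exe is a 32-bit wrapper that unpacks ExtraTools.bat, ErOne.vbs, chrst.exe and firefox32.exe into the 8DE8.tmp folder and runs the batch file with cmd /c "<bat> <exe>", a pattern typical of batch-to-exe wrappers. Second, msedge.exe is launched with a go.microsoft.com fwlink URL carrying o1=SHIM_NOVERSION_FOUND&processName=chrst.exe, which is the page the .NET Framework startup shim opens when an executable asks for a runtime version that is not installed; chrst.exe therefore most likely never reached its payload in this detonation, and the Edge activity is the sandbox opening the .NET download page. The script below is an added example, not code from the sandbox vendor or from the sample: it parses rows in the format of this table, collapses repeats, drops the browser-internal edges and prints the remaining execution chain. The sample rows are constructed from the table above.

```python
"""Collapse a sandbox "Suspicious use of WriteProcessMemory" table into a
process tree.

Every row has the shape
    PID <src> wrote to memory of <dst> N/A <src image> <dst image>
and the sandbox emits one row per API call, so one parent/child pair can
show up dozens of times.  Counting rows and walking the unique edges gives
the execution chain the analyst actually cares about.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the distinct rows of the table above plus a few of
# their repeats, so the counting is visible without pasting all 64 lines.
SAMPLE_ROWS = r"""
PID 2796 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe C:\Windows\system32\cmd.exe
PID 2796 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe C:\Windows\system32\cmd.exe
PID 4060 wrote to memory of 4300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4060 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe
PID 4868 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1652 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"""

# Both image paths start with a drive letter.  The non-greedy source path
# stops at the first " X:\" that opens the target path, which is safe because
# a Windows path with embedded spaces never contains " X:\" itself.
EDGE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.*?) (?P<dst_img>[A-Za-z]:\\.*)$"
)


def parse_edges(text):
    """Counter keyed by (src_pid, dst_pid, src_image, dst_image)."""
    counts = Counter()
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            counts[(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
    return counts


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_browser_internal(edge):
    """Chromium's sandbox broker writes into every renderer/utility child it
    launches, so msedge.exe -> msedge.exe writes are expected, not injection."""
    _, _, src_img, dst_img = edge
    return basename(src_img).lower() == basename(dst_img).lower() == "msedge.exe"


def collapse(counts):
    """One line per distinct edge with its repeat count, most frequent first."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0], kv[0][1]))
    return [f"{s}:{basename(si)} -> {d}:{basename(di)} x{n}"
            for (s, d, si, di), n in ordered]


def process_chains(counts):
    """Root-to-leaf chains of image names, ignoring browser-internal edges."""
    children, names = defaultdict(list), {}
    for edge in counts:
        if is_browser_internal(edge):
            continue
        s, d, si, di = edge
        children[s].append(d)
        names[s], names[d] = basename(si), basename(di)
    targets = {d for kids in children.values() for d in kids}
    chains = []

    def walk(pid, path):
        if pid not in children:          # leaf: nothing further was written to
            chains.append(" -> ".join(path))
            return
        for child in sorted(children[pid]):
            walk(child, path + [names[child]])

    for root in sorted(p for p in children if p not in targets):
        walk(root, [names[root]])
    return chains


if __name__ == "__main__":
    counts = parse_edges(SAMPLE_ROWS)
    print("\n".join(collapse(counts)))
    print("\n".join(process_chains(counts)))
```

Run against the full table the same code yields two chains, ExtraTools.exe -> cmd.exe -> WScript.exe and ExtraTools.exe -> cmd.exe -> chrst.exe -> msedge.exe, with the 55 msedge-to-msedge rows folded away; the chrst.exe -> msedge.exe edge is the shim launching the browser, not the payload injecting into it.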

Processes

C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe

"C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\ExtraTools.bat "C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe""

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\ErOne.vbs"

C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe

chrst.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=chrst.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd675a46f8,0x7ffd675a4708,0x7ffd675a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=chrst.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd675a46f8,0x7ffd675a4708,0x7ffd675a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 23.200.189.221:443 learn.microsoft.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 221.189.200.23.in-addr.arpa udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.42.65.93:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 20.42.65.93:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\ExtraTools.bat

MD5 8f07fa594d84c6e234b336def0b47cdc
SHA1 34b88980635c3f2367af03caedc01d50b5e4624a
SHA256 dd79d7a80a9087e1fced76ade08394843eab01a8ce263dc2306f46435b451f77
SHA512 c33fd26b5399771f4bf9877d717bb730a8101b9f6bd24847084c50b066db7f6e43d56cbf44792eedc94d117c50a988f5d4a46127a34a2115c50fbb4a67ed2047

C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\ErOne.vbs

MD5 a764fe63c6cc48c851f0d2a8ba73c2b7
SHA1 e16351bd38ebcac7e182905767f9b36e078fb5d5
SHA256 8c4d90a5343cea107fad96e842404522aadfc416e7cf84adc58fe2ba72bbc919
SHA512 b0a93898c66c2ff97f9d8cb1f75364a6c4a0ad5cf3158815f94ffb900796065c8e0d384b392d59bf2b01419adb8c65d2dc846ddebaaea971d64c3300edc63571

C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\firefox32.exe

MD5 866604f3adb9207e29505012215f203f
SHA1 718b342c3bc42f3e73c4014c2b105c4d467b0ba6
SHA256 978ed9b9c86653e8f10feb9e7f93eb32f2dadeec42ccce498403e96b7bb3e3c9
SHA512 cdcdd94e2a4c550a819a28085fe543ed944da298da1409ed111380fbde89f6976a4c7d040750307579b007b4551aa86182d453408436bd7aef35423c49b60f79

C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe

MD5 c657daf595b5d535ccc757ad837eebe8
SHA1 894e953e86e54a830a14fac94e57569d184a9c09
SHA256 a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526
SHA512 21a26bc146dd2a915c17b268b13edc565e9a582d11c1714d89741f4156a880dfe35415d4920a6326d164519f4b28b6371ef9c7bfdb5e19080448bd77b4a20a4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

\??\pipe\LOCAL\crashpad_1652_SGZXKNJZNYMYKJYL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7379466647e3765c092f6185c2a87874
SHA1 b0484a18f4b9f04c5716bb590facbb7d323e4f1a
SHA256 7e5d0dfc993a56c57f80deff53e52bd1e5d6e317d6420fe0e049e6d77c5897df
SHA512 200d9b2f9bf27dc969ef3be7cd68aa0d9073036090c8b31297f89b2553765886358d3f00389dcecb559d45bcbc65adc46f44c4eb1b4b2e819e7a4a8e32da68ee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8c20e44a3f8d8f5e996a9b6d4cbb77c7
SHA1 fd3c00496bf3b9bdd138bd0bb196cd90ee9d77e3
SHA256 17be443fdfb4688771fd7b453af64b2c0cfedb699858444d98a7f24ebac90f51
SHA512 944349ecefffe87bf15c67c9fa3095a682458847182cb2e0827d18012ffa5189d43464746e70a01d6f10c7cfd1c5066f4bfb811d032cb1d356b6f36e5bf8f4df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7ba8753bd535947a7de592b28172e18b
SHA1 00563b46e74075b78853a5ed0ee089f1a0186b9a
SHA256 04bd1b6698415910dba0a4c3e59e0d56b6011d785f6c33011c902383827c1793
SHA512 609be33c5a12bc6f55f1fcd9269402edaaabbc2f0a23363802969b394408d89523fafd4fc493a6ba8ee745088ca1016e5ff1f0fe5e7ea72531b904a37cbdad0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c5c5d431ab1d75854f1f8e48d9588b00
SHA1 0e6fc95bf5c6a91b86e8eda3126b8318643d8626
SHA256 cf2507ecf83d7a810c9794f579934412c030c12f45816f6a6ddf17e9b05b05d2
SHA512 9d8e77567b785d9f91f316060ffe73f6e0faf7ef45e0234559e944e1d18eb28d5566f4812609743cc4238527de3f8b57aca3b2342777e1b54fbe1395f8d613fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9d5136804451ca102c1f0a4d4942bec3
SHA1 b5b31fa6119b31c430589e56cacd817df24a636d
SHA256 5f5cd1f2c21356bf89d5ad8858e7038ffdfc0099dda225f58721f9a56dd53cb8
SHA512 7043d3d5310358329274fe0f2974f2243b22f9e485215c3abceafa73c413d95268dd3e9a488df32bc9c807d1486a19fc0e35d497cf2e528010fc617ddc2273fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58029b.TMP

MD5 bfab0336c3c8c190e2853b4350b0b88d
SHA1 9299456e262fdc0d2626c29ae3dce4490525323e
SHA256 e6d82746a35a0fd8b56f453e0a04d95c955155cb1c71dd9ecedb34e04dc24e71
SHA512 1514cf7ce819887ceccceb7bb1203ed2dfd8a8e629f4499a295f0ebe814fb2ee34b29bc6d47c44cbf5d9d3ebab83556476d2385581334c390809d65a8d0f2f84

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a5d1107ad646b86ad0c78a152a2ece81
SHA1 6f2ca812c647f290ed27d2c96ce734b46754f5ea
SHA256 17cf02578c4501f4caedd3e33584846a01702365a38588193f2ca49650bbdd0a
SHA512 05766921f2361e86a236de8d39fb56b2473dfd8867f046288b4eb0696a1c51fc0810b304fa3efb428abe93ae8eadb44f1af128ee3afbdf7e3aa1e5383f6a3857

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 05592d6b429a6209d372dba7629ce97c
SHA1 b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA256 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512 caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\decrypt_0000000000000020-000A0000.exe" C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A
File opened for modification C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A
File created C:\Program Files (x86)\KBSBQHKMQP.FNE C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A
File opened for modification C:\Program Files (x86)\KBSBQHKMQP.FNE C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe

"C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe"
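
behavioral15 is a different sample from the batch. decrypt_0000000000000020-000A0000.exe copies itself to the top level of Program Files (x86), registers that copy under the machine-wide Run key with the value name pr, drops KBSBQHKMQP.FNE beside it (.FNE is the extension used by Easy Programming Language support libraries, something to confirm when the dropped file is pulled from the sandbox), and then, as the Network table that follows shows, alternates plaintext HTTP connections to deenislam.org and dedhamfoodpantry.org for the rest of the run while three other names are resolved but never connected to. The script below is an added example, not part of the report or of the sample: it parses the signature row and the network rows in the report's own format, lists why the Run value is suspicious, counts connections per destination and measures how long the two-host alternation lasts. Its input rows are constructed excerpts of the tables on this page.

```python
"""Triage helpers for the behavioral15 detonation: parse the Run-key
signature row and the Network table rows in the report's own format."""
import re
from collections import Counter

# Constructed from the "Adds Run key" signature row above; the sandbox prints
# the REG_SZ data with escaped backslashes, reproduced here as-is.
RUN_KEY_ROW = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = '
    r'"C:\\Program Files (x86)\\decrypt_0000000000000020-000A0000.exe" '
    r'C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A'
)

# Constructed excerpt of the Network table; the full table repeats the two
# TCP rows, alternating, for the rest of the run.
NETWORK_ROWS = r"""
US 8.8.8.8:53 craigslistlasvegascars.com udp
US 8.8.8.8:53 deenislam.org udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dedhamfoodpantry.org udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
"""

RUN_ROW_RE = re.compile(r"^Set value \((\w+)\) (?P<path>\S+) = (?P<rest>.*)$")


def parse_run_key(row):
    """Split a 'Set value' row into key, value name, data and writing process."""
    m = RUN_ROW_RE.match(row)
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    rest = m["rest"]
    if rest.startswith('"'):
        data, _, tail = rest[1:].partition('"')
    else:
        data, _, tail = rest.partition(" ")
    data = data.replace("\\\\", "\\")  # undo the sandbox's escaping
    writer = tail.strip()
    if writer.endswith(" N/A"):  # empty Target column
        writer = writer[:-4]
    return {"key": key, "name": name, "data": data, "writer": writer}


def autorun_findings(entry):
    """Reasons this Run value deserves attention; an empty list flags nothing."""
    findings = []
    key = entry["key"].upper()
    if "\\MACHINE\\" in key and key.endswith("\\RUN"):
        findings.append("HKLM Run key: executes at logon for every user")
    if len(entry["name"]) <= 3:
        findings.append(f"value name {entry['name']!r} is short and non-descriptive")
    if re.match(r"^[A-Za-z]:\\Program Files( \(x86\))?\\[^\\]+\.exe$", entry["data"], re.I):
        findings.append("target sits directly under Program Files, not in a vendor folder")
    if "\\appdata\\local\\temp\\" in entry["writer"].lower():
        findings.append("value written by an executable running from %TEMP%")
    return findings


def parse_network(text):
    """Rows of the Country/Destination/Domain/Proto table as dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:  # multicast rows carry no domain
            parts.insert(2, "")
        if len(parts) != 4:
            continue
        cc, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"cc": cc, "host": host, "port": int(port), "domain": domain, "proto": proto})
    return rows


def beacon_summary(rows, min_repeats=3):
    """TCP destinations hit at least min_repeats times, plus names that were
    resolved but never connected to (dead or fallback C2 candidates)."""
    tcp = Counter((r["domain"], r["host"], r["port"]) for r in rows if r["proto"] == "tcp")
    resolved = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53 and r["domain"]}
    beacons = sorted(((d, h, p, n) for (d, h, p), n in tcp.items() if n >= min_repeats),
                     key=lambda t: (-t[3], t[0]))
    return {"beacons": beacons, "dns_only": sorted(resolved - {d for d, _, _ in tcp})}


def longest_alternating_run(rows):
    """Longest stretch of consecutive TCP connections that strictly alternate
    between two destinations; a long run is a crude round-robin C2 indicator."""
    seq = [(r["host"], r["port"]) for r in rows if r["proto"] == "tcp"]
    if len(seq) < 2:
        return len(seq)
    best = run = 2 if seq[0] != seq[1] else 1
    for i in range(2, len(seq)):
        if seq[i] == seq[i - 2] and seq[i] != seq[i - 1]:
            run += 1
        elif seq[i] != seq[i - 1]:
            run = 2
        else:
            run = 1
        best = max(best, run)
    return best
```

On the full table in this section the alternating run is longer than 150 connections and every one of them is plaintext HTTP on port 80, so the host pair and the unresolved names are the network indicators to take from this detonation; the Run value and the two files under Program Files (x86) are the host indicators.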

Network

Country Destination Domain Proto
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
US 8.8.8.8:53 deenislam.org udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 8.8.8.8:53 dedhamfoodpantry.org udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp
HK 34.92.46.178:80 deenislam.org tcp
US 192.124.249.157:80 dedhamfoodpantry.org tcp

Files

memory/2380-3-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-4-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-5-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-6-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-7-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-8-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-9-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-10-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-11-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-12-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-13-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-14-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-15-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2380-16-0x0000000000400000-0x00000000004A0000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-22 03:36

Reported

2024-11-22 03:39

Platform

win7-20240903-en

Max time kernel

43s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 2612 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd" "

C:\Windows\system32\notepad.exe

notepad.exe C:\Users\Admin\AppData\Local\Temp\360390_readme.txt

C:\Windows\system32\reg.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WinHelp" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\360390_readme.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 locksmithspringfield.us udp
US 15.197.148.33:80 locksmithspringfield.us tcp
US 8.8.8.8:53 thecottagespsychotherapycenter.com udp
US 8.8.8.8:53 kashfianlaw.com udp
US 104.16.109.239:80 kashfianlaw.com tcp
US 8.8.8.8:53 www.kashfianlaw.com udp
US 104.16.112.239:443 www.kashfianlaw.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
NL 2.18.121.147:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.200.189.225:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd

MD5 d96f59d97099a6248989e828d766dd5b
SHA1 9322d296171970ce8a280a4c562f41b5f3689de0
SHA256 e534769d416412d6ea8e91faf108bd8f52838e854145eab052483c37b4add1e3
SHA512 562c52a4dab31d9fc8983823561d181ddd0d0999baf3cbe8841afd3919ae020df573f41bd58fe6ecd090d47a1a1d2bad6abd68955e329cd541974c12d4ceca8c

C:\Users\Admin\AppData\Local\Temp\360390_readme.txt

MD5 f6a2bb17bf99a4dab08f75504bf270b3
SHA1 d42b9acaa08e19e1708e0e00a7961b8dd3219102
SHA256 34d5153eb38ee664fc03fcb7de7a75a76c1162fa83110d34e6b64c29424ed6ed
SHA512 037a713b6e8580adf6773992b29b75dcae8d0284dee228deddb41149d89aafefc9d8bf4374d8437d57f6a26afede42accb629988b5cd234430f53f5df2da0a96