Analysis Overview
SHA256
17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd
Threat Level: Known bad
The file Batch_7.zip was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Modifies firewall policy service
Pony family
Pony,Fareit
Modifies security service
CrypVault
UAC bypass
Windows security bypass
Crypvault family
Process spawned unexpected child process
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Deletes shadow copies
Renames multiple (4015) files with added filename extension
Adds policy Run key to start application
Blocklisted process makes network request
Disables RegEdit via registry modification
Drops file in Drivers directory
Disables Task Manager via registry modification
Loads dropped DLL
Drops startup file
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Windows security modification
Indicator Removal: File Deletion
Enumerates connected drives
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Requests dangerous framework permissions
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Sets desktop wallpaper using registry
Drops file in System32 directory
Enumerates processes with tasklist
Drops file in Windows directory
Drops file in Program Files directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Command and Scripting Interpreter: JavaScript
Program crash
Enumerates physical storage devices
Suspicious use of UnmapMainImage
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer Phishing Filter
Uses Volume Shadow Copy service COM API
Modifies Internet Explorer settings
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
System policy modification
Opens file in notepad (likely ransom note)
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: RenamesItself
Kills process with taskkill
outlook_win_path
Analysis: static1
Detonation Overview
Reported
2024-11-22 03:36
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
2 hits; the report records no description, indicator, process or target for either.
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
26 hits; the report records no description, indicator, process or target for any of them.
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
126s
Max time network
150s
Command Line
Signatures
Deletes shadow copies
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" | C:\ProgramData\svchosd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" | C:\ProgramData\svchosd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\H: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\I: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\N: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\B: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\L: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\R: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\X: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\S: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\T: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\U: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\J: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\M: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\R: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\V: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\A: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\K: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Q: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\S: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\A: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\K: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\L: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\P: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\T: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\W: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\M: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\V: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\X: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Y: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\N: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\P: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Y: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\O: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Q: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\W: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\I: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\O: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\U: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\B: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\J: | C:\WINDOWS\system32\vssadmin.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\svchosd.exe | N/A |
Interacts with shadow copies
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe
"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
C:\ProgramData\svchosd.exe
"C:\ProgramData\svchosd.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
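The process tree above is the classic ransomware pre-encryption step: the dropper drives one cmd.exe /c vssadmin.exe delete shadows /For=<letter>: /all /quiet per drive letter, and the same loop runs again from the persistence copy C:\ProgramData\svchosd.exe. The following is an added detection example written for this report, not tooling from the sandbox or code from the sample. It consumes process-creation records (pid, parent pid, image, command line, the fields a parsed Sysmon Event ID 1 or EDR process-start feed carries; field names are assumptions), flags shadow-copy destruction command lines, counts deletions per originating process so the per-drive loop stands out from a one-off administrative run, and flags the behavioral24 chain of a script host handing a file from %TEMP% to cmd.exe. The events are constructed to mirror the report's trees; only pids 1920 and 1168 come from the report, the other pids and the loop threshold are invented.

```python
"""Flag shadow-copy destruction and script-host download chains in
process-creation events.

Added example for this report; it is not tooling from the sandbox or code
from the sample. Events are constructed to mirror the process trees in the
behavioral22 (dma locker 4.0.exe -> cmd.exe -> vssadmin.exe, once per drive
letter) and behavioral24 (wscript.exe downloader.js -> cmd.exe 360390_tree.cmd)
analyses. Pids other than 1920/1168, the field names and the loop threshold
are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Shadow-copy destruction patterns. The vssadmin form is what this report shows;
# the other three are the usual alternatives and are added as generalisations.
SHADOW_RULES = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("win32_shadowcopy via powershell/wmi", re.compile(r"win32_shadowcopy")),
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
LOOP_THRESHOLD = 3  # deletions driven by one origin process (assumed threshold)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings as (rule, pid, detail) tuples."""
    by_pid = {e.pid: e for e in events}
    findings = []
    loop_hits = defaultdict(list)  # origin pid -> pids of deleting children

    for e in events:
        cmd = e.cmdline.lower()
        for rule, rx in SHADOW_RULES:
            if not rx.search(cmd):
                continue
            findings.append((rule, e.pid, e.cmdline))
            # Count the loop on the executing image only, so a cmd.exe /c wrapper
            # and the vssadmin.exe it launches are not counted twice; attribute
            # through the wrapper to whatever spawned it.
            if basename(e.image) != "cmd.exe":
                origin = e.ppid
                parent = by_pid.get(origin)
                if parent is not None and basename(parent.image) == "cmd.exe":
                    origin = parent.ppid
                loop_hits[origin].append(e.pid)
            break

        # Script host handing a file dropped in %TEMP% to cmd.exe (behavioral24 chain)
        if basename(e.image) == "cmd.exe":
            parent = by_pid.get(e.ppid)
            if parent is not None and basename(parent.image) in SCRIPT_HOSTS and TEMP_DIR.search(e.cmdline):
                findings.append(("script host launched cmd on %TEMP% file", e.pid, e.cmdline))

    for origin, children in loop_hits.items():
        if len(children) >= LOOP_THRESHOLD:
            findings.append(("shadow deletion loop", origin,
                             f"{len(children)} shadow-copy deletions driven by pid {origin}"))
    return findings


def sample_events():
    """Constructed events modelled on the report's process trees."""
    locker = r"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"
    events = [ProcEvent(3444, 1000, locker, f'"{locker}"')]
    pid = 4000
    for letter in "ABCDE":  # the report runs A: through Y:; five suffice here
        vss = f"C:\\WINDOWS\\system32\\vssadmin.exe delete shadows /For={letter}: /all /quiet"
        events.append(ProcEvent(pid, 3444, r"C:\Windows\system32\cmd.exe", f"C:\\Windows\\system32\\cmd.exe /c {vss}"))
        events.append(ProcEvent(pid + 1, pid, r"C:\WINDOWS\system32\vssadmin.exe", vss))
        pid += 2
    # Constructed benign control: an administrator listing shadows interactively
    events.append(ProcEvent(5000, 900, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe list shadows"))
    # behavioral24 chain, pids as reported
    events.append(ProcEvent(1920, 1000, r"C:\Windows\system32\wscript.exe",
                            r"wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js"))
    events.append(ProcEvent(1168, 1920, r"C:\Windows\system32\cmd.exe",
                            r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd" "'))
    return events


if __name__ == "__main__":
    for rule, pid, detail in detect(sample_events()):
        print(f"[{rule}] pid={pid} {detail}")
```

The SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege adjustments the report attributes to vssvc.exe are the Volume Shadow Copy service doing its normal work when it services the request, so they are not useful as the trigger; the detection keys on the caller's command line and on how many deletions one origin process drives.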
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 5.8.63.54:80 | N/A | tcp |
| US | 5.8.63.54:80 | N/A | tcp |
Files
memory/3444-0-0x0000000002240000-0x0000000002281000-memory.dmp
memory/3444-2-0x0000000002240000-0x0000000002281000-memory.dmp
memory/3444-1-0x0000000000400000-0x0000000000453000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
16s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Reads user/profile data of web browsers
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1920 wrote to memory of 1168 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe |
| PID 1920 wrote to memory of 1168 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | locksmithspringfield.us | udp |
| US | 15.197.148.33:80 | locksmithspringfield.us | tcp |
| US | 8.8.8.8:53 | thecottagespsychotherapycenter.com | udp |
| US | 8.8.8.8:53 | kashfianlaw.com | udp |
| US | 104.16.108.239:80 | kashfianlaw.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.148.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.108.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.kashfianlaw.com | udp |
| US | 104.16.112.239:443 | www.kashfianlaw.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 239.112.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd
| MD5 | d96f59d97099a6248989e828d766dd5b |
| SHA1 | 9322d296171970ce8a280a4c562f41b5f3689de0 |
| SHA256 | e534769d416412d6ea8e91faf108bd8f52838e854145eab052483c37b4add1e3 |
| SHA512 | 562c52a4dab31d9fc8983823561d181ddd0d0999baf3cbe8841afd3919ae020df573f41bd58fe6ecd090d47a1a1d2bad6abd68955e329cd541974c12d4ceca8c |
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20241010-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe
"C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\ExtraTools.bat "C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe""
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\ErOne.vbs"
C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe
chrst.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\ExtraTools.bat
| MD5 | 8f07fa594d84c6e234b336def0b47cdc |
| SHA1 | 34b88980635c3f2367af03caedc01d50b5e4624a |
| SHA256 | dd79d7a80a9087e1fced76ade08394843eab01a8ce263dc2306f46435b451f77 |
| SHA512 | c33fd26b5399771f4bf9877d717bb730a8101b9f6bd24847084c50b066db7f6e43d56cbf44792eedc94d117c50a988f5d4a46127a34a2115c50fbb4a67ed2047 |
C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\ErOne.vbs
| MD5 | a764fe63c6cc48c851f0d2a8ba73c2b7 |
| SHA1 | e16351bd38ebcac7e182905767f9b36e078fb5d5 |
| SHA256 | 8c4d90a5343cea107fad96e842404522aadfc416e7cf84adc58fe2ba72bbc919 |
| SHA512 | b0a93898c66c2ff97f9d8cb1f75364a6c4a0ad5cf3158815f94ffb900796065c8e0d384b392d59bf2b01419adb8c65d2dc846ddebaaea971d64c3300edc63571 |
C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\firefox32.exe
| MD5 | 866604f3adb9207e29505012215f203f |
| SHA1 | 718b342c3bc42f3e73c4014c2b105c4d467b0ba6 |
| SHA256 | 978ed9b9c86653e8f10feb9e7f93eb32f2dadeec42ccce498403e96b7bb3e3c9 |
| SHA512 | cdcdd94e2a4c550a819a28085fe543ed944da298da1409ed111380fbde89f6976a4c7d040750307579b007b4551aa86182d453408436bd7aef35423c49b60f79 |
C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\chrst.exe
| MD5 | c657daf595b5d535ccc757ad837eebe8 |
| SHA1 | 894e953e86e54a830a14fac94e57569d184a9c09 |
| SHA256 | a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526 |
| SHA512 | 21a26bc146dd2a915c17b268b13edc565e9a582d11c1714d89741f4156a880dfe35415d4920a6326d164519f4b28b6371ef9c7bfdb5e19080448bd77b4a20a4b |
memory/2404-44-0x00000000743CE000-0x00000000743CF000-memory.dmp
memory/2404-45-0x0000000001030000-0x0000000001058000-memory.dmp
memory/2404-46-0x00000000743CE000-0x00000000743CF000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\xgoexxnq.exe" | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Disables Task Manager via registry modification
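The registry writes in this analysis (Winlogon\Shell extended with a Temp-dropped executable, DisableRegistryTools set to 1, the VBOX__ ACPI table name probed before running) and the Run-key writes in behavioral22 (value names "Windows Firewall" and "Windows Update" pointing at a ProgramData executable and a .bat) are all visible in the report's "Description | Indicator | Process" rows. The following is an added example written for this report, not tooling from the sandbox or code from the sample: it parses rows in that layout and applies one rule per technique, so the same checker covers the behavioral22 Run-key passage and the behavioral13 Winlogon, policy and anti-VM passages. The masquerade-name list, the FADT/RSDT VirtualBox keys alongside the DSDT one the report shows, and the OneDrive control row are assumptions added for illustration.

```python
"""Audit sandbox registry indicators for persistence, tamper and anti-VM probes.

Added example for this report; not tooling from the sandbox or code from the
sample. Input rows use the report's own "Description | Indicator | Process"
layout as printed under "Adds Run key to start application" (behavioral22),
"Modifies WinLogon for persistence", "Disables RegEdit via registry
modification" and "Identifies VirtualBox via ACPI registry values"
(behavioral13). The masquerade-name list, the FADT/RSDT keys and the OneDrive
control row are assumptions added for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegEvent:
    kind: str             # "Set value (str)", "Set value (int)" or "Key opened"
    key: str              # key path; for Set value the value name is split off
    name: Optional[str]   # value name (Set value only)
    data: Optional[str]   # value data with quotes stripped and \\ unescaped
    process: str          # image path of the process that touched the key


INDICATOR_RX = re.compile(r"^(?P<path>\\REGISTRY\\[^=]+?)\s*=\s*(?P<data>.*)$")
TARGET_RX = re.compile(r"^(.*?\.[a-z0-9]{1,4})(?:\s|$)")  # first path token incl. extension
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\policies\\explorer\\run")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
MASQUERADE_NAMES = {"windows firewall", "windows update", "windows defender", "windows security"}
TAMPER_VALUES = {"disableregistrytools", "disabletaskmgr"}
VM_ARTIFACT_KEYS = ("\\hardware\\acpi\\dsdt\\vbox__", "\\hardware\\acpi\\fadt\\vbox__",
                    "\\hardware\\acpi\\rsdt\\vbox__")


def parse_row(row: str) -> RegEvent:
    kind, indicator, process = [c.strip() for c in row.strip().strip("|").split("|")][:3]
    m = INDICATOR_RX.match(indicator)
    if m is None:                      # "Key opened" rows carry no "= data" part
        return RegEvent(kind, indicator, None, None, process)
    key, name = m.group("path").rsplit("\\", 1)
    data = m.group("data").replace('"', "").replace("\\\\", "\\")
    return RegEvent(kind, key, name, data, process)


def audit(rows: str) -> list:
    """Return one finding dict per suspicious row: rule, process, key, detail."""
    findings = []
    for row in rows.strip().splitlines():
        ev = parse_row(row)
        key_l, name_l, data_l = ev.key.lower(), (ev.name or "").lower(), (ev.data or "").lower()
        is_set = ev.kind.startswith("Set value")

        if is_set and key_l.endswith(RUN_KEYS):
            reasons = []
            if name_l in MASQUERADE_NAMES:
                reasons.append("value name imitates a Windows component")
            if any(d in data_l for d in USER_WRITABLE):
                reasons.append("target lives in a user-writable directory")
            m = TARGET_RX.match(data_l)
            if m and m.group(1).endswith(SCRIPT_EXT):
                reasons.append("target is a script rather than an executable")
            if reasons:
                findings.append({"rule": "run-key persistence", "process": ev.process,
                                 "key": f"{ev.key}\\{ev.name}", "detail": "; ".join(reasons)})
        elif is_set and key_l.endswith("\\winlogon") and name_l == "shell" and data_l != "explorer.exe":
            findings.append({"rule": "winlogon shell hijack", "process": ev.process,
                             "key": f"{ev.key}\\{ev.name}", "detail": f"Shell = {ev.data}"})
        elif is_set and key_l.endswith("\\policies\\system") and name_l in TAMPER_VALUES and data_l == "1":
            findings.append({"rule": "system tool disabled", "process": ev.process,
                             "key": f"{ev.key}\\{ev.name}", "detail": f"{ev.name} = 1"})
        elif ev.kind == "Key opened" and key_l.endswith(VM_ARTIFACT_KEYS):
            findings.append({"rule": "anti-vm probe", "process": ev.process,
                             "key": ev.key, "detail": "VirtualBox ACPI table name queried"})
    return findings


# Rows 1-5 are copied from the report; row 6 is a constructed benign control and
# row 7 is a benign locale lookup the report also records.
SAMPLE_ROWS = r"""
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" | C:\ProgramData\svchosd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" | C:\ProgramData\svchosd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\xgoexxnq.exe" | C:\Windows\SysWOW64\ctfmon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\ctfmon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background | C:\Program Files\Microsoft OneDrive\OneDrive.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\svchosd.exe
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_ROWS):
        print(f"[{f['rule']}] {f['process']}: {f['key']} ({f['detail']})")
```

The Winlogon rule deliberately fires on any Shell value other than the bare explorer.exe, because the hijack here keeps explorer.exe as the first entry and appends the payload after a comma; a check that only looks for explorer.exe somewhere in the value would miss it. Note also that the report attributes these writes to C:\Windows\SysWOW64\ctfmon.exe, a legitimate image name, so the process column alone is not a safe signal and the rules key on what was written.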
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ctfmon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ctfmon.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ctfmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ctfmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe
"C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe"
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe
C:\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "00000000000003B8"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 397110121001i83455512377.com | udp |
Files
\Users\Admin\AppData\Local\Temp\puqaxfrnel.$00.exe
| MD5 | f45f47edced7fac5a99c45ab4b8c2d54 |
| SHA1 | 9060189dd95635c5f75d7f91c9bd345200e83028 |
| SHA256 | 0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8 |
| SHA512 | ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3 |
Analysis: behavioral18
Detonation Overview
| Submitted | 2024-11-22 03:36 |
| Reported | 2024-11-22 03:39 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 93s |
| Max time network | 140s |
Command Line
Signatures
CrypVault
Crypvault family
Pony family
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Deletes shadow copies
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Edge = "C:\\Windows\\SYSTEM32\\Microsoft Edge\\Microsoft Edge.lnk" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Edge = "C:\\Windows\\SYSTEM32\\Microsoft Edge\\Microsoft Edge.lnk" | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AudioSes.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AccountsRt.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\ActiveSyncProvider.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AppVClientPS.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AppXDeploymentClient.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\asferror.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.lnk | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AcSpecfc.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AdaptiveCards.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AdmTmpl.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\adprovider.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\adrclient.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.lnk | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft Edge\accessibilitycpl.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AppxSip.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AuthFWSnapin.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.scr | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.scr | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\acledit.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\ApiSetHost.AppExecutionAlias.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\authfwcfg.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\bcryptprimitives.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Microsoft Edge | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AppIdPolicyEngineApi.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AppointmentActivation.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AppointmentApis.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\aspnet_counters.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AudioEng.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\altspace.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AuditPolicyGPInterop.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AuthBrokerUI.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AuthExt.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AzSqlExt.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\BcastDVRBroker.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\accessibilitycpl.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\ActivationClient.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AcXtrnal.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\advapi32.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\atlthunk.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\bcd.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\avrt.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\BackgroundMediaPolicy.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AcGenral.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\acwow64.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\appmgr.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\AppVTerminator.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Microsoft Edge\audiodev.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4868 set thread context of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"
C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SYSTEM32\explorer.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SYSTEM32\tasklist.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SYSTEM32\explorer.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SYSTEM32\svchost.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SYSTEM32\explorer.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process call create "vssadmin.exe delete shadows /all /quiet"
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\mshta.exe
mshta.exe C:\Users\Admin\Desktop\VAULT.hta
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hollandfintech.net | udp |
| US | 8.8.8.8:53 | hollandfintech.net | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hollandfintech.net | udp |
| US | 8.8.8.8:53 | hollandfintech.net | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.scr
| MD5 | 1105f1e5cd13fc30fde877432e27457d |
| SHA1 | 108f03f9c98c63506dd8b9f6581f37ae5c18de23 |
| SHA256 | dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d |
| SHA512 | 49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373 |
C:\VAULT.KEY
| MD5 | f9bee0e2dfdc5e1ce9db7f225359cc8b |
| SHA1 | 406c3e316ae41811956c9e33598b75df077783c9 |
| SHA256 | 5d3bdead8922de41c9fd7d054b0c071964ff247e076100d3261120c21adc38e6 |
| SHA512 | 56b96ae0b6811bfda79e699381305c142f53d70612af0333af0ec5c5e90dd2b8139205362560e297bed251e20ea3e54719e2c46a5946fa8a37fca6d7f1e448e1 |
C:\Users\Admin\AppData\Roaming\CONFIRMATION.KEY
| MD5 | 1ef8b68ffe960997d4509f24b11fb022 |
| SHA1 | 6d25c6ec8f63f9811420eaa3555159bdd40a2502 |
| SHA256 | 7f4813e5f1b84200cb3df1d26779f43ff73d64b4e6a3c70a0f6db9111b4c13d0 |
| SHA512 | 5c14137a63abfeaba978bb274a79878057f2263a1729d3922a8eff8cf1d70392a35d49ca0ec6e66627afc4fe9842d94cfed9e74cb8cf08a4361560b85d8d64c1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta
| MD5 | ca834cc56015bce8e010e356c69dc9f5 |
| SHA1 | b55ea373d3f5d583c33803d80059db5ddccf7038 |
| SHA256 | 1b5feb1b9bf79a857330fc891a65824953ad5d72ce38b4fb41755475775c65bd |
| SHA512 | 66c6370c538567286641e2ca3438d28572a78b4d2a15912f9d55cc65f9c7491d16e3f277c9f1385ee6773ef400e1a47e7abe5208aa4d7f75b8db5c816e6531a8 |
C:\VAULT.KEY
| MD5 | 02e8ec67bb9adec4d96f65024e61d3f4 |
| SHA1 | 841b6c629abd1f755214467d6a0f24ff0a8565fd |
| SHA256 | a026f2ae89be80d92621dbbe73d89f4ed5ce05c4a2f324a2a4ee26ccc31e3846 |
| SHA512 | a0f62cb227e572cc8ca8e195fdeacf4f1d552349aeb90f374ae5701d3bf43ecb845ddd9718cfcab20ddca6bf9f7baa3d7c46b1264b5fd4e406123e2e95a7a7ac |
C:\VAULT.KEY
| MD5 | 988f9920a47a009a5c3b4c8c304381fd |
| SHA1 | 81217bd02906dcdc0d941fd4ab7ac4af02d79a27 |
| SHA256 | 214f912401ac13bad81c4dde7114e1ebf942c04c8d09ca4e3a492c2cd5c1d3d9 |
| SHA512 | 5cb0a85241f09dbccd8ca0d33a4cd5dbc3e35816795e9d91b40da97a857a3b74c07ed030a8e2faf320a220d8342a57cfc036a9b15af058a0fa2590635d556097 |
C:\VAULT.KEY
| MD5 | 3022b371d3588070cc7dc63c9c86c407 |
| SHA1 | 0005037fcdac3401100a963442896ccba2872e36 |
| SHA256 | 83ac01d1bace84bd1bba0c3e2a4343958a56747be17a46c29dd18b5d91aaf51b |
| SHA512 | 03a22cccddf68e60434e6766d486ff958e94d53ec832ab11155ae9723ba255e702c3ccd5a14793279898daf9f904814841ca7296fb9e2ef585d2943f122d0dcf |
memory/3768-187-0x0000000002A30000-0x0000000002A42000-memory.dmp
C:\VAULT.KEY
| MD5 | da773f4a2943260a70dbb698c5cbbc77 |
| SHA1 | 2f8a2d0c96a5240d8a7dc53f91e6f62753c4724d |
| SHA256 | 2ec2b34a6b5175c58d1faae6f70bafb8875bc11471da72ebd7673960c13cc3af |
| SHA512 | eeb3999cbdde8be08713df55e40cf199022d46d53330be3cf98a4bf2ad8d392274973abbfa6a6ff7946a894f725cd9f891dd72b8d7c15a7e6b3ce91d29dbff11 |
memory/4272-190-0x0000000000CC0000-0x0000000000CD6000-memory.dmp
memory/3768-191-0x0000000000380000-0x000000000038E000-memory.dmp
C:\VAULT.KEY
| MD5 | cb8dd6d4719072c2157510329a016436 |
| SHA1 | 48d4b373b868b0a8aa44fa8aeea78d8a78369cb0 |
| SHA256 | b5cc58a3b66e3a800cd3c69cb5e8899d733f41cbac06d43c40affbe2ee3ea1cf |
| SHA512 | 5c2458b625aed1d12e9f5aad8cf082f9e94be4f4912f26b8b5e7f18cce6562c9f7b6989969c715ae825b0e9dd09fcd3002af6de50af4a01eaee8d4522c8ff090 |
C:\Windows\SysWOW64\Microsoft Edge\Microsoft Edge.lnk
| MD5 | 49694f63bb47cf24a0112f79e0e11685 |
| SHA1 | fe8b7c02aae6d4918ce2674b384bbab905cf3585 |
| SHA256 | 2ba990cfed349932ab2a722feb2dd2043dd40415ace1d1aadd70a91f9b3f955d |
| SHA512 | fcb8fd017a873d94efd95afb1cc86172a60b7dcb431167a6f8ea03d32b8ddefdb19f86bb8f369876fbebd687c151dd43da3b9b3021084d43f84b6ecd9bfe30bd |
memory/3768-202-0x0000000000B10000-0x0000000000B3E000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20241010-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIA078.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f779ca0.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAE22.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB3C3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f779c9d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9E82.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAD18.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAEB0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Tasks\sys.job | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f779ca0.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f779c9d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F2E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIACE8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9FCB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA115.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB1FD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9DA6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAFF9.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe
"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1C0546BAB281714E431757DE0FBB5EFC
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A306E9C94C5217883499C26E9F43D022 M Global\MSI0000
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | collect.installeranalytics.com | udp |
| US | 3.214.180.211:80 | collect.installeranalytics.com | tcp |
Files
\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
| MD5 | 3531cf7755b16d38d5e9e3c43280e7d2 |
| SHA1 | 19981b17ae35b6e9a0007551e69d3e50aa1afffe |
| SHA256 | 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089 |
| SHA512 | 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd |
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
| MD5 | 27bc9540828c59e1ca1997cf04f6c467 |
| SHA1 | bfa6d1ce9d4df8beba2bedf59f86a698de0215f3 |
| SHA256 | 05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a |
| SHA512 | a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848 |
\Windows\Installer\MSI9DA6.tmp
| MD5 | d552dd4108b5665d306b4a8bd6083dde |
| SHA1 | dae55ccba7adb6690b27fa9623eeeed7a57f8da1 |
| SHA256 | a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5 |
| SHA512 | e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{3CFEFCD3-DFDD-481F-AE0A-E201682ADEF4}.session
| MD5 | fecf27a5bbf0da7817c86e55aa264f21 |
| SHA1 | 65a8e83ee19d1f1725d276336deeb2241960bb15 |
| SHA256 | ac618fb9a7780b1cf5fdaf311f4970065c6bcc0a871b3836dbde2fbd902ff3a9 |
| SHA512 | 74cc4577fb408f041b80825b54c45fa7928a33772857dc7c549961349a8cb58bf8d16288f88f3d4eb2f91e19afb965621b440e40c36b3fc9f02d08071a8b4a51 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{3CFEFCD3-DFDD-481F-AE0A-E201682ADEF4}.session
| MD5 | b75376f0e4fa057eba0df455331ae0da |
| SHA1 | 04d34f68dfcef51322abd13acb2ae8b0a028bb7b |
| SHA256 | 066d7226bd174f3521907d8ebdeda2b916062c41f94ee90b8dbb9fd09bef11b9 |
| SHA512 | 5fd30cc3bdd2f4f16d16e3d0347b8bd1ddefbb420e27b87e148f47e2b12b0a8654857acd43eac28e0346444ef67450eea71997b314685cce3ad334f66e87ae8d |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{3CFEFCD3-DFDD-481F-AE0A-E201682ADEF4}.session
| MD5 | a55a3f4459e11c5e46275f03ba0ef4fb |
| SHA1 | 30ea186a531bf472eae03f633e9f8f57914c7b06 |
| SHA256 | 33c32bee5584b80f64b52496e34ebaa867c22ee06cc286eaf09b32c56a88383f |
| SHA512 | ab605500201adb4e233944f9a36b47cc215335965ee7f01482eb27ec774d57c6c173f42b0a8a99016b5938d7b025dcd28876ecb6ea83a32d6b6912aae24b3396 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{3CFEFCD3-DFDD-481F-AE0A-E201682ADEF4}.session
| MD5 | 1e0290dc4c165cbdf17903f3e8df13f8 |
| SHA1 | 1814868b8fe1af03a3aba700cf769b1e633adfdd |
| SHA256 | dc132376ecbf3438dc25d79fbc3d94f67037618b0ea2d120c87eaa3f928ae1af |
| SHA512 | a3242e8fad1f9ed082bed3d8b5f37cccedb98b79f857443a419030d39f20f7a5dbc8e0d9a7d0167e1c3dfe111ab8c309e42ffcdd51d13c2496e7becb11f09948 |
\Windows\Installer\MSI9F2E.tmp
| MD5 | 4083cb0f45a747d8e8ab0d3e060616f2 |
| SHA1 | dcec8efa7a15fa432af2ea0445c4b346fef2a4d6 |
| SHA256 | 252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a |
| SHA512 | 26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
| MD5 | e29f7a880c84850aa98c1e72f2804601 |
| SHA1 | 4930f4c5a076917d368ed150c36651432d8593e2 |
| SHA256 | f67c350e851157207865a30d39d9ff40ab0f07f425db71c805542bbd25ba03fa |
| SHA512 | 7bf9c8b4f937d37cd1be2434804ad56356ee0368fe411617167f02f61c7539c6bf3d99658213c81007bb1c026c783720733d6af6d7b02cfad2b5e03274032cc2 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
| MD5 | 8dfd3b687ff9b325715f2aca66414db3 |
| SHA1 | 92e494367207e65cf833c29ebf713fb6b22bf590 |
| SHA256 | 9afb63342f1306215ee619e07a81787f3fa7e976ebdbb5043c0344ee332751e9 |
| SHA512 | 53c8cb5432b1851e604b939c490c47c4556a4bd69048957ca5907ed8b51851b93222836485e2d37e295d81a4c9aec819b0352eb5146338e757fb9988a0033786 |
\Windows\Installer\MSIAD18.tmp
| MD5 | 3cab78d0dc84883be2335788d387601e |
| SHA1 | 14745df9595f190008c7e5c190660361f998d824 |
| SHA256 | 604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd |
| SHA512 | df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820 |
\Windows\Installer\MSIAE22.tmp
| MD5 | 7e6b88f7bb59ec4573711255f60656b5 |
| SHA1 | 5e7a159825a2d2cb263a161e247e9db93454d4f6 |
| SHA256 | 59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f |
| SHA512 | 294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c |
C:\Windows\Installer\MSIAEB0.tmp
| MD5 | aa82345a8f360804ea1d8d935f0377aa |
| SHA1 | c09cf3b1666d9192fa524c801bb2e3542c0840e2 |
| SHA256 | 9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437 |
| SHA512 | c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db |
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe
| MD5 | e579c5b3c386262e3dd4150eb2b13898 |
| SHA1 | 5ab7b37956511ea618bf8552abc88f8e652827d3 |
| SHA256 | e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2 |
| SHA512 | 9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb |
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav
| MD5 | bab1293f4cf987216af8051acddaf97f |
| SHA1 | 00abe5cfb050b4276c3dd2426e883cd9e1cde683 |
| SHA256 | bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344 |
| SHA512 | 3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49 |
C:\Config.Msi\f779ca1.rbs
| MD5 | f5ab7aaf6b2b97e8fb50b57ef5493425 |
| SHA1 | ff01d6366912d599ea14279136fddc0125b4bbe1 |
| SHA256 | e742055f58b998110e5dd16d9bf9fb41ece084e09000c1f6ebc615bc0a40880a |
| SHA512 | f389084751ae54aef57e9ea12ec8506017c207fb685e7e268dafbab359eb45322947d4f07e02487d39bf779a75a4df96d9d47a75565eb162697fc74cf7fa9d25 |
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
| MD5 | 68c7a5b701bf194b08e0df49a3379d76 |
| SHA1 | dc6d0fc79c3441b2f9f9982ed11c1cbafcebfa0f |
| SHA256 | 638791461bc2a9857d467683677fff275b9dc2cb73247f963877992ef569b406 |
| SHA512 | 0f08cb84f8a52639e97c52d870af893088561d12b81ad4d5bc6e3264f7029a28f3051559c0063b8eb063943d19370fd23c06061afee47beadf239f8b9a4e6b33 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,,C:\\Program Files (x86)\\Windows NT\\MIJOvBeC.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\Windows NT\\MIJOvBeC.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DWTtAeLq.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DWTtAeLq.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DWTtAeLq.exe | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DWTtAeLq.exe | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\LdMVtZgE = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\MhzeIHWr.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\LdMVtZgE = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\MhzeIHWr.exe" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dirty\\DirtyDecrypt.exe\" /hide" | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows NT\MIJOvBeC.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\MIJOvBeC.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File created | C:\Program Files (x86)\Dirty\DirtyDecrypt.exe | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dirty\DirtyDecrypt.exe | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe
"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"
C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe
"C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe"
C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
"C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| NL | 85.17.31.82:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| NL | 85.17.31.82:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | sjytgtnkdl.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | vjuxtixi.com | udp |
| US | 8.8.8.8:53 | ntrshvquunyzxevkucs.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| DE | 169.50.13.61:80 | ntrshvquunyzxevkucs.com | tcp |
| DE | 169.50.13.61:80 | ntrshvquunyzxevkucs.com | tcp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | okenhqzgxngnkbwouvfm.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | wxluitpliymeoirc.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | wxluitpliymeoirc.com | tcp |
| DE | 169.50.13.61:80 | wxluitpliymeoirc.com | tcp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | kcubcfuhwwn.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| NL | 85.17.31.82:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| NL | 85.17.31.82:80 | viweabkkfe.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| DE | 178.162.203.211:80 | viweabkkfe.com | tcp |
| DE | 178.162.203.211:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | sjytgtnkdl.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | wxluitpliymeoirc.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | wxluitpliymeoirc.com | tcp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | wxluitpliymeoirc.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
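The Network table above is dominated by lookups of random-looking .com names sent to 8.8.8.8, with only four names ever followed by a TCP flow, three of them to the same host (169.50.13.61). The script below is an added triage example, not part of the sandbox report or the Triage platform: it parses rows in the report's own pipe-delimited layout, separates names that were actually contacted from pure DNS churn, inverts the result to show server reuse, and attaches a cheap lexical score per name. SAMPLE_ROWS is a subset of rows copied from the report's Network tables (including hollandfintech.net from the behavioral17 run as a contrast); the scoring thresholds are constructed heuristics.

```python
"""Triage of the Network table above: which of the many DNS lookups turned into
a TCP flow, which server IPs were reused across names, and a per-name lexical
score. Added example, not part of the sandbox report. SAMPLE_ROWS is a subset
of rows copied from the report's Network tables in their pipe-delimited layout;
the scoring thresholds are constructed heuristics, not the sandbox's."""
import math
from collections import Counter, defaultdict

SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| NL | 85.17.31.82:80 | viweabkkfe.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| DE | 178.162.203.211:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | sjytgtnkdl.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | wxluitpliymeoirc.com | udp |
| DE | 169.50.13.61:80 | wxluitpliymeoirc.com | tcp |
| US | 8.8.8.8:53 | hollandfintech.net | udp |
"""


def parse_rows(text):
    """Parse '| CC | ip:port | domain | proto |' rows into dicts; skip anything else."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or ":" not in cells[1]:
            continue
        ip, port = cells[1].rsplit(":", 1)
        rows.append({"country": cells[0], "ip": ip, "port": int(port),
                     "domain": cells[2].lower(), "proto": cells[3].lower()})
    return rows


def summarize(rows):
    """Names with a TCP flow are 'contacted'; names seen only in DNS are churn.
    servers inverts contacted to ip -> names, which exposes infrastructure reuse."""
    contacted, servers, domains = defaultdict(set), defaultdict(set), set()
    for r in rows:
        domains.add(r["domain"])
        if r["proto"] == "tcp":
            contacted[r["domain"]].add(r["ip"])
            servers[r["ip"]].add(r["domain"])
    queried_only = domains - set(contacted)
    return {"distinct": len(domains), "contacted": dict(contacted), "servers": dict(servers),
            "queried_only": queried_only,
            "churn_ratio": len(queried_only) / len(domains) if domains else 0.0}


VOWELS = set("aeiou")  # y is counted as a consonant


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def max_consonant_run(label):
    best = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def lexical_score(domain):
    """Cheap DGA-style features on the second-level label; 'flagged' is a constructed rule."""
    label = domain.rsplit(".", 1)[0].split(".")[-1]
    feats = {"len": len(label), "entropy": round(shannon_entropy(label), 3),
             "vowel_ratio": round(sum(ch in VOWELS for ch in label) / len(label), 3),
             "max_consonant_run": max_consonant_run(label)}
    feats["flagged"] = feats["max_consonant_run"] >= 4 or feats["vowel_ratio"] < 0.2
    return feats


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    print(f"{s['distinct']} names, churn {s['churn_ratio']:.0%}, servers: {s['servers']}")
    for d in sorted(s["queried_only"] | set(s["contacted"])):
        print(d, "contacted" if d in s["contacted"] else "dns-only", lexical_score(d))
```

On this subset the behavioral split is the reliable signal: 60% of distinct names never produce a flow, and the four that do resolve to just three servers. The lexical rule is deliberately weak and shows why: wxluitpliymeoirc.com has a consonant run of only 3 and a vowel ratio of 0.375, so it passes as pronounceable even though it is one of the contacted names, while hollandfintech.net (vowel ratio 0.286) is not flagged. Block the contacted names and server IPs first; use the per-name score only to prioritise the DNS-only churn.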
Files
C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe
| MD5 | d224637a6b6e3001753d9922e749d00d |
| SHA1 | bacb2313289e00a1933b7984dd1cbef01c8019ee |
| SHA256 | 9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263 |
| SHA512 | 08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0 |
C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
| MD5 | 1d27a7210f54a047264f23c7506e9506 |
| SHA1 | 4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527 |
| SHA256 | 431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9 |
| SHA512 | 077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700 |
memory/2088-25-0x00000000004A0000-0x00000000004B4000-memory.dmp
memory/2508-31-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Desktop\TestExpand.xlsx
| MD5 | 78b526de070a85b6cf6410d013d2a1a6 |
| SHA1 | 6403f4013d1c5e636452274fa02436fc64f83e7e |
| SHA256 | 9a6a19655dc4ab926544e1f1da8750f4119ca615ac73e2c4da9ef4186e6a9e2a |
| SHA512 | e1418a6fe5acbcdda7fddf41835e6d9973ddfbf8c2b36204b53a8733ba1078b63aae28d314eb51b90e0a43896b803ca4920bc4ea6bf8bc18b0650e2cbf32226e |
C:\Users\Admin\Desktop\ConvertToExport.jpeg
| MD5 | 5cd869d25ed9b70cad0fcd729dbe93a8 |
| SHA1 | 18927946eaf87e45ec906c7b0f739205fffa0074 |
| SHA256 | 555f93ff05472882f6f72d44bbbe46f36e323a2fb2d9b7abe6b06010385cfbe4 |
| SHA512 | fe7827c6bbf76874041cd818645b8af930e23aea55d426f3c436fc521ae93ec6ad32cb99d5f25f5b042732a0280fc0c481e02c305e2a5bde94372fa248ac9b56 |
C:\Users\Admin\Documents\UnpublishRead.docx
| MD5 | 7fb0e9946503165c130615db7a4f28fe |
| SHA1 | f87b0a82e019088a0f69662f16cdf0e77d9ba1e4 |
| SHA256 | f3cac6ec3b761436663adaefad6b4b73c6a1a40b5a2d364973b25b43c27a2bef |
| SHA512 | 9b33b0563972c92c3e6a6722dd71b55ffebe95130d1cebdf3df0a00a014e5b41dc657c71fc38d6142ae9b379ef8dc8634977bceb9a2f4e0fcb4e0c674bc400f2 |
C:\Users\Admin\Documents\ApproveFormat.rtf
| MD5 | 55931f508169e2e57ea9e1fe0c0e87d1 |
| SHA1 | 612f3b45efe3162130307d7fe3dfafb8f3bcfd8e |
| SHA256 | ac71d5d33cf3cafc5ffc57265118fd5d3cbc5b895681245c16faf49f14ce9a56 |
| SHA512 | 1a94083a6fd1116a9b65b56fcfe3ae7b46f2f5caa8a35ee33630e46c6a0ec48c8add3ac6ffe2b4709cbba19c8287040d7fc63b7229fa558c715be58961e67b80 |
C:\Users\Admin\Documents\DebugClear.doc
| MD5 | baf2faff2c457dff4872bb6bb421004a |
| SHA1 | 5aa26906097a18d62c69daba985cd0f72ffe3b31 |
| SHA256 | 8494ac3bbb2c179bc191e4e73145eb8b2b79e156e2e331546dae155a808827e3 |
| SHA512 | 434367c313dd1e27384858cea0e39d6534f5a94e2b81406575c5b308f4d70e692221a43acb4e31166a4683f3bbffc4359bdebf6f818d686187d449e54a6ce559 |
C:\Users\Admin\Documents\DebugLimit.docm
| MD5 | 9da8b164f22bdb22f184142e1cfe1cb6 |
| SHA1 | f480bb1eda037e838df784609fd0ac3bc77565a2 |
| SHA256 | 3f13673feca10f32155cce12590601de9b14bc7d4e2f911e8e5af994690acc6b |
| SHA512 | 5b7f4607dc315d47d8cbb44d70082773071cbcb267ca51a40817be8607ccf1a415b37e3467eab7e23078d3612e3e33222b5e723da49df57e95f65aa47f5db0d1 |
C:\Users\Admin\Documents\NewPop.doc
| MD5 | 7f8895f63bbfd4693eb3a190e941e4c9 |
| SHA1 | b5ca49754a588b86583e262a75ef7fa23108df29 |
| SHA256 | f92dd76f5e53816cbf1070444520cb5198f5b47c600bd4a03d20ccf11bd3f2df |
| SHA512 | 61c924f26c54898fbdb3ca9aa6c3ad0d6bae610386f3bbc2dee833554359d42c0452d6382618915eae65a69e138a7903082c960404438efabb8165374fdb0f0b |
C:\Users\Admin\Documents\StepFormat.doc
| MD5 | bc2a99d4fed8fce68e5ee04c2ef762d8 |
| SHA1 | da216639ef63fe5f02320024d1895f38b860e631 |
| SHA256 | d333a98377a8eb3ed57cf88d616959a394d83ac53dd866ec8bd54ed10aa02ddb |
| SHA512 | a17c87e81acc75c5ebfc2feea61f8d6518adccef8db10cf9567bfd5fb63d153b5300f6edde601c1fcb8250ac1023a3231e567605e36f63173a077a3513a70f61 |
C:\Users\Admin\Downloads\ConvertFromStep.zip
| MD5 | 4d76b46a325f5b9b905f90e3a348a936 |
| SHA1 | 48522542ec191d967d2d172fac14ebea4a53182d |
| SHA256 | 0bd416bb32df60b7c2dc20863512c76cd9cd5c59a0f5d489807e3d819cadfa91 |
| SHA512 | f2c206a6d9b6c116ed008e9b0f4ba5ee75fa7919701cec2720d36736c8206d58ca056cc0ffe7b6566dd0b56f28cba36bdb717036871a19607dd683731dc6d706 |
C:\Users\Admin\Downloads\EnableSet.doc
| MD5 | a7b3504b51d9c9ad922cfb68fab066ec |
| SHA1 | 6f571660f7af85584201dfbc5b937d2e73d1d5ea |
| SHA256 | 7cd40cf425416f45a9c764b71eb548b7e9e0470a1e18f220997e0a1bcd62251c |
| SHA512 | 5d828c68ee4709ae70f9f3a7a2b7acfe2058a485dff88c8475bac4f14d091f32a5ec931714ce0e718bc83ff5c1ab86ea6134fd668a9e80f75eb3113cf8bc3e8c |
C:\Users\Admin\Downloads\WaitBackup.rtf
| MD5 | e5941e096adc9dee7df216a2571da334 |
| SHA1 | 022917d9e0e2640c9b1105ffd16afb5435f41b50 |
| SHA256 | 0b6b2f585a1005570caa4ceccc71ce8940310cb77629a83ca8ed236a04c1aef4 |
| SHA512 | 033b2c21e7b63e352e48c35b4c46788e7cad0dd022be0fc792ee440df2ce0b7df0f3bb06bc54173e4981a801309c837c459853252cd96ab8fd0fb2ed88687446 |
C:\Users\Admin\Music\AssertGet.xls
| MD5 | f3aa0c84cb7d2aefc20c49f0d59184a0 |
| SHA1 | d29dd7dd912c00e5f05a9cc4f04920814f3c4f96 |
| SHA256 | 8b1192569bef499da82ff8fd0deab26d7188d6c0c1c7a6859f2affbdca635cca |
| SHA512 | 98e27369f4aa3430e1a69d841917ff42b7132ea0f583e16500bd86dfd76b3528d7d43ac31951bb4bdb35bdd6bbddeefe1f615819d058c50fe62d03c30107da46 |
memory/2508-154-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Downloads\CopyClose.xlsm
| MD5 | 5d812c5cd71a5138ccc14b90db5d19bb |
| SHA1 | fb53724c8c9e87300c60e64248ef77ee2d0348bb |
| SHA256 | d57bea2ff1395e34662bf68b951a7d8cd1abd742f24f17e2e5358040d3b66f56 |
| SHA512 | 8fb745044652ed242407c974bdca86646695fe44c88f533520c75ff8b81a08493dffbd4e02f13481f903f2961cc54641ba0abae23a75e0d411d70104f7432c62 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20241023-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
CrypVault
Crypvault family
Pony family
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Deletes shadow copies
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IE4Data = "C:\\Windows\\SysWOW64\\IE4Data\\IE4Data.lnk" | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IE4Data = "C:\\Windows\\SysWOW64\\IE4Data\\IE4Data.lnk" | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\IE4Data\adsldp.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-libraryloader-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\IE4Data.scr | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IE4Data\IE4Data.lnk | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\adsmsext.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-fibers-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-processthreads-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-datetime-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-interlocked-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-localregistry-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IE4Data | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\ActionCenter.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\advapi32.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\aecache.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-console-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\IE4Data.lnk | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-handle-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-misc-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-string-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IE4Data\IE4Data.scr | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IE4Data\ActionCenter.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\amxread.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-file-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE4Data\api-ms-win-core-file-l1-2-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2412 set thread context of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"
C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process call create "vssadmin.exe delete shadows /all /quiet"
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\mshta.exe
mshta.exe C:\Users\Admin\Desktop\VAULT.hta
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\mshta.exe
mshta.exe C:\Users\Admin\Desktop\VAULT.hta
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 348
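The Processes list above, read together with the Signatures tables for this run (Run key IE4Data written from tasklist.exe and explorer.exe, VAULT.hta dropped into the Startup folder by svchost.exe, PE files written into C:\Windows\SysWOW64\IE4Data), is the kind of chain an endpoint rule set should catch at several independent points. The rules below are an added example, not part of the sandbox report or of any vendor product: they run over a constructed Sysmon-style event list that mirrors the chain. Command lines, file paths and the registry value are copied from the report; every PID except 2412 and 2040 (the SetThreadContext pair in the Signatures), all parent links, the allowlists and the two benign control events (services.exe and a normal svchost.exe -k DcomLaunch) are constructed.

```python
"""Detection rules over a constructed Sysmon-style event list mirroring the
report above: %TEMP% dropper, SysWOW64 explorer.exe/svchost.exe copies,
wmic -> wmiprvse -> vssadmin, mshta running VAULT.hta, Run key and Startup
drop. Added example, not part of the sandbox report. Only the command lines,
paths and registry value come from the report; PIDs other than 2412/2040,
parent links, allowlists and the two benign control events are constructed."""
import re
from collections import defaultdict

TEMP_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS = [
    proc(700, 500, r"C:\Windows\System32\services.exe", "services.exe"),
    proc(3008, 700, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    proc(2412, 1500, TEMP_EXE, f'"{TEMP_EXE}"'),
    proc(2040, 2412, TEMP_EXE, f'"{TEMP_EXE}"'),  # report: PID 2412 set thread context of 2040
    proc(3001, 2040, r"C:\Windows\SysWOW64\explorer.exe", "explorer.exe"),
    proc(3002, 3001, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist.exe"),
    proc(3003, 3001, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    proc(3004, 3003, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
         'wmic process call create "vssadmin.exe delete shadows /all /quiet"'),
    proc(3005, 3008, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe -Embedding"),
    proc(3006, 3005, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    proc(3007, 3003, r"C:\Windows\SysWOW64\mshta.exe", r"mshta.exe C:\Users\Admin\Desktop\VAULT.hta"),
    {"type": "registry", "pid": 3002, "key": RUN_KEY + r"\IE4Data",
     "value": r"C:\Windows\SysWOW64\IE4Data\IE4Data.lnk"},
    {"type": "file", "pid": 3003, "path": STARTUP + r"\VAULT.hta"},
    {"type": "file", "pid": 3001, "path": r"C:\Windows\SysWOW64\IE4Data\IE4Data.scr"},
]

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
# Children WmiPrvSE.exe has no business starting (constructed watchlist).
WMIPRVSE_WATCHLIST = {"vssadmin.exe", "cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                      "cscript.exe", "rundll32.exe", "regsvr32.exe", "bcdedit.exe", "wbadmin.exe"}
# Legitimate parents of these system binaries; anything else is hollowing or masquerading.
EXPECTED_PARENT = {"explorer.exe": {"userinit.exe", "winlogon.exe", "explorer.exe"},
                   "svchost.exe": {"services.exe"}}
SYSTEM_DIR_WRITERS_OK = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe"}  # constructed


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_rules(e, parent):
    name, cmd = basename(e["image"]), e["cmdline"]
    pname = basename(parent["image"]) if parent else None
    fired = []
    if SHADOW_DELETE.search(cmd):
        fired.append("shadow_copy_deletion")
    if name == "wmic.exe" and "process call create" in cmd.lower():
        fired.append("wmic_process_create")
    if pname == "wmiprvse.exe" and name in WMIPRVSE_WATCHLIST:
        fired.append("wmiprvse_spawns_lolbin")
    if name == "mshta.exe" and re.search(r"\\users\\\S*\.hta\b", cmd, re.I):
        fired.append("mshta_user_hta")
    if name in EXPECTED_PARENT and parent and pname not in EXPECTED_PARENT[name]:
        fired.append("unexpected_parent")
    if name == "svchost.exe" and "-k" not in cmd.lower().split():
        fired.append("svchost_without_service_group")
    return fired


def artifact_rules(e, writer):
    wname = basename(writer["image"]) if writer else None
    fired = []
    if e["type"] == "registry" and re.search(r"\\CurrentVersion\\Run\\", e["key"], re.I):
        fired.append("run_key_persistence")
    if e["type"] == "file" and re.search(r"\\Start Menu\\Programs\\Startup\\", e["path"], re.I):
        fired.append("startup_folder_drop")
    if (e["type"] == "file" and wname not in SYSTEM_DIR_WRITERS_OK
            and re.search(r"\\Windows\\(System32|SysWOW64)\\.+\.(exe|dll|scr)$", e["path"], re.I)):
        fired.append("system_dir_pe_drop")
    return fired


def run_rules(events):
    """Evaluate every event; registry/file events are attributed to the writing process."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            fired = process_rules(e, procs.get(e["ppid"]))
        else:
            fired = artifact_rules(e, procs.get(e["pid"]))
        hits.extend({"rule": r, "pid": e["pid"]} for r in fired)
    return hits


def fired_by_pid(hits):
    out = defaultdict(set)
    for h in hits:
        out[h["pid"]].add(h["rule"])
    return dict(out)


def ancestry(events, pid):
    """Image names from pid up to the root of the recorded tree."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, rules in sorted(fired_by_pid(run_rules(EVENTS)).items()):
        print(pid, " -> ".join(ancestry(EVENTS, pid)), sorted(rules))
```

Two points the report's own "Process spawned unexpected child process" signature illustrates. First, the vssadmin.exe that deletes the shadow copies is a child of WmiPrvSE.exe, not of the malware, because Win32_Process.Create runs the command inside the WMI provider host; a rule that only looks at the malicious process tree never sees it, which is why the command-line match on `vssadmin delete shadows` and the wmic.exe `process call create` rule both exist. Second, the persistence artifacts are written by copies of tasklist.exe, explorer.exe and svchost.exe living in SysWOW64 with hollowed-in code, so the writer image looks legitimate; attribution has to come from the parent chain (a dropper in %TEMP%) and from the fact that svchost.exe runs without a `-k` service group, not from the image name.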
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hollandfintech.net | udp |
Files
memory/2040-3-0x0000000000400000-0x00000000009E9000-memory.dmp
memory/2040-5-0x0000000000400000-0x00000000009E9000-memory.dmp
memory/2040-17-0x0000000000400000-0x00000000009E9000-memory.dmp
memory/2040-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2040-13-0x0000000000400000-0x00000000009E9000-memory.dmp
memory/2040-11-0x0000000000400000-0x00000000009E9000-memory.dmp
memory/2040-9-0x0000000000400000-0x00000000009E9000-memory.dmp
memory/2040-7-0x0000000000400000-0x00000000009E9000-memory.dmp
memory/2040-14-0x0000000000400000-0x00000000009E9000-memory.dmp
memory/2040-18-0x0000000000400000-0x00000000009E9000-memory.dmp
memory/2040-19-0x0000000000400000-0x000000000040F1F7-memory.dmp
memory/2040-1-0x0000000000300000-0x0000000000400000-memory.dmp
memory/2628-29-0x00000000000F0000-0x0000000000371000-memory.dmp
memory/2628-22-0x00000000000F0000-0x0000000000371000-memory.dmp
memory/2628-23-0x00000000000F0000-0x0000000000371000-memory.dmp
memory/2412-0-0x0000000000310000-0x0000000000315000-memory.dmp
memory/2940-50-0x0000000000420000-0x0000000000436000-memory.dmp
C:\Windows\SysWOW64\IE4Data\IE4Data.scr
| MD5 | 1105f1e5cd13fc30fde877432e27457d |
| SHA1 | 108f03f9c98c63506dd8b9f6581f37ae5c18de23 |
| SHA256 | dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d |
| SHA512 | 49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373 |
memory/2940-52-0x0000000000420000-0x0000000000436000-memory.dmp
memory/2940-51-0x0000000000420000-0x0000000000436000-memory.dmp
memory/2268-54-0x00000000005A0000-0x0000000000821000-memory.dmp
memory/2268-55-0x00000000005A0000-0x0000000000821000-memory.dmp
memory/2432-58-0x0000000000080000-0x00000000000AE000-memory.dmp
memory/2432-57-0x0000000000380000-0x0000000000388000-memory.dmp
memory/2892-91-0x00000000005A0000-0x0000000000821000-memory.dmp
memory/2892-90-0x00000000005A0000-0x0000000000821000-memory.dmp
C:\VAULT.KEY
| MD5 | a6a39c97364f8fc8b412f55a01c0083d |
| SHA1 | a77d1e5da21e028c66af5f15bae308ebe7877d3e |
| SHA256 | 03cecda8a69893262e6f00d532167ded5732dec991bcd163ccaeadad62001348 |
| SHA512 | 6faac60921acf43cfc3bcf4bbdc7d7d433e408ae70d1900c54983eda943440f1e485d68f6271d14c3a7e3af6d38bb8c9c02b7221fb564b8ac8f7ccdd7f63d353 |
memory/2432-150-0x0000000000350000-0x0000000000362000-memory.dmp
C:\VAULT.KEY
| MD5 | 0451a438766083ffa91517ade99ee562 |
| SHA1 | 70d104395a196c0e3f2a8dee109839d68ebb339d |
| SHA256 | 68decb91fe284f1216b079810d2273acddd0d7754cb22689fa0aecfd7dae3aa1 |
| SHA512 | 240ebc181528d16323ca3398d539256241e72394afb4febd6df9dd3a7745af04ee1258e626043e90d58a7a9f5dfa4366dbedb5f75ad4c924abd65a7106ce1e79 |
C:\VAULT.KEY
| MD5 | e8d1dc697660fc828d75a73612f680f0 |
| SHA1 | eb5f51e52296f942c1e1065cb15dc06db9307263 |
| SHA256 | d203fa95c8fbec5abb1e41d845bee0f252e3c95eb7897d490b0c36806f104142 |
| SHA512 | 82a650f326fa34e7902e8777a8f61ce7bbe1f4892f0bc9b61a663e99e4c033677f1e18d5a111e9ee636208cbf2563815787a9a0d5eb7d5c2d771bb49d2b203e1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta
| MD5 | ca834cc56015bce8e010e356c69dc9f5 |
| SHA1 | b55ea373d3f5d583c33803d80059db5ddccf7038 |
| SHA256 | 1b5feb1b9bf79a857330fc891a65824953ad5d72ce38b4fb41755475775c65bd |
| SHA512 | 66c6370c538567286641e2ca3438d28572a78b4d2a15912f9d55cc65f9c7491d16e3f277c9f1385ee6773ef400e1a47e7abe5208aa4d7f75b8db5c816e6531a8 |
C:\VAULT.KEY
C:\VAULT.KEY
C:\Windows\SysWOW64\IE4Data\IE4Data.lnk
Analysis: behavioral6
Detonation Overview
| Submitted | 2024-11-22 03:36 |
| Reported | 2024-11-22 03:39 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 130s |
| Max time network | 137s |
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Dumped_.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Dumped_.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dumped_.exe
"C:\Users\Admin\AppData\Local\Temp\Dumped_.exe"
Network
Files
C:\ProgramData\cawjdzyliposrdr
Analysis: behavioral10
Detonation Overview
| Submitted | 2024-11-22 03:36 |
| Reported | 2024-11-22 03:39 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 92s |
| Max time network | 138s |
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIBE24.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBF8E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Tasks\sys.job | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC187.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBC89.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBDE4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC02D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57bbed.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBCF8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBE92.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBF10.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBF9F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57bbed.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBFDE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC0DA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC2C1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBD95.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe
"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C16F3427CDC6EA38E75CC0D770E37E25
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A18E76BC448C8C7AA40CF92A59828532 E Global\MSI0000
Network
Files
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
C:\Windows\Installer\MSIBC89.tmp
C:\Windows\Installer\MSIBCF8.tmp
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{E324ECA0-649A-46C1-8F15-87C2B2BECB25}.session
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
C:\Windows\Installer\MSIBF9F.tmp
C:\Windows\Installer\MSIBFDE.tmp
C:\Windows\Installer\MSIC02D.tmp
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav
C:\Config.Msi\e57bbf0.rbs
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
Analysis: behavioral16
Detonation Overview
| Submitted | 2024-11-22 03:36 |
| Reported | 2024-11-22 03:39 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 151s |
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\decrypt_0000000000000020-000A0000.exe" | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
| File opened for modification | C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
| File created | C:\Program Files (x86)\OIMOPMPEMA.MBE | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
| File opened for modification | C:\Program Files (x86)\OIMOPMPEMA.MBE | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe
"C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe"
Network
| US | 8.8.8.8:53 | craigslistlasvegascars.com | udp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 8.8.8.8:53 | dentistinnicaragua.com | udp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| US | 8.8.8.8:53 | decimallightness.com | udp |
| US | 8.8.8.8:53 | craigslistlasvegascars.com | udp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 8.8.8.8:53 | dentistinnicaragua.com | udp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| US | 8.8.8.8:53 | decimallightness.com | udp |
| US | 8.8.8.8:53 | craigslistlasvegascars.com | udp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
Files
memory/3108-3-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-4-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-5-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-6-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-7-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-8-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-9-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-10-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-11-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-12-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-13-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-14-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-15-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/3108-16-0x0000000000400000-0x00000000004A0000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\msconfig.dat" | C:\Windows\syswow64\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\syswow64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2968 set thread context of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ctfmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
"C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe"
C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\syswow64\svchost.exe
"C:\Windows\syswow64\svchost.exe"
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fsbps.ru | udp |
| US | 8.8.8.8:53 | cwnlz.ru | udp |
Files
memory/2968-0-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-1-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2968-14-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2852-18-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2852-19-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2852-16-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2968-15-0x0000000000490000-0x0000000000501000-memory.dmp
memory/2852-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2852-8-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2852-6-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2852-4-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2852-2-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2852-21-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2852-20-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2712-29-0x0000000000030000-0x0000000000040000-memory.dmp
memory/1188-25-0x00000000025C0000-0x00000000025C9000-memory.dmp
memory/2816-34-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2852-24-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2712-33-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp
memory/2816-30-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2816-37-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2712-48-0x00000000FF1F0000-0x00000000FF4B0000-memory.dmp
memory/2816-51-0x0000000000080000-0x0000000000089000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1504 set thread context of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
"C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe"
C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 |  | udp |
Files
memory/1504-0-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1504-1-0x0000000000730000-0x0000000000731000-memory.dmp
memory/2208-2-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2208-5-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2208-7-0x0000000000400000-0x0000000000415000-memory.dmp
memory/1504-6-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2208-8-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2208-12-0x0000000000400000-0x0000000000415000-memory.dmp
memory/1152-9-0x00007FF6B8110000-0x00007FF6B85AD000-memory.dmp
memory/2208-14-0x0000000000400000-0x0000000000415000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240708-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Renames multiple (4015) files with added filename extension
Drops file in Drivers directory
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Drops file in System32 directory
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Rondo\\WallpapeR.bmp" | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FALL_01.MID.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15035_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14539_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryResume.dotx.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\WHOOSH.WAV.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.XML.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21334_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME11.CSS.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBRV.XML.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Earthy.css.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR21F.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Solitaire\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Panther\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ba1cc5c862844f35\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cc39e164ed9f744a\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_en-us_77f885dc30a2b58b\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonypal_31bf3856ad364e35_6.1.7600.16385_none_cd66bc3541f90a26\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_ab6782291b0ca7be\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\Vss\Writers\System\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\watermark.bmp.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9cbb1d5656f57791\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_es-es_53d92c4ec2b28e59\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_code_b03f5f7f11d50a3a_6.1.7600.16385_none_09906177615c2112\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_8.0.7600.16385_none_1622b3b244141a27\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4106c47800c64a15\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a5ac6196f231571d\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b1837e63163037f\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.1.7600.16385_none_1f7373be61daf614\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1a07d4da952d4d02\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-t..cognition.es-es.ale_31bf3856ad364e35_6.1.7600.16385_es-es_3c034162a988d835\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ab03602b9d6cb924\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_d4c812c90da12283\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallPersonalization.sql.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a9893e83c110fe46\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_36242a66d0a3fac8\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f1bcbca1e780b68c\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_018b4fa043769680\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_netfx35linq-addinutil_31bf3856ad364e35_6.1.7601.17514_none_29443e96f9fb6564\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_e119eb1646de0342\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_00f087462bef45b7\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_netfx-regsvcs_exe_config_v1_31bf3856ad364e35_6.1.7600.16385_none_dd975ffb8de73e55\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7e7f3bd0c60c7e17\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_63cc1fc1c4366aaa\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_de-de_71d9774db1afe542\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7e0a31f5b1cdade5\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..s-directaccessentry_31bf3856ad364e35_6.1.7600.16385_none_52b3ba1508e42ec5\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cb425691a3c4dfa7\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_6.1.7600.16385_none_7b64ef799c494a30\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b1837e63163037f\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_prnca00z.inf_31bf3856ad364e35_6.1.7600.16385_none_ea189c313845a10e\Amd64\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SplashScreen.bmp.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-h..eraccount.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e185cfc7615ec6b0\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_064ef2a4b72f72b1\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0267af49be0713f6\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_cc7ce9d4d87afd2c\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8c1265b3f9ecd8c9\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8b1e0795efcd31f1\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\fr\Tracking_Schema.sql.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_795ac2ac69664653\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-snmp-mgmt-api_31bf3856ad364e35_6.1.7600.16385_none_47815118cd38388a\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_bd28e772321016e1\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d027e638f114b913\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_es-es_5e391147391d2f55\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\AgGlGlobalHistory.db.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\Logs\CBS\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\inf\PERFLIB\0410\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v3.0\WPF\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_es-es_959ec7b53a342ec3\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cffa1c7732c576aa\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2280 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2280 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2280 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fkksjobnn43.org | udp |
Files
C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.bmp
| MD5 | 58c3ce31b5687583c67761fa8a092f9d |
| SHA1 | cc3dd0f11895648b264d8890827059f618f2797f |
| SHA256 | e4b82a227f1af1d7ea08eebcbef5fc927b025683f5077d3be3635949576201e0 |
| SHA512 | 5aa50cbe95922a2a2e4f3bc8e7fefaf8e4f4eb990986aa41e96bb077f422fe70e475227fcb2c915864108abe2ff0f5eae281eb177f58d590461249b1a4a573d0 |
C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.html
| MD5 | 3a46dac3f4c10dfe74a0e3601021a791 |
| SHA1 | 9ffb319517542670eafc67cd71f898b43b71b452 |
| SHA256 | 44f4032bc674a2f836d1be30979456aaae5d24afaca44faba4503b92702fbba0 |
| SHA512 | ccd4beb602ce5a851b8f36de82b44169afb81c83e719ba4cdecf86c2783d8b1f6939a9db9e538f9f422e112b46c6ae55870ee9b1815e8f7a8438944697e89d2a |
C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.txt
| MD5 | adbe4d91680b52c82987a920a1918431 |
| SHA1 | 1871a4fd7983481a765b41d2dbfcf201a767221b |
| SHA256 | 5daf04f81052209f8b9fe65793e5be28b27243ce1c56178d088e8e835e6e9124 |
| SHA512 | bfdd9f632b519377bf2ba3fcc19442789acdf1b10faecbcd593d17cae1f61deb7796bf050cb2da3d23188db53a9660b6705ac15a051e6311a075eb9593d64e9e |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.jaff
| MD5 | 6276d2ae1fe73625484a985404675d4f |
| SHA1 | 750083f4852a7ad210b222aabbdc0a99689b2db9 |
| SHA256 | e110f40bbd910d845dcd536479032b1fc2c0b17a1e5f59cf91a007dedaaeaefe |
| SHA512 | 759fbbae3e4bd9fd65d7b3fbc6e80eaccebbb485e2b1a1ef06df5039143bcdb8c6e8b8b8a92cda87a2919d13f654a637d89dc23fa1191454d76cc22106c1100c |
C:\Windows\SysWOW64\com\ReadMe.html.jaff
| MD5 | 9fa145848f3b692d3949e4e9ce0f225f |
| SHA1 | 834871ed87bb5521902119f5ef6030c71935c40b |
| SHA256 | ca971f80b74b3ad2135bc8f7442e9248d47eb7ea87fc0a2f2eb54fc37e1ce561 |
| SHA512 | ae659082d957f981275dd2489be83dba3b44439a10c7d6402ea8c720b2d653dc8748983b48cee27c53e2a65259b29e5de04069345df4089a532b1117dbee6940 |
C:\Windows\SysWOW64\es-ES\ReadMe.txt.jaff
| MD5 | 777d6b87840244da4b80e117bf84bf18 |
| SHA1 | 7cfb42a9e3ef0eb8ffc2519724793ec0ca7d89d7 |
| SHA256 | 09cf18f36bcf462a63ffd916db61923b296e0e3779113b3d4e8ae3457a073b83 |
| SHA512 | 1a89831367edb3f6b693e9250062f3fe5368d97f6f0c263d6dc0a34da2ddd180594927a5c6d04b1b50f5850f94f3550d909260b27b7eb79c58bc06d0a8e165bf |
C:\Windows\SysWOW64\ja-JP\ReadMe.bmp.jaff
| MD5 | 577ec58e43331c65c8306f99333bb477 |
| SHA1 | 7bcc67a40054e83f4a297d724c995e49d2a9888c |
| SHA256 | 541964f505d61b88a36ef20ada38f5f6c9b3b92de0268ecd53ac71ff4f01289b |
| SHA512 | 3ccf18c28a8a71bb0682bfc7596ae5750d1ac728f8aa5a040c7a74d964aca5d1fc6401679ce710f1843475645afe1665f59f17c4c2d641316ca2a50ded7e123e |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe.config.jaff
| MD5 | 0c11e68f563439a620537d461db9f88a |
| SHA1 | c23fb49ef0371348e51bfc8a47b090a36ad63a57 |
| SHA256 | 1c13c0253b3638abd31000a8611e191bc6dea0aea1007b24a4f57df3926774db |
| SHA512 | 7ab90a26a763b2841385c598feb85f381eafba4be298d0e319ce371a492bb13cea5ba51bf3fbcd7d5208fdab0ecb0a7ae52489d2157098530f068eb06e096cec |
C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe.config.jaff
| MD5 | bc4e63ff2afdbd01872355904760b453 |
| SHA1 | 036672989c2869a19d1ee95d98f48a54a403a16b |
| SHA256 | 09f324a15bf0421549b6e4a7c9976f44a5fe9cd39e85006ce00d51ed564d25ec |
| SHA512 | 0806aad79c3337f1e29903618b5bf8706c78f6d9fb7702ddcc0ebc285fb4f588b45f966fc4c9e3ab38886a3c83c881a0c3a6b2a98bd35e6fdeb632f311c62cfc |
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config.jaff
| MD5 | 6d746b5a07a09516766f95a6d5326997 |
| SHA1 | 6d9b5acd4d5f2913b6a95307bf2a97eb75bcbc93 |
| SHA256 | 1ec20d1e92f94f5c29ea6e78dc17f88d98ba2b7ac90a22a5301eb799f723ebc6 |
| SHA512 | 2cf550c70aede52cf66747d467bfe699bce4ffaea7af955a073dddb0c40d8b47b61ae48888608929866553e3634ee9b09bdad9e11f21f34928d447f63f5596dc |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe.config.jaff
| MD5 | deeb38404b0292ece4558c1834babf49 |
| SHA1 | e51bb32061056541b168d2e78c40420c91d12df9 |
| SHA256 | c6f3c5177af39d649639a3eb297cd716a0fdad33d85c60033e6ab5e55fa4b40b |
| SHA512 | d41718140379142f56a0c5e9a5ae4297d2e683765fff1ee264ea94949d3e12c45cdd55d1b4155464ae9fbc1cd0533f874a068771078caab680b9e2441ab776f4 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe.config.jaff
| MD5 | 95d0e89b8c52b4edebc18d74c5b4c700 |
| SHA1 | 6738bcea016ad85dcea28058c6714647ad010630 |
| SHA256 | fa887f20bd8086356e986f0058588211966b25434641dc14154dcc4f56b2ca88 |
| SHA512 | fead5a94f0bec822a50b8c734de76bb14f67b3ad12e69b56141404593c257acaba38c554e1f92f0787621cf81c1cf94123490f4b70fc114baecc67e85916ca33 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe.config.jaff
| MD5 | 27a6c7c7822b8c34f8fbc34650f5bea5 |
| SHA1 | a232f0346514970a10bb2a68adb2e20122766050 |
| SHA256 | 6e2e30552648175a3eb31cbf7adf9b07b263bdd8293e24d7652bae2c6d47ebe9 |
| SHA512 | c55ac6f0a0bd855776c25b4f23fef1921b6cd972e8c18031c92be9819b40678316b7818eb4257ebfa084d492f34dcd0b67cc4b297f50dc57ec1353eff8e49fa0 |
C:\Windows\inf\PERFLIB\0411\perfc.dat.jaff
| MD5 | 7f0ff110485850b974164ee7bed8a025 |
| SHA1 | 651d56a8ed88c0cbed34f41e744c8f4742c7cee5 |
| SHA256 | 5ee90c4028a25caa65f4fe04126d25ceaa91b3d909e315a42bef7c581433063a |
| SHA512 | bfe0a1854bc03c5ef2eabe2082d360376ecf39f5332af84e58e7a78a675d27fea197bd623fd5a5915b6a7e9bfd5b85a299fb1da99a7bcb116d2f5fd8a70cfb16 |
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\DropSqlPersistenceProviderLogic.sql.jaff
| MD5 | 1445c9119491e64969d721a31888b528 |
| SHA1 | 8bd09f3f9da250f0628d11f3a2a630290d6d66a2 |
| SHA256 | 5ea2972e8f548bc8b72b6188e6f463f6c7a279e10ec962cd574bd8bae3a3b802 |
| SHA512 | aad2f084e609a94185b3d0e549ebc2a6ceca2e7b28d960046326f2eeca893a38a8f9b7026730d25c72c119b048fcfbd785c9360010d3d133c776fa4a8cb0e380 |
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\SqlPersistenceProviderLogic.sql.jaff
| MD5 | 750d4dc7bde47ef76a441a14c2449d06 |
| SHA1 | d92d706061a9fc4f4edc5704091656dee3027e82 |
| SHA256 | b8f3ca26050817cc6079805c007874d09329f8ca95ee532e2df3e69825c7dff5 |
| SHA512 | 58291afe47065c028eb0b3f151d50a609ac963ff5020bda27ff5e0d6f3eb7f68a32d98c98407790ea40b22a9eea085981718e67c5ed4ba6f7c457dd1f00ef17b |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif.jaff
| MD5 | ada413e008cdef885150bf038c1d0c5f |
| SHA1 | 8c5844866ed6b5c74f68acc9fa50f4f3f57391e7 |
| SHA256 | 7505c62f8e32fea2240b5a383050211f6276feb95bdbd2d63da398b869dfdf40 |
| SHA512 | a483343a9e393f9df53a437e6f5fd1fd0e9e243bb5b7461e2879868978d62ebb3392079f1a9d7b50e25cf6b753ba4af8c9305191d488120b09478901d3f12abd |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.jaff
| MD5 | e19fe113a3de76c2d36171b1dde45b52 |
| SHA1 | 6d23f5ad34ef87b3440b6c06e05365c14b42f9fc |
| SHA256 | 300115fe5e446400ef5f9fe0118599ccbf1e5496de87a24a62c8e25dd1b6e055 |
| SHA512 | 0d6642a42619043418b1be88189471127a899256c1c7e5aefa69389cf23731ee108c86aee6e959d6882519a07b480c983cbd7833448c997d4b289f30b808de8d |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.jaff
| MD5 | 7b2fffc2f0eaa5571da2acdb0f74c9c1 |
| SHA1 | a74f6da4e247b568ec50c4fefb079066f76a75b4 |
| SHA256 | 702ae305be310bc75db0568e58fb3d0078ad959674162f72ce6cde391ed0e151 |
| SHA512 | bd17148b359c1462fcd4f68a2b7ee55ae4312353cdd2d95747280c76b3e0561dcd02e3419e40003d873600dc5d83f83a8b1ca235302146e50f12620b2c658d73 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif.jaff
| MD5 | c94fa6ca0646b1fa00c716d14113417f |
| SHA1 | 993ebd8d02d3f21547401253cdf0c3299148ec57 |
| SHA256 | 21345ff35ed1dc6ebfef4ee3fc627f2060d95c8106b3d71c3bc78891754e2d44 |
| SHA512 | f1e11a2a47bec771e2ae7fd7b6c4e32bcb9d14a1abc23512ccf06a2d772c7dec6182192c82e5e9dc42093687d90317cde79960a7d017e66ea62dcd7aaffd9e47 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif.jaff
| MD5 | d5bd54f0288820e942c3527f047daa8b |
| SHA1 | ccc376f9b14fd946830827281a0e9a42835de1a6 |
| SHA256 | f513b89a662f4f6bbed5fd5e80d3aedc82572731bdc336d5ddd5996ab093f5c7 |
| SHA512 | 981ea6925a6b65d93db33d32726af3a6b1eaa02fc815c8b21f34f8a690bff1618e6969c8e83b5af58bc872c1f6a0757053a6072fd69d03ac94f541b0b6aeddd8 |
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log.jaff
| MD5 | b30b95e867f3600ed9e6bb6d9b75be4d |
| SHA1 | c38d6f8def212204ec253dfd20b640b2ba4875b5 |
| SHA256 | eeb52552a9f27cf4adef97dca2a84a63172f10b419daa73bbfc3e31ebe300923 |
| SHA512 | 1759a5d37844e2e016e5255f3dc0cbca3dd64006a3047b64cf7b4fca7c2bdb6aebc5578f0b1e458f78dd42d656555226a26dba1719ab8f8a6f54ef45d105a58d |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.jaff
| MD5 | ebb7ae0d55798dc571ade1045e00c041 |
| SHA1 | 497972d7a57031cf429ea3646ea4758bd9f0d95c |
| SHA256 | 90715bff0c24bd1272f5593a76ab2e9f598eac0bf300a75a4b511aa3ab90a2f3 |
| SHA512 | e00b648f82b6d7dc94643e347f65412497878be5ca1eaa36de6df30538ed7eb1b99944f350b62d09e2765f3ab3e2aaec53d534132b7fbbf1d2c888e1cc2deb80 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.jaff
| MD5 | d80de0457d3db29f32ac63828ebcc4b8 |
| SHA1 | 7f275665774e797b7f1db769e825ad1c5b35b898 |
| SHA256 | 412b30c16ab674f0be5e316379fbe736bec8815d8c90b5795fad8e6970cf341b |
| SHA512 | 511d6e7ee92e9bacf7b929961c4a85d3be42069e353dd5f1ff1a095d9fcc5c6d866dad4bfe7816650b743c0b05b77de52a94dfe94d1689046961ae1fc0fa52aa |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.jaff
| MD5 | 1edfe90774391d158546e29528c4698c |
| SHA1 | b4f7bbe73d89a2119b04690cee5dfbb55366f32a |
| SHA256 | 699f5c89eb9a30e4540212a8409da5af0972df39bc9b05b582b017189fff448d |
| SHA512 | 1d6ea4ce631450fbe0c2f93c121b510361f57480c97451b647b2eafcd6c9260d5d16c3257bd18125d32a4e24999610a7cd3bd64f8c76cecbeefdd6ec4ceca7fd |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.jaff
| MD5 | aeec8563857d4e88ae292653fe3596c2 |
| SHA1 | 045a66823cbf4c677681188854920de194d0f8e7 |
| SHA256 | ab2aa57e575dc552c7c3f7ef1453fcd372aaeb7fb13f9e6722b0b5bad27a7029 |
| SHA512 | 13ba5f27c18bcf9956467d092addb2669d76dd17d27e7dc8c98532d468936031698f5708c1c2b9e10247529aa7c58d49ab2515415afe41041697b63ae42038a1 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.jaff
| MD5 | 3f01f7e5e7e38198b03b2586a5be8583 |
| SHA1 | f34a0062a380e4da911927a7582d6860ba4ffb07 |
| SHA256 | fde5dbd46b23a8b3e2688e255758f13d0722aea56f1d845b93c8c7af4969f272 |
| SHA512 | 2fc9fe74e02ab092f54c4e41ebf0dc6f2f33bdb0b717891b00449d74d9c27ee5e7fde02419ba23790b5469dcb4a9eb5f71d11a20e944784aa3bb57142b9ecae3 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.jaff
| MD5 | d546455a6e81e30e49496053f98695ef |
| SHA1 | 2e78022d097357c739813dabda1edbba43d7692f |
| SHA256 | db2f33e28e503d727eb977335a7f9969a8dcfbd6ad9e1e75aecfdee37f8a0855 |
| SHA512 | 67a883ac9340cfd04771f0f7bea5f8550b17144c8cd8ebd4806ba7ec090e36e20bf0fbc9a961ab9d12099c543d9ab26e2ca0dce8aacb9c97b17ce0a3a61a486a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jaff
| MD5 | 47607045c2c43dfe9ec8815496c30778 |
| SHA1 | c2e376584f5d3e20764605a1d20102416cebb10b |
| SHA256 | 4cefcfc58247f51a19e6f19ec8f32024b54dff7e66d21a3139e11b970762e5b1 |
| SHA512 | 27a679450e0d7f9c0120aa8e6ec3348c014b4da175b6baa1e775e3d7570b2f536539046a7b1b8b7f05613c171fa521e2f99986d874c8f4b504fe0cf8d2d143aa |
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20241010-en
Max time kernel
123s
Max time network
130s
Command Line
Signatures
Deletes shadow copies
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" | C:\ProgramData\svchosd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" | C:\ProgramData\svchosd.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\X: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\B: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\T: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\I: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\U: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\V: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\O: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\L: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\W: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\W: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\M: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\S: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\A: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\I: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\K: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\O: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\T: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Y: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Q: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\X: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\L: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Q: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\U: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\V: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\J: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Y: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\J: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\N: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\R: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\B: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\A: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\M: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\N: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\P: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\K: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\P: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\R: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\S: | C:\WINDOWS\system32\vssadmin.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\svchosd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
Interacts with shadow copies
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe
"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
C:\ProgramData\svchosd.exe
"C:\ProgramData\svchosd.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
Network
| Country | Destination | Domain | Proto |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
| US | 5.8.63.54:80 | | tcp |
Files
memory/2572-0-0x00000000002E0000-0x0000000000321000-memory.dmp
memory/2572-2-0x00000000002E0000-0x0000000000321000-memory.dmp
memory/2572-1-0x0000000000400000-0x0000000000453000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\tainknoa.exe" | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Disables Task Manager via registry modification
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ctfmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ctfmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value elided) | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe
"C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe"
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe
C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 397110121001i83455512377.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/3552-2-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3552-1-0x0000000002180000-0x0000000002196000-memory.dmp
memory/3552-0-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3760-3-0x000000007F650000-0x000000007F65F000-memory.dmp
memory/3552-4-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3760-6-0x000000007F650000-0x000000007F65F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\knmfilchry.$00.exe
| MD5 | f45f47edced7fac5a99c45ab4b8c2d54 |
| SHA1 | 9060189dd95635c5f75d7f91c9bd345200e83028 |
| SHA256 | 0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8 |
| SHA512 | ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3 |
memory/3760-11-0x000000007F650000-0x000000007F65F000-memory.dmp
memory/3260-14-0x0000000002060000-0x0000000002076000-memory.dmp
memory/3260-15-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2228-16-0x000000007FC50000-0x000000007FC5F000-memory.dmp
memory/2228-19-0x000000007FC50000-0x000000007FC5F000-memory.dmp
memory/2228-20-0x000000007FC50000-0x000000007FC5F000-memory.dmp
memory/2228-23-0x000000007FC50000-0x000000007FC5F000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
132s
Max time network
135s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfgkuyuaoarifrk = "C:\\Windows\\ydyategyulafxiprjjmv.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfgkuyuaoarifrk = "C:\\ProgramData\\ydyategyulafxiprjjmv.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfgkuyuaoarifrk = "C:\\ProgramData\\ydyategyulafxiprjjmv.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfgkuyuaoarifrk = "C:\\Windows\\ydyategyulafxiprjjmv.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ydyategyulafxiprjjmv.exe | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| File opened for modification | C:\Windows\ydyategyulafxiprjjmv.exe | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe
"C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trybesmart.in | udp |
Files
C:\ProgramData\xedwccxvxjdrmpsrukbdmumycqumjwgq
| MD5 | 720ffbd7c4e1e136bc524c0f3315be5a |
| SHA1 | d97a4c5256f6936226dfc01a6f2681ead44f762e |
| SHA256 | c5ee84be2172fe70689f3716ddd55d39e1d177a76e1ed4844df7feb2d7ad5064 |
| SHA512 | c40fff39128002ecf9fc9fbe1af645bbddf6264676aafd4a1f2db780271bd2c7f26e17dea299f5baf515a0524dd4aca59e476a1591c53120fb999cc74a36e8b4 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
40s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe
"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"
C:\Users\Admin\AppData\Roaming\DirectX.exe
"C:\Users\Admin\AppData\Roaming\DirectX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c aaa.bat
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im DUMP_00A10000-00A1D000.exe.ViR.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
Files
memory/2096-0-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Roaming\DirectX.exe
| MD5 | 6152709e741c4d5a5d793d35817b4c3d |
| SHA1 | 05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e |
| SHA256 | 2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2 |
| SHA512 | 1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390 |
memory/2096-10-0x0000000003C40000-0x0000000003C59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aaa.bat
| MD5 | 3e59a76bf84cb9d1a8585c17cda9b949 |
| SHA1 | 60fdb9e6bf1154aad3a332ad5657a9d62a5be73a |
| SHA256 | 21060b57f9392d62259c274427c4bb6caf19b228716d691f44a26958b3620d5f |
| SHA512 | 01bd3726c30e304dd712d302a9081052b50a85a28c586458b691e748b1867e85fa679e58db304793a18f554b8a8c17af00bd38e795d3fdb6b0f5a873f80b5303 |
memory/2096-21-0x0000000000400000-0x0000000000419000-memory.dmp
memory/1404-24-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240708-en
Max time kernel
130s
Max time network
118s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Dumped_.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dumped_.exe
"C:\Users\Admin\AppData\Local\Temp\Dumped_.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dolores.cursopersona.com | udp |
Files
memory/2248-0-0x00000000010A0000-0x00000000010B2000-memory.dmp
memory/2248-4-0x00000000010A0000-0x00000000010B2000-memory.dmp
C:\ProgramData\fjpnrwuutgmtath
| MD5 | e69691901dc85b4281e7877318cc94b8 |
| SHA1 | fb172f65d983a17afb1297d34ba30409d7cf46d5 |
| SHA256 | 0c568d09cbdb4645f277805f37997f73557bc09e9d84a89a5f2ca850b7ac5973 |
| SHA512 | 5a1a240581e4fb4ed2192cdae8384f040cc7da892dac1116ba74cb108b2465d92800da0938b4645d19953699229d198cf48869d1bcc0a13d1e6daeaf1200e26b |
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\Mozilla Maintenance Service\\grMYZPfr.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhqPtOOK.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhqPtOOK.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhqPtOOK.exe | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhqPtOOK.exe | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FRnZFLWv = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\GszECgJr.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FRnZFLWv = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\GszECgJr.exe" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dirty\\DirtyDecrypt.exe\" /hide" | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\grMYZPfr.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\grMYZPfr.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File created | C:\Program Files (x86)\Dirty\DirtyDecrypt.exe | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dirty\DirtyDecrypt.exe | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1516 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe |
| PID 1516 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe |
| PID 1516 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe |
| PID 636 wrote to memory of 3168 | N/A | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe |
| PID 636 wrote to memory of 3168 | N/A | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe |
| PID 636 wrote to memory of 3168 | N/A | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe
"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"
C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe
"C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe"
C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
"C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| DE | 178.162.203.226:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | sjytgtnkdl.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | vjuxtixi.com | udp |
| US | 8.8.8.8:53 | ntrshvquunyzxevkucs.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | ntrshvquunyzxevkucs.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| DE | 169.50.13.61:80 | ntrshvquunyzxevkucs.com | tcp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | okenhqzgxngnkbwouvfm.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | wxluitpliymeoirc.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | wxluitpliymeoirc.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| DE | 169.50.13.61:80 | wxluitpliymeoirc.com | tcp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | kcubcfuhwwn.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | 61.13.50.169.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| DE | 178.162.203.211:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 178.162.203.211:80 | viweabkkfe.com | tcp |
| DE | 178.162.203.211:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | 211.203.162.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| NL | 85.17.31.82:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| NL | 85.17.31.82:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | sjytgtnkdl.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | 82.31.17.85.in-addr.arpa | udp |
| NL | 85.17.31.82:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| NL | 85.17.31.82:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| DE | 169.50.13.61:80 | sjytgtnkdl.com | tcp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe
| MD5 | d224637a6b6e3001753d9922e749d00d |
| SHA1 | bacb2313289e00a1933b7984dd1cbef01c8019ee |
| SHA256 | 9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263 |
| SHA512 | 08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0 |
C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
| MD5 | 1d27a7210f54a047264f23c7506e9506 |
| SHA1 | 4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527 |
| SHA256 | 431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9 |
| SHA512 | 077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700 |
memory/3168-27-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Desktop\ConvertFromInvoke.xlsx
| MD5 | 53a08f84804005b603250b2bd3440dcb |
| SHA1 | d070e5f6532c1fbc6a3b716794c7b7a6f8de9840 |
| SHA256 | e6761f7d29b5e56bacbee0b93a4d2bbb22413d08afa2f812fa935bb30732406a |
| SHA512 | ed58439ccc05fa4f1318aea87b82d6370941a72633bc7dbf9e93fb2ad11c480f07fe0359da90277cbaeb783777b9114b9511d3eec920119809baf499c3d28fe9 |
C:\Users\Admin\Desktop\DenyOut.jpeg
| MD5 | 417ecfeff42c115bf636175d26d7a74c |
| SHA1 | ee653ecffb54877c1ff7f0904ecf9d5488e8fb4c |
| SHA256 | 6e4b9f51b8e8d7c275b73f890e4f878b43702791958c19a71621459dee4af886 |
| SHA512 | 058cee16e2bba1b0e0d2677023f7abb61baf92f4628fd24bb8a23db08c902a5307f74d791440915d802f84050a70896635644b0f151756f65e534170722fb191 |
C:\Users\Admin\Desktop\MountRemove.zip
| MD5 | f2e32f1166dd7d5b6e02c70a5a5ea51b |
| SHA1 | c01d3f0a50dbe1f0dcff1de4e071fa5f8f894751 |
| SHA256 | 0d0049849ed1ca235cd85df8e778d98186425a950a06b717366d5fe879e53faf |
| SHA512 | 19b0b303f8727e1406a5f40f86aa5c5389f7c39fbd5cb715172c6332cd14c4b7a3321c2300e883234183637d8d99bca254e508b33f1ad450f572f386a7eae765 |
C:\Users\Admin\Desktop\ShowSwitch.rtf
| MD5 | 1301ccb48fed791f5ff7fbcdbb4522fc |
| SHA1 | 7b8a0a0a052946e0e2da76dc8c68822a1aa80a85 |
| SHA256 | 210553b216d1e42150e7313757c5edcf2c653f59bb7efbcee9da66bc6d68966a |
| SHA512 | 8dbb8410d9ce81aede28d4830749b515529d07f5c2bc5e52ebe7223b29a4b5d80ea52c9cfd33d5537f34ee8e5a40b0aac82847ff3d19b76b84b77aafa63993b4 |
C:\Users\Admin\Desktop\SplitFormat.docx
| MD5 | f509ef6c31a2963fda6b1e79e9e544a6 |
| SHA1 | 3fc584ec1c8d455a69e1fba6337a0f5f56874a2c |
| SHA256 | eeb2e9012d9d3728879043e4365467b5365232f95bd95b3548cd720d73373a17 |
| SHA512 | bab34b50f1e65f4dfb3ab0896bfffcd6f5410eedce4fbdeb09c6055ff15130928aab8b029b6782f29af9a1cdb61c03c340e7377b62bc151b3b09bab184beee53 |
C:\Users\Admin\Desktop\WatchSuspend.zip
| MD5 | 82609be0f6343d8e8d0d89159a9f9f7d |
| SHA1 | 67076039a99b8e62d6eacb4586e6c30ea4872bf9 |
| SHA256 | f13b07dfad669d47ac0a88a59677bbd0602d7e2a7c4e07638fdef235cd2cb941 |
| SHA512 | 918199255c4802dc3a7418e1b3c23b81e8d5167f3131bf9816d54ff3290d766de8f5c5528dddfbaafd24dd2b0f20924aa788181b668d408404f18ee1d64f2a84 |
C:\Users\Admin\Documents\CopyAssert.xls
| MD5 | d95e1dfa89473cc83b276409997bf833 |
| SHA1 | f7b4e71e67f44234b5f2a25a042901a321670d7c |
| SHA256 | 514ec776d8c39de5d334b024cd359c80820f28f762924319797a57e102989297 |
| SHA512 | c5f7bf00ce1e1c1cd6886c245c0f1e5020fc5ec0b9af25cec014de708bc90c1dec8beea65f861a30c34f74f022228632b9dfafd9f9a72434ee0324e4fc6fae97 |
C:\Users\Admin\Documents\InstallAdd.rtf
| MD5 | 2271ab816e43d75d30b736b356dcfb35 |
| SHA1 | bb4155835a15c753e9ff21bd955d3ab5d2bb5f11 |
| SHA256 | 3ac41f74614931be16fe79d72bff3f6c33f1ff1fad679ee137a3931d323ce082 |
| SHA512 | 312a427002931029bb36d03c5efb4501f48dc93d426bf99cb76e553d8465fede08c1c94234009450ee6abd3c61b05980631ed08383e0284dcce39bc37b0f8784 |
C:\Users\Admin\Documents\PopFind.rtf
| MD5 | 82d4db3e9f6269d7568c42948aa44d83 |
| SHA1 | 643f5c6324550646fdb20c41b9b120985d22a33e |
| SHA256 | 1a6066f67a70bfead028e3f6923ffe684a2e5fb87dd68b6d01c0433dd6d7c5cf |
| SHA512 | 87379704a1dbfd9431627ba2b3050b66cbe37084ab7f8738108b78ef861e4f30dd09f0f5addbf06b5aad5126fa4185f3bf0e3f403b1bfc7214ffb19b225c6101 |
C:\Users\Admin\Documents\SendUnprotect.pdf
| MD5 | b6ba14f7ff87de059ab99cc11b87885f |
| SHA1 | 32020a6258fb7b3a1ae222613eb5a9e1e3a56e10 |
| SHA256 | 313621951a26cde61f331e4a1cdb5c1cac7e1c753827b0338cf3fb7aba70617a |
| SHA512 | c0c9bf7cb8ce30504ebb86d86fa33ffae618fdf4e53aa0d7a74734ec446f4853da5d3d89ee7326d2c30b54a307a2e9c77c89ba1eaa3641eab67503dc43d8f5b5 |
C:\Users\Admin\Documents\SuspendWatch.docm
| MD5 | 37ca8751f1ba8b9e1b67a73759980e99 |
| SHA1 | ffa27755dcffc35bdcac7fbc5bd904447f5a0945 |
| SHA256 | c0bc2c461468c2cf030b62645aec3a161cc2d101ba720e67171df7e24a582ba4 |
| SHA512 | 0ad9e95f997ed126320afa494125bf798f7553a1041acd4e9b1eadc10f1190450869e343162e89d4bb94d7b6a6fe6253a41a8bd153d4bbfe9c2c139108098935 |
memory/3168-181-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
131s
Max time network
132s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\service.exe" | C:\Users\Admin\AppData\Local\Temp\dump.mem.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dump.mem.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dump.mem.exe
"C:\Users\Admin\AppData\Local\Temp\dump.mem.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | exodus99.ru | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
126s
Max time network
135s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\service.exe" | C:\Users\Admin\AppData\Local\Temp\dump.mem.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dump.mem.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dump.mem.exe
"C:\Users\Admin\AppData\Local\Temp\dump.mem.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exodus99.ru | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exodus99.ru | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exodus99.ru | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
66s
Max time network
147s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe
"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"
C:\Users\Admin\AppData\Roaming\DirectX.exe
"C:\Users\Admin\AppData\Roaming\DirectX.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c aaa.bat
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im DUMP_00A10000-00A1D000.exe.ViR.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | 201.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
Files
memory/1716-0-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Roaming\DirectX.exe
| MD5 | 6152709e741c4d5a5d793d35817b4c3d |
| SHA1 | 05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e |
| SHA256 | 2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2 |
| SHA512 | 1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390 |
memory/1716-64-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aaa.bat
| MD5 | 3e59a76bf84cb9d1a8585c17cda9b949 |
| SHA1 | 60fdb9e6bf1154aad3a332ad5657a9d62a5be73a |
| SHA256 | 21060b57f9392d62259c274427c4bb6caf19b228716d691f44a26958b3620d5f |
| SHA512 | 01bd3726c30e304dd712d302a9081052b50a85a28c586458b691e748b1867e85fa679e58db304793a18f554b8a8c17af00bd38e795d3fdb6b0f5a873f80b5303 |
memory/2532-67-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Deletes shadow copies
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sljjipib = "\"C:\\Windows\\ocanybyl.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1620 set thread context of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ocanybyl.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\ocanybyl.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe
"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
Files
memory/1620-3-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1620-4-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1620-2-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1620-1-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1620-0-0x0000000002360000-0x00000000026B0000-memory.dmp
memory/1620-5-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1620-8-0x0000000002360000-0x00000000026B0000-memory.dmp
memory/1620-13-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1620-12-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1620-11-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1620-10-0x0000000000300000-0x0000000000301000-memory.dmp
memory/1620-9-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2360-16-0x00000000000F0000-0x000000000012C000-memory.dmp
memory/2360-15-0x00000000000F0000-0x000000000012C000-memory.dmp
C:\ProgramData\egynegorelydakuf\01000000
| MD5 | 344d179eff7427801b599847c63d232a |
| SHA1 | d363462418f38d8f75361469429a4143b2f803f4 |
| SHA256 | 99a0358cbbd42544801443e0d729cc1ac6d983da93d248c99170b57c66fd31bc |
| SHA512 | e2e5e6784fe9ff7fbebc118354b1989552b41a650413a2723a402d2f1badabebb72399ff9bfc405a3cedfd03dddf6a4e7144b319eca05dff726cc52369dacc03 |
memory/1620-20-0x0000000000400000-0x0000000000445000-memory.dmp
memory/2360-27-0x00000000000F0000-0x000000000012C000-memory.dmp
memory/2360-24-0x00000000000F0000-0x000000000012C000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Deletes shadow copies
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inahyqus = "\"C:\\Windows\\ogxqamof.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1808 set thread context of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ogxqamof.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\ogxqamof.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1808 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 1808 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 1808 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 1808 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 952 wrote to memory of 4872 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SYSTEM32\vssadmin.exe |
| PID 952 wrote to memory of 4872 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SYSTEM32\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe
"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1808 -ip 1808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1808 -ip 1808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1808 -ip 1808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1808 -ip 1808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1808 -ip 1808
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 824
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1808 -ip 1808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 140
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/1808-11-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-10-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-9-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-8-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-7-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-6-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-5-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-4-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-3-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-26-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-27-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1808-25-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-24-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-23-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-22-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-21-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-20-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-19-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-18-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-17-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-16-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-15-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-14-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-13-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-12-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-2-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-1-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1808-0-0x00000000026B0000-0x0000000002A00000-memory.dmp
memory/952-32-0x0000000001260000-0x000000000129C000-memory.dmp
C:\ProgramData\egynegorelydakuf\01000000
| MD5 | 344d179eff7427801b599847c63d232a |
| SHA1 | d363462418f38d8f75361469429a4143b2f803f4 |
| SHA256 | 99a0358cbbd42544801443e0d729cc1ac6d983da93d248c99170b57c66fd31bc |
| SHA512 | e2e5e6784fe9ff7fbebc118354b1989552b41a650413a2723a402d2f1badabebb72399ff9bfc405a3cedfd03dddf6a4e7144b319eca05dff726cc52369dacc03 |
memory/952-37-0x0000000001260000-0x000000000129C000-memory.dmp
memory/952-40-0x0000000001260000-0x000000000129C000-memory.dmp
memory/1808-43-0x0000000000400000-0x0000000000445000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer_new.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vudltabcrghlqti = "C:\\ProgramData\\jkaricctyydkteijfwhz.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vudltabcrghlqti = "C:\\Windows\\jkaricctyydkteijfwhz.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vudltabcrghlqti = "C:\\Windows\\jkaricctyydkteijfwhz.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vudltabcrghlqti = "C:\\ProgramData\\jkaricctyydkteijfwhz.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\jkaricctyydkteijfwhz.exe | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| File opened for modification | C:\Windows\jkaricctyydkteijfwhz.exe | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| File created | C:\Windows\explorer_new.exe | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe
"C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trybesmart.in | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
C:\ProgramData\yxftnsxajaeqqfnbmjyxbpypdpylkwqn
| MD5 | 2747bf29cce4861659725fc80c4757a6 |
| SHA1 | 03b82fb9fbd4e8d4915a7fd5037585d1f3766a0a |
| SHA256 | 264b88bc33cd504986e7d24581055fa1c8747fa6d79affe79d4085151cd8c14a |
| SHA512 | 631c7df5b62e4b7ef3df45d034add386c19532e6d416c9f59860a1a0cd34e1d1cdd235a1ca93a654df146c9593bb833b816b6b41ba303cb60d79c764bb6148ce |
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe
"C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\ExtraTools.bat "C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe""
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\ErOne.vbs"
C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe
chrst.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=chrst.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd675a46f8,0x7ffd675a4708,0x7ffd675a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=chrst.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd675a46f8,0x7ffd675a4708,0x7ffd675a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6404443149906503273,5979442725708006353,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| NL | 23.200.189.221:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.189.200.23.in-addr.arpa | udp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.64:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 20.42.65.93:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 20.42.65.93:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\ExtraTools.bat
| MD5 | 8f07fa594d84c6e234b336def0b47cdc |
| SHA1 | 34b88980635c3f2367af03caedc01d50b5e4624a |
| SHA256 | dd79d7a80a9087e1fced76ade08394843eab01a8ce263dc2306f46435b451f77 |
| SHA512 | c33fd26b5399771f4bf9877d717bb730a8101b9f6bd24847084c50b066db7f6e43d56cbf44792eedc94d117c50a988f5d4a46127a34a2115c50fbb4a67ed2047 |
C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\ErOne.vbs
| MD5 | a764fe63c6cc48c851f0d2a8ba73c2b7 |
| SHA1 | e16351bd38ebcac7e182905767f9b36e078fb5d5 |
| SHA256 | 8c4d90a5343cea107fad96e842404522aadfc416e7cf84adc58fe2ba72bbc919 |
| SHA512 | b0a93898c66c2ff97f9d8cb1f75364a6c4a0ad5cf3158815f94ffb900796065c8e0d384b392d59bf2b01419adb8c65d2dc846ddebaaea971d64c3300edc63571 |
C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\firefox32.exe
| MD5 | 866604f3adb9207e29505012215f203f |
| SHA1 | 718b342c3bc42f3e73c4014c2b105c4d467b0ba6 |
| SHA256 | 978ed9b9c86653e8f10feb9e7f93eb32f2dadeec42ccce498403e96b7bb3e3c9 |
| SHA512 | cdcdd94e2a4c550a819a28085fe543ed944da298da1409ed111380fbde89f6976a4c7d040750307579b007b4551aa86182d453408436bd7aef35423c49b60f79 |
C:\Users\Admin\AppData\Local\Temp\8DE8.tmp\chrst.exe
| MD5 | c657daf595b5d535ccc757ad837eebe8 |
| SHA1 | 894e953e86e54a830a14fac94e57569d184a9c09 |
| SHA256 | a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526 |
| SHA512 | 21a26bc146dd2a915c17b268b13edc565e9a582d11c1714d89741f4156a880dfe35415d4920a6326d164519f4b28b6371ef9c7bfdb5e19080448bd77b4a20a4b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d22073dea53e79d9b824f27ac5e9813e |
| SHA1 | 6d8a7281241248431a1571e6ddc55798b01fa961 |
| SHA256 | 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6 |
| SHA512 | 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413 |
\??\pipe\LOCAL\crashpad_1652_SGZXKNJZNYMYKJYL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bffcefacce25cd03f3d5c9446ddb903d |
| SHA1 | 8923f84aa86db316d2f5c122fe3874bbe26f3bab |
| SHA256 | 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405 |
| SHA512 | 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7379466647e3765c092f6185c2a87874 |
| SHA1 | b0484a18f4b9f04c5716bb590facbb7d323e4f1a |
| SHA256 | 7e5d0dfc993a56c57f80deff53e52bd1e5d6e317d6420fe0e049e6d77c5897df |
| SHA512 | 200d9b2f9bf27dc969ef3be7cd68aa0d9073036090c8b31297f89b2553765886358d3f00389dcecb559d45bcbc65adc46f44c4eb1b4b2e819e7a4a8e32da68ee |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8c20e44a3f8d8f5e996a9b6d4cbb77c7 |
| SHA1 | fd3c00496bf3b9bdd138bd0bb196cd90ee9d77e3 |
| SHA256 | 17be443fdfb4688771fd7b453af64b2c0cfedb699858444d98a7f24ebac90f51 |
| SHA512 | 944349ecefffe87bf15c67c9fa3095a682458847182cb2e0827d18012ffa5189d43464746e70a01d6f10c7cfd1c5066f4bfb811d032cb1d356b6f36e5bf8f4df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7ba8753bd535947a7de592b28172e18b |
| SHA1 | 00563b46e74075b78853a5ed0ee089f1a0186b9a |
| SHA256 | 04bd1b6698415910dba0a4c3e59e0d56b6011d785f6c33011c902383827c1793 |
| SHA512 | 609be33c5a12bc6f55f1fcd9269402edaaabbc2f0a23363802969b394408d89523fafd4fc493a6ba8ee745088ca1016e5ff1f0fe5e7ea72531b904a37cbdad0c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c5c5d431ab1d75854f1f8e48d9588b00 |
| SHA1 | 0e6fc95bf5c6a91b86e8eda3126b8318643d8626 |
| SHA256 | cf2507ecf83d7a810c9794f579934412c030c12f45816f6a6ddf17e9b05b05d2 |
| SHA512 | 9d8e77567b785d9f91f316060ffe73f6e0faf7ef45e0234559e944e1d18eb28d5566f4812609743cc4238527de3f8b57aca3b2342777e1b54fbe1395f8d613fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 9d5136804451ca102c1f0a4d4942bec3 |
| SHA1 | b5b31fa6119b31c430589e56cacd817df24a636d |
| SHA256 | 5f5cd1f2c21356bf89d5ad8858e7038ffdfc0099dda225f58721f9a56dd53cb8 |
| SHA512 | 7043d3d5310358329274fe0f2974f2243b22f9e485215c3abceafa73c413d95268dd3e9a488df32bc9c807d1486a19fc0e35d497cf2e528010fc617ddc2273fc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58029b.TMP
| MD5 | bfab0336c3c8c190e2853b4350b0b88d |
| SHA1 | 9299456e262fdc0d2626c29ae3dce4490525323e |
| SHA256 | e6d82746a35a0fd8b56f453e0a04d95c955155cb1c71dd9ecedb34e04dc24e71 |
| SHA512 | 1514cf7ce819887ceccceb7bb1203ed2dfd8a8e629f4499a295f0ebe814fb2ee34b29bc6d47c44cbf5d9d3ebab83556476d2385581334c390809d65a8d0f2f84 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a5d1107ad646b86ad0c78a152a2ece81 |
| SHA1 | 6f2ca812c647f290ed27d2c96ce734b46754f5ea |
| SHA256 | 17cf02578c4501f4caedd3e33584846a01702365a38588193f2ca49650bbdd0a |
| SHA512 | 05766921f2361e86a236de8d39fb56b2473dfd8867f046288b4eb0696a1c51fc0810b304fa3efb428abe93ae8eadb44f1af128ee3afbdf7e3aa1e5383f6a3857 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 05592d6b429a6209d372dba7629ce97c |
| SHA1 | b4d45e956e3ec9651d4e1e045b887c7ccbdde326 |
| SHA256 | 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd |
| SHA512 | caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa |
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\decrypt_0000000000000020-000A0000.exe" | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
| File opened for modification | C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
| File created | C:\Program Files (x86)\KBSBQHKMQP.FNE | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
| File opened for modification | C:\Program Files (x86)\KBSBQHKMQP.FNE | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe
"C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | decimallightness.com | udp |
| US | 8.8.8.8:53 | craigslistlasvegascars.com | udp |
| US | 8.8.8.8:53 | deenislam.org | udp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 8.8.8.8:53 | dentistinnicaragua.com | udp |
| US | 8.8.8.8:53 | dedhamfoodpantry.org | udp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | | tcp |
| HK | 34.92.46.178:80 | | tcp |
Files
memory/2380-3-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-4-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-5-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-6-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-7-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-8-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-9-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-10-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-11-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-12-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-13-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-14-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-15-0x0000000000400000-0x00000000004A0000-memory.dmp
memory/2380-16-0x0000000000400000-0x00000000004A0000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-22 03:36
Reported
2024-11-22 03:39
Platform
win7-20240903-en
Max time kernel
43s
Max time network
121s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Reads user/profile data of web browsers
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 2612 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe |
| PID 3044 wrote to memory of 2612 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe |
| PID 3044 wrote to memory of 2612 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd" "
C:\Windows\system32\notepad.exe
notepad.exe C:\Users\Admin\AppData\Local\Temp\360390_readme.txt
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WinHelp" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\360390_readme.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | locksmithspringfield.us | udp |
| US | 15.197.148.33:80 | locksmithspringfield.us | tcp |
| US | 8.8.8.8:53 | thecottagespsychotherapycenter.com | udp |
| US | 8.8.8.8:53 | kashfianlaw.com | udp |
| US | 104.16.109.239:80 | kashfianlaw.com | tcp |
| US | 8.8.8.8:53 | www.kashfianlaw.com | udp |
| US | 104.16.112.239:443 | www.kashfianlaw.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| NL | 2.18.121.147:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 23.200.189.225:80 | www.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd
| MD5 | d96f59d97099a6248989e828d766dd5b |
| SHA1 | 9322d296171970ce8a280a4c562f41b5f3689de0 |
| SHA256 | e534769d416412d6ea8e91faf108bd8f52838e854145eab052483c37b4add1e3 |
| SHA512 | 562c52a4dab31d9fc8983823561d181ddd0d0999baf3cbe8841afd3919ae020df573f41bd58fe6ecd090d47a1a1d2bad6abd68955e329cd541974c12d4ceca8c |
C:\Users\Admin\AppData\Local\Temp\360390_readme.txt
| MD5 | f6a2bb17bf99a4dab08f75504bf270b3 |
| SHA1 | d42b9acaa08e19e1708e0e00a7961b8dd3219102 |
| SHA256 | 34d5153eb38ee664fc03fcb7de7a75a76c1162fa83110d34e6b64c29424ed6ed |
| SHA512 | 037a713b6e8580adf6773992b29b75dcae8d0284dee228deddb41149d89aafefc9d8bf4374d8437d57f6a26afede42accb629988b5cd234430f53f5df2da0a96 |